[ 
https://issues.apache.org/jira/browse/YUNIKORN-964?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17453739#comment-17453739
 ] 

Wilfred Spiegelenburg commented on YUNIKORN-964:
------------------------------------------------

The web build has a built-in nginx version that needs to be updated. That will 
update the alpine image also and move it to alpine:3.14.3.

The Dockerfile used from the shim builds pulls in the latest alpine images, so 
the OS issues will be fixed automatically as the latest is currently pointing 
to 3.15.

For the K8s vulnerabilities found in the scheduler image: we have moved our 
dependency to v1.20.11. This has fixed all mentioned K8s vulnerabilities in the 
report.
The gogo protobuf issue is not directly our issue to fix as we do not use gogo. 
K8s has fixed the issue in 1.20.1 and later, so we have no issue left after our 
upgrade.

The Go vulnerability is not relevant as we do not use an SSH server. However, 
compiling with the most recent version of Go (1.16.11 or 1.17.4) fixes that 
issue.

[~yuchaoran] we need to get the web docker image fix into v0.12.

> Fix vulnerabilities reported by artifacthub
> -------------------------------------------
>
>                 Key: YUNIKORN-964
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-964
>             Project: Apache YuniKorn
>          Issue Type: Bug
>            Reporter: Kinga Marton
>            Assignee: Wilfred Spiegelenburg
>            Priority: Blocker
>              Labels: pull-request-available
>             Fix For: 0.12
>
>
> Artifacthub has a security report for each image. 
> We need to check and fix the reported vulnerabilities: 
> [https://artifacthub.io/packages/helm/yunikorn/yunikorn/0.11.0?modal=security-report]
>  


