security: Track Possible Image Vulnerabilities

[scbizu]

Here will be a long issue track possible image vulnerabilities or CVEs reported by the community or our dependabot .

[scbizu]

helm/helm#10717 tracks the containerd containerd CRI plugin: Insecure handling of image volumes issue , will upgrade CM after helm upgrade this dependency.

[slachiewicz]

Artifacthub.io shows issues with the base image (busybox) and a few of our deps (etcd, contained, docker)
https://artifacthub.io/packages/helm/chartmuseum/chartmuseum

[Kiran-38]

Hi @scbizu, any update on the security vulnerability reported with #607 please.

[scbizu]

@Kiran-38 Thank you for the report , The storage PR will deprecate the old etcd dependency :) chartmuseum/storage#649

[Kiran-38]

@scbizu Thank you for the response. Can we have any date of fix for the etcd, or this fix will be in this version 0.15.0 or later. please let us know.

[Kiran-38]

Hi,
The chartMuseum binary contains the helm.sh/helm/v3 v3.9.3 library with is flagged as a security risk and need to update to the latest version 3.9.4 or later and above available for resolving the issue.

I see there is a branch dependabot created already to fix this can you merge with the main branch so that I can use it.

[Kiran-38]

@scbizu Thank you for the quick fix. It means a lot. Keep up the great work.

[Kiran-38]

Hi @scbizu, there are few vulnerability found in building chartmuseum. please find below list.

github.com/containerd/containerd-v1.6.3   
helm.sh/helm/v3-v3.9.0   
golang.org/x/net-v0.0.0-20220531201128-c960675eff93   
github.com/emicklei/go-restful-v2.9.5+incompatible   
golang.org/x/text-v0.3.7