UNCLASSIFIED - NO CUI

Skip to content

chore(findings): ironbank-pipelines/pipeline-runner

Summary

ironbank-pipelines/pipeline-runner has 107 new findings discovered during continuous monitoring.

id source severity package
CVE-2023-24538 Anchore CVE Medium buildah-1:1.29.1-2.el9_2
CVE-2023-29491 Anchore CVE Medium ncurses-6.2-8.20210508.el9
CVE-2022-30631 Anchore CVE Medium skopeo-2:1.11.2-0.1.el9
CVE-2023-24534 Anchore CVE Medium buildah-1:1.29.1-2.el9_2
CVE-2022-41723 Anchore CVE Medium skopeo-2:1.11.2-0.1.el9
CVE-2023-24539 Anchore CVE Medium buildah-1:1.29.1-2.el9_2
CVE-2022-41725 Anchore CVE Medium skopeo-2:1.11.2-0.1.el9
CVE-2023-24540 Anchore CVE High skopeo-2:1.11.2-0.1.el9
CVE-2023-24540 Anchore CVE High buildah-1:1.29.1-2.el9_2
CVE-2023-24539 Anchore CVE Medium skopeo-2:1.11.2-0.1.el9
CVE-2023-29400 Anchore CVE Medium skopeo-2:1.11.2-0.1.el9
CVE-2023-0286 Anchore CVE High compat-openssl11-1:1.1.1k-4.el9_0
CVE-2023-24538 Anchore CVE Medium skopeo-2:1.11.2-0.1.el9
CVE-2022-41724 Anchore CVE Medium skopeo-2:1.11.2-0.1.el9
CVE-2022-41725 Anchore CVE Medium buildah-1:1.29.1-2.el9_2
CVE-2023-29400 Anchore CVE Medium buildah-1:1.29.1-2.el9_2
CVE-2023-24534 Anchore CVE Medium skopeo-2:1.11.2-0.1.el9
CVE-2022-41318 Anchore CVE High squid-7:4.15-6.module_el8.8.0+1236+bbc41960
GHSA-hqxw-f8mx-cpmw Anchore CVE High github.com/docker/distribution-v2.8.1+incompatible
CVE-2022-41724 Anchore CVE Medium buildah-1:1.29.1-2.el9_2
CVE-2023-25173 Anchore CVE Medium buildah-1:1.29.1-2.el9_2
CVE-2023-24537 Anchore CVE Medium skopeo-2:1.11.2-0.1.el9
CVE-2021-46784 Anchore CVE High squid-7:4.15-6.module_el8.8.0+1236+bbc41960
CVE-2022-48468 Anchore CVE Medium protobuf-c-1.3.3-12.el9
CVE-2022-41723 Anchore CVE Medium buildah-1:1.29.1-2.el9_2
GHSA-frqx-jfcm-6jjr Anchore CVE Medium github.com/sigstore/rekor-v1.1.0
GHSA-2q89-485c-9j2x Anchore CVE Medium github.com/cloudflare/circl-v1.1.0
CVE-2022-30631 Anchore CVE Medium buildah-1:1.29.1-2.el9_2
CVE-2023-24536 Anchore CVE Medium skopeo-2:1.11.2-0.1.el9
GHSA-2h5h-59f5-c5x9 Anchore CVE High github.com/sigstore/rekor-v1.1.0
CVE-2023-24536 Anchore CVE Medium buildah-1:1.29.1-2.el9_2
CVE-2023-31484 Anchore CVE Medium perl-IPC-Open3-0:1.21-480.el9
CVE-2023-31484 Anchore CVE Medium perl-File-Basename-0:2.85-480.el9
CVE-2023-31484 Anchore CVE Medium perl-Class-Struct-0:0.66-480.el9
CVE-2023-31484 Anchore CVE Medium perl-File-Find-0:1.37-480.el9
CVE-2023-31484 Anchore CVE Medium perl-POSIX-0:1.94-480.el9
CVE-2023-31484 Anchore CVE Medium perl-vars-0:1.05-480.el9
CVE-2023-31484 Anchore CVE Medium perl-Getopt-Std-0:1.12-480.el9
CVE-2023-31484 Anchore CVE Medium perl-B-0:1.80-480.el9
CVE-2023-31484 Anchore CVE Medium perl-IO-0:1.43-480.el9
CVE-2023-31484 Anchore CVE Medium perl-overloading-0:0.02-480.el9
CVE-2023-31484 Anchore CVE Medium perl-FileHandle-0:2.03-480.el9
CVE-2023-31484 Anchore CVE Medium perl-if-0:0.60.800-480.el9
CVE-2023-31484 Anchore CVE Medium perl-subs-0:1.03-480.el9
CVE-2023-31484 Anchore CVE Medium perl-Errno-0:1.30-480.el9
CVE-2023-31484 Anchore CVE Medium perl-AutoLoader-0:5.74-480.el9
CVE-2023-31484 Anchore CVE Medium perl-libs-4:5.32.1-480.el9
CVE-2023-31484 Anchore CVE Medium perl-SelectSaver-0:1.02-480.el9
CVE-2023-31484 Anchore CVE Medium perl-interpreter-4:5.32.1-480.el9
CVE-2023-31484 Anchore CVE Medium perl-DynaLoader-0:1.47-480.el9
CVE-2023-31484 Anchore CVE Medium perl-mro-0:1.23-480.el9
CVE-2023-31484 Anchore CVE Medium perl-overload-0:1.31-480.el9
CVE-2023-31484 Anchore CVE Medium perl-base-0:2.27-480.el9
CVE-2023-31484 Anchore CVE Medium perl-Fcntl-0:1.13-480.el9
CVE-2023-31484 Anchore CVE Medium perl-Symbol-0:1.08-480.el9
CVE-2023-31484 Anchore CVE Medium perl-Math-Complex-0:1.59-480.el9
CVE-2023-31484 Anchore CVE Medium perl-File-stat-0:1.09-480.el9
CVE-2023-31484 Anchore CVE Medium perl-NDBM_File-0:1.15-480.el9
CVE-2023-31484 Anchore CVE Medium perl-lib-0:0.65-480.el9
CVE-2023-31484 Anchore CVE Medium perl-English-0:1.11-480.el9
CCE-83908-4 OSCAP Compliance Medium
CCE-83906-8 OSCAP Compliance Medium
CCE-83903-5 OSCAP Compliance Medium
CCE-83895-3 OSCAP Compliance Medium
CVE-2023-29405 Twistlock CVE Critical go-1.19.6
CVE-2023-29405 Twistlock CVE Critical go-1.19.4
CVE-2023-29405 Twistlock CVE Critical go-1.20.4
CVE-2023-29405 Twistlock CVE Critical go-1.20.3
CVE-2023-29404 Twistlock CVE Critical go-1.19.4
CVE-2023-29404 Twistlock CVE Critical go-1.20.4
CVE-2023-29404 Twistlock CVE Critical go-1.19.6
CVE-2023-29404 Twistlock CVE Critical go-1.20.3
CVE-2023-24540 Twistlock CVE Critical go-1.19.4
CVE-2023-24540 Twistlock CVE Critical go-1.20.3
CVE-2023-24540 Twistlock CVE Critical go-1.19.6
CVE-2023-24538 Twistlock CVE Critical go-1.19.6
CVE-2023-24538 Twistlock CVE Critical go-1.19.4
CVE-2023-29403 Twistlock CVE High go-1.20.3
CVE-2023-29403 Twistlock CVE High go-1.19.6
CVE-2023-29403 Twistlock CVE High go-1.19.4
CVE-2023-29403 Twistlock CVE High go-1.20.4
PRISMA-2022-0227 Twistlock CVE High github.com/emicklei/go-restful/v3-v3.8.0
CVE-2023-24537 Twistlock CVE High go-1.19.6
CVE-2023-24537 Twistlock CVE High go-1.19.4
CVE-2023-24536 Twistlock CVE High go-1.19.4
CVE-2023-24536 Twistlock CVE High go-1.19.6
CVE-2023-24534 Twistlock CVE High go-1.19.4
CVE-2023-24534 Twistlock CVE High go-1.19.6
CVE-2022-41725 Twistlock CVE High go-1.19.4
CVE-2022-41724 Twistlock CVE High go-1.19.4
CVE-2023-29400 Twistlock CVE High go-1.19.6
CVE-2023-29400 Twistlock CVE High go-1.20.3
CVE-2023-29400 Twistlock CVE High go-1.19.4
CVE-2023-24539 Twistlock CVE High go-1.19.6
CVE-2023-24539 Twistlock CVE High go-1.20.3
CVE-2023-24539 Twistlock CVE High go-1.19.4
CVE-2023-30551 Twistlock CVE High github.com/sigstore/rekor-v1.1.0
CVE-2023-2253 Twistlock CVE High github.com/docker/distribution-v2.8.1
PRISMA-2023-0056 Twistlock CVE Medium github.com/sirupsen/logrus-v1.9.0
CVE-2023-24532 Twistlock CVE Medium go-1.19.6
CVE-2023-24532 Twistlock CVE Medium go-1.19.4
CVE-2023-33199 Twistlock CVE Medium github.com/sigstore/rekor-v1.1.0
CVE-2023-1732 Twistlock CVE Medium github.com/cloudflare/circl-v1.1.0
CVE-2023-29402 Twistlock CVE Critical go-1.20.4
CVE-2023-29402 Twistlock CVE Critical go-1.20.3
CVE-2023-29402 Twistlock CVE Critical go-1.19.6
CVE-2023-29402 Twistlock CVE Critical go-1.19.4

VAT: https://vat.dso.mil/vat/image?imageName=ironbank-pipelines/pipeline-runner&tag=v0.10.2&branch=master
More information can be found in the failed pipeline located here: https://repo1.dso.mil/dsop/ironbank-pipelines/pipeline-runner/-/jobs/15370182

Tasks

Contributor:

  • Provide justifications for findings in the VAT (docs)
  • Apply the ~"Hardening::Approval" label to this issue and wait for feedback

Iron Bank:

  • Review findings and justifications
  • Send approval request to Authorizing Official
  • Close issue after approval from Authorizing Official

Note: If the above approval process is rejected for any reason, the Approval label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Approval label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.

Edited by Ghost User
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

UNCLASSIFIED - NO CUI