chore(findings): ironbank-pipelines/pipeline-runner
Summary
ironbank-pipelines/pipeline-runner has 86 new findings discovered during continuous monitoring.
id | source | severity | package |
---|---|---|---|
b59c4bf2abe54300ad1cedf436da87a6 | Anchore Compliance | Low | |
ec7c2458dcae971eddd19e2b01829d96 | Anchore Compliance | Low | |
9b6af07f2d1d2aff3f91c8a29dbc9c22 | Anchore Compliance | Low | |
d77ab8c588293dab6de1caf69d5e44b9 | Anchore Compliance | Critical | |
CVE-2024-28180 | Anchore CVE | Medium | skopeo-2:1.13.3-4.el9_3 |
CVE-2023-27043 | Anchore CVE | Medium | python3.11-libs-3.11.5-1.el9_3 |
GHSA-4v7x-pqxf-cx7m | Anchore CVE | Medium | golang.org/x/net-v0.17.0 |
GHSA-4v7x-pqxf-cx7m | Anchore CVE | Medium | golang.org/x/net-v0.17.0 |
GHSA-c5pj-mqfh-rvc3 | Anchore CVE | High | github.com/opencontainers/runc-v1.1.12 |
GHSA-mq39-4gv4-mvpx | Anchore CVE | Medium | github.com/docker/docker-v25.0.3+incompatible |
CVE-2023-6129 | Anchore CVE | Low | openssl-1:3.0.7-25.el9_3 |
CVE-2023-27043 | Anchore CVE | Medium | python3.11-3.11.5-1.el9_3 |
CVE-2023-6597 | Anchore CVE | High | python3.11-3.11.5-1.el9_3 |
CVE-2024-32487 | Anchore CVE | High | less-590-3.el9_3 |
CVE-2024-2397 | Anchore CVE | Low | libpcap-14:1.10.0-4.el9 |
GHSA-pxhw-596r-rwq5 | Anchore CVE | Low | k8s.io/kubernetes-v1.29.0 |
CVE-2024-0450 | Anchore CVE | Medium | python3.11-3.11.5-1.el9_3 |
CVE-2023-7008 | Anchore CVE | Medium | systemd-rpm-macros-252-18.el9 |
GHSA-88jx-383q-w4qc | Anchore CVE | Medium | github.com/sigstore/cosign/v2-v2.2.3 |
GHSA-c5pj-mqfh-rvc3 | Anchore CVE | High | github.com/opencontainers/runc-v1.1.5 |
CVE-2023-3446 | Anchore CVE | Low | openssl-1:3.0.7-25.el9_3 |
CVE-2023-7008 | Anchore CVE | Medium | systemd-252-18.el9 |
CVE-2023-5678 | Anchore CVE | Low | openssl-1:3.0.7-25.el9_3 |
CVE-2024-27316 | Anchore CVE | Medium | httpd-filesystem-2.4.57-5.el9 |
GHSA-95pr-fxf5-86gv | Anchore CVE | Medium | github.com/sigstore/cosign/v2-v2.2.3 |
CVE-2023-38709 | Anchore CVE | Medium | httpd-filesystem-2.4.57-5.el9 |
CVE-2023-6597 | Anchore CVE | High | python3.11-libs-3.11.5-1.el9_3 |
GHSA-4v7x-pqxf-cx7m | Anchore CVE | Medium | golang.org/x/net-v0.17.0 |
CVE-2021-3997 | Anchore CVE | Medium | systemd-rpm-macros-252-18.el9 |
CVE-2021-3997 | Anchore CVE | Medium | systemd-pam-252-18.el9 |
CVE-2024-0450 | Anchore CVE | Medium | python3.11-libs-3.11.5-1.el9_3 |
CVE-2023-6237 | Anchore CVE | Low | openssl-1:3.0.7-25.el9_3 |
GHSA-jq35-85cj-fj4p | Anchore CVE | Medium | github.com/docker/docker-v24.0.0+incompatible |
GHSA-xw73-rw38-6vjc | Anchore CVE | Medium | github.com/docker/docker-v24.0.0+incompatible |
CVE-2024-1394 | Anchore CVE | High | skopeo-2:1.13.3-4.el9_3 |
GHSA-4v7x-pqxf-cx7m | Anchore CVE | Medium | golang.org/x/net-v0.20.0 |
GHSA-3f2q-6294-fmq5 | Anchore CVE | High | github.com/whilp/git-urls-v1.0.0 |
CVE-2024-22365 | Anchore CVE | Medium | pam-1.5.1-15.el9 |
GHSA-jjg7-2v4v-x38h | Anchore CVE | Medium | idna-3.6 |
CVE-2021-3997 | Anchore CVE | Medium | systemd-252-18.el9 |
GHSA-4v7x-pqxf-cx7m | Anchore CVE | Medium | golang.org/x/net-v0.22.0 |
CVE-2023-7008 | Anchore CVE | Medium | systemd-pam-252-18.el9 |
CVE-2024-0727 | Anchore CVE | Low | openssl-1:3.0.7-25.el9_3 |
GHSA-4v7x-pqxf-cx7m | Anchore CVE | Medium | golang.org/x/net-v0.11.0 |
CVE-2023-2975 | Anchore CVE | Low | openssl-1:3.0.7-25.el9_3 |
CVE-2023-3817 | Anchore CVE | Low | openssl-1:3.0.7-25.el9_3 |
CVE-2024-2511 | Anchore CVE | Low | openssl-1:3.0.7-25.el9_3 |
GHSA-rhh4-rh7c-7r5v | Anchore CVE | Medium | github.com/mholt/archiver/v3-v3.5.1 |
CCE-83611-4 | OSCAP Compliance | High | |
CVE-2024-32487 | Twistlock CVE | Critical | less-590-3.el9_3 |
PRISMA-2022-0168 | Twistlock CVE | High | pip-22.3.1 |
CVE-2023-46402 | Twistlock CVE | High | github.com/whilp/git-urls-v1.0.0 |
CVE-2024-27316 | Twistlock CVE | Medium | httpd-filesystem-2.4.57-5.el9 |
CVE-2023-36632 | Twistlock CVE | Medium | python3.11-3.11.5-1.el9_3 |
CVE-2023-36632 | Twistlock CVE | Medium | python3.11-libs-3.11.5-1.el9_3 |
CVE-2024-24557 | Twistlock CVE | Medium | github.com/docker/docker-v24.0.0 |
CVE-2023-38709 | Twistlock CVE | Medium | httpd-filesystem-2.4.57-5.el9 |
PRISMA-2023-0056 | Twistlock CVE | Medium | github.com/sirupsen/logrus-v1.9.1 |
CVE-2024-3651 | Twistlock CVE | Medium | idna-3.6 |
CVE-2023-7008 | Twistlock CVE | Medium | systemd-252-18.el9 |
CVE-2023-7008 | Twistlock CVE | Medium | systemd-pam-252-18.el9 |
CVE-2023-7008 | Twistlock CVE | Medium | systemd-rpm-macros-252-18.el9 |
CVE-2024-22365 | Twistlock CVE | Medium | pam-1.5.1-15.el9 |
CVE-2022-40896 | Twistlock CVE | Medium | python3.11-pip-22.3.1-4.el9_3.1 |
CVE-2022-40896 | Twistlock CVE | Medium | python3.11-pip-wheel-22.3.1-4.el9_3.1 |
CVE-2021-3997 | Twistlock CVE | Medium | systemd-252-18.el9 |
CVE-2021-3997 | Twistlock CVE | Medium | systemd-rpm-macros-252-18.el9 |
CVE-2021-3997 | Twistlock CVE | Medium | systemd-pam-252-18.el9 |
CVE-2023-27043 | Twistlock CVE | Medium | python3.11-3.11.5-1.el9_3 |
CVE-2023-27043 | Twistlock CVE | Medium | python3.11-libs-3.11.5-1.el9_3 |
CVE-2024-29903 | Twistlock CVE | Medium | github.com/sigstore/cosign/v2-v2.2.3 |
CVE-2024-29902 | Twistlock CVE | Medium | github.com/sigstore/cosign/v2-v2.2.3 |
GHSA-jq35-85cj-fj4p | Twistlock CVE | Medium | github.com/docker/docker-v24.0.0 |
CVE-2023-45288 | Twistlock CVE | Medium | golang.org/x/net/http2-v0.17.0 |
CVE-2023-45288 | Twistlock CVE | Medium | golang.org/x/net/http2-v0.20.0 |
CVE-2023-45288 | Twistlock CVE | Medium | golang.org/x/net/http2-v0.22.0 |
CVE-2023-6129 | Twistlock CVE | Low | openssl-3.0.7-25.el9_3 |
CVE-2023-6237 | Twistlock CVE | Low | openssl-3.0.7-25.el9_3 |
CVE-2024-2397 | Twistlock CVE | Low | libpcap-1.10.0-4.el9 |
CVE-2024-0727 | Twistlock CVE | Low | openssl-3.0.7-25.el9_3 |
CVE-2023-5678 | Twistlock CVE | Low | openssl-3.0.7-25.el9_3 |
CVE-2023-3817 | Twistlock CVE | Low | openssl-3.0.7-25.el9_3 |
CVE-2023-3446 | Twistlock CVE | Low | openssl-3.0.7-25.el9_3 |
CVE-2023-2975 | Twistlock CVE | Low | openssl-3.0.7-25.el9_3 |
CVE-2024-2511 | Twistlock CVE | Low | openssl-3.0.7-25.el9_3 |
CVE-2023-39804 | Twistlock CVE | Low | tar-1.34-6.el9_1 |
VAT: https://vat.dso.mil/vat/image?imageName=ironbank-pipelines/pipeline-runner&tag=0.0.30&branch=master
More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=ironbank-pipelines/pipeline-runner&tag=0.12.0&branch=master
Tasks
Contributor:
- Provide justifications for findings in the VAT (docs)
- Apply the StatusVerification label to this issue and wait for feedback

Iron Bank:
- Review findings and justifications
Note: If the above process is rejected for any reason, the Verification label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Verification label.
Questions?
Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.
Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730 EST to answer questions.