CVEs in v2.13.0

[jranabahu]

What happened:

trivy scanning reports 3(1 HIGH and 2 MEDIUM) CVEs in 2.13.0 image.

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ 1.22.5            │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message   │
│         │                │          │        │                   │                │ which contains deeply nested structures...                  │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                  │
│         ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34155 │ MEDIUM   │        │                   │                │ go/parser: golang: Calling any of the Parse functions       │
│         │                │          │        │                   │                │ containing deeply nested literals...                        │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34155                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34158 │          │        │                   │                │ go/build/constraint: golang: Calling Parse on a "// +build" │
│         │                │          │        │                   │                │ build tag line with...                                      │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34158                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

What you expected to happen:
For this for get resolved with the updates. Atleast for high severity.

How to reproduce it (as minimally and precisely as possible):
Scanning the image through trivy

Anything else we need to know?:
Let me know if this is not right way to submit

• kube-state-metrics version: 2.13.0
• Kubernetes version (use kubectl version):
• Cloud provider or hardware configuration:
• Other info:

[dgrisonnet]

/triage accepted
/help

[k8s-ci-robot]

@dgrisonnet:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

• Why are we solving this issue?
• To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
• Does this issue have zero to low barrier of entry?
• How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/triage accepted
/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[jranabahu]

I can see that this is fixed with PR: #2493.
Could you do a release with these changes since this is a CVE fix?

[martidelviscovo]

Hello! Any updates here? Can we do a release with this fix please?

[dgrisonnet]

Looking briefly at the CVEs, the codebase shouldn't be impacted, so I don't think we need to urgently cut a new release to fix them.

cc @mrueg

[PelagicGames]

Is there a case for a patch release (2.13.1)?

[dgrisonnet]

There could be, but I think @mrueg wanted to cut 2.14.0 soon

[mrueg]

I agree with @dgrisonnet, please provide more info if you believe kube-state-metrics is affected by the CVEs, otherwise I'd treat them as a false positive and you can use https:/openvex/vexctl to silence those.

I have created a milestone for v2.14.0 if you want to follow that for the release.

[martidelviscovo]

Hello @mrueg, thank you for opening the milestone. I see no due date, is there an estimate for when 2.14 would be cut though? Thanks!