Vulnerabilities Introduced in CNAB after using cpa buildbundle
Hi, this is my first post here. I am following the instructions in the article Prepare your Azure container technical assets for a Kubernetes application – Marketplace publisher |…
I used the command cpa buildbundle to build and upload the CNAB to my Azure Container Registry (ACR), but the Defender scan shows vulnerabilities in the CNAB bundle, even though my solution image is free of vulnerabilities. I also scanned the image with Trivy and found Critical and high vulnerabilities in Helm 3, kubectl, and the Docker Engine (Moby).
The approach described in the technical assets article mounts the host machine's Docker engine into Microsoft's image mcr.microsoft.com/container-package-app:latest. My host machine has the Community Edition of Docker Engine, yet the Moby issue persists.
Inside the container, I tried running `tdnf clean all && tdnf update`, which updated Moby, but I was unable to update kubectl and Helm.
Should I be concerned about these vulnerabilities? I believe they may have been introduced by the CPA tool. The documentation states that for marketplace listings, the repository must be free of vulnerabilities. Additionally, it mentions in the limitations section that single containers are not supported, and my current offering contains only a single image.
Any tips on how I can address this issue or any remediation steps would be greatly appreciated.
Thanks!
Asif
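One way to sort out which of the Trivy findings sit in the packaging image's own tooling, and which of them a `tdnf update` inside the container can ever touch, is to triage the scanner's JSON output by result class. The script below is an added example, not code from the post, from Microsoft or from the CPA tool. It relies on the field names of Trivy's JSON report (`Results`, `Class`, `Target`, `Vulnerabilities`, `PkgName`, `Severity`, `FixedVersion`); the `TOOLING` set of binary and package names is an assumption to be adjusted to what your scan lists, and `SAMPLE_REPORT` is a constructed report with placeholder IDs and versions, not real CVEs.

```python
"""Triage a Trivy JSON report: which CRITICAL/HIGH findings are in OS packages
(tdnf can update those) and which are compiled into Go binaries such as helm
and kubectl (only a replaced binary, i.e. a new image build, removes those)."""
import json
import os
from dataclasses import dataclass

SEVERITIES = {"CRITICAL", "HIGH"}

# Binaries/packages that belong to the packaging tool image rather than to the
# solution image. Assumption for this example; extend to match your own scan.
TOOLING = {"helm", "kubectl", "moby", "docker", "cpa"}


@dataclass
class Finding:
    vuln_id: str
    pkg: str
    target: str
    severity: str
    fixed_version: str
    in_tooling: bool   # belongs to the CPA image's tools, not to your app
    os_package: bool   # True: OS package (tdnf can update it)


def _tooling_hit(pkg, target, os_package):
    """OS packages match on their first name component ('moby-engine' -> 'moby');
    Go binaries match on the file name of the scanned target (usr/local/bin/helm)."""
    if os_package:
        return pkg.lower().split("-")[0] in TOOLING
    return os.path.basename(target) in TOOLING


def triage(report):
    """Return the CRITICAL/HIGH findings of a Trivy JSON report (schema v2).
    Results without a 'Vulnerabilities' key are clean targets and are skipped."""
    findings = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        os_package = result.get("Class") == "os-pkgs"
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in SEVERITIES:
                continue
            pkg = v.get("PkgName", "")
            findings.append(Finding(
                vuln_id=v.get("VulnerabilityID", ""),
                pkg=pkg,
                target=target,
                severity=v["Severity"],
                fixed_version=v.get("FixedVersion", ""),
                in_tooling=_tooling_hit(pkg, target, os_package),
                os_package=os_package,
            ))
    return findings


def summarize(findings):
    """Bucket finding IDs by the remediation that is actually available."""
    return {
        "fixable_with_tdnf": [f.vuln_id for f in findings if f.os_package and f.fixed_version],
        "needs_new_binary": [f.vuln_id for f in findings if not f.os_package],
        "no_fix_available": [f.vuln_id for f in findings if not f.fixed_version],
        "outside_tooling": [f.vuln_id for f in findings if not f.in_tooling],
    }


# Constructed sample in Trivy's JSON layout. IDs and versions are placeholders.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "mcr.microsoft.com/container-package-app:latest",
    "Results": [
        {"Target": "container-package-app:latest (os packages)", "Class": "os-pkgs",
         "Type": "mariner", "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "moby-engine",
              "InstalledVersion": "0.0.1-example", "FixedVersion": "0.0.2-example",
              "Severity": "HIGH"},
             {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "openssl",
              "InstalledVersion": "0.0.1-example", "FixedVersion": "0.0.2-example",
              "Severity": "LOW"}]},
        {"Target": "usr/local/bin/helm", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "helm.sh/helm/v3",
              "InstalledVersion": "v0.0.1-example", "FixedVersion": "v0.0.2-example",
              "Severity": "CRITICAL"}]},
        {"Target": "usr/local/bin/kubectl", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "stdlib",
              "InstalledVersion": "0.0.1-example", "FixedVersion": "",
              "Severity": "HIGH"}]},
        # A clean target: Trivy emits no 'Vulnerabilities' key at all.
        {"Target": "usr/local/bin/cpa", "Class": "lang-pkgs", "Type": "gobinary"},
    ],
}


def main(path=None):
    if path is None:
        report = SAMPLE_REPORT
    else:
        with open(path) as fh:
            report = json.load(fh)
    findings = triage(report)
    for f in findings:
        where = "OS package" if f.os_package else "Go binary"
        who = "CPA tooling" if f.in_tooling else "other"
        print(f"{f.severity:8} {f.vuln_id:14} {f.pkg:20} {where:10} {who}  fix={f.fixed_version or 'none'}")
    print(json.dumps(summarize(findings), indent=2))


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

To run it against the real image, produce the report with `trivy image --format json --output report.json mcr.microsoft.com/container-package-app:latest` and pass `report.json` as the argument. Findings under `os-pkgs` are the only ones `tdnf update` can address; anything Trivy attributes to a `gobinary` target is compiled into that binary and stays until the image ships a rebuilt one, which matches the observation in the post that updating inside the container moved Moby but left Helm and kubectl as they were.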