Red Hat Bugzilla – Bug 1387301
Cassandra: CVEs on latest docker image by OpenSCAP
Last modified: 2018-03-05 10:03:44 EST
Description of problem: Ran the OpenSCAP CVE scan on the "jboss/cassandra" image and it showed vulnerabilities.

Version-Release number of selected component (if applicable): Digest: sha256:106c72a637f0465aeeb5ad158600a8ccf0a41e5a1715fbe469afade63fd1721a
Comment 11 represents a new workflow that I was recently informed of. Might require further discussion. Documenting the actions and follow-up fully here. Replied as follows:

From: "Michael Foley" <mfoley@redhat.com>
To: "Chris Pelland" <cpelland@redhat.com>
Cc: "Satoe Imaishi" <simaishi@redhat.com>, "Heiko W.Rupp" <hrupp@redhat.com>, "Dave Johnson" <dajohnso@redhat.com>, "Matthew Mahoney" <mmahoney@redhat.com>
Sent: Friday, November 11, 2016 3:09:27 PM
Subject: Re: Open Blockers for the Parallel Teams

Hi Chris,

Thank you for your email. Just so I am clear in my response, I just want to clearly identify the bugzillas in scope for this discussion, and a brief summary:
https://bugzilla.redhat.com/show_bug.cgi?id=1387301
https://bugzilla.redhat.com/show_bug.cgi?id=1387309

The bugs are related to security flaws in the docker containers for the Middleware Provider.

I also want to begin by saying that I am open to learning the existing bugzilla workflow, as well as optimizing and changing the bugzilla workflow as needed. Having said that ... I want to understand and de-construct comment #11 on that bugzilla .... I think I understand what you are saying ...and your intentions. You are suggesting that software defects that do not require a code change in the ManageIQ/CFME ruby code base should not be categorized in Bugzilla under the Cloudforms product with the component set to Middleware Provider. Message received.

This is however different than the bugzilla workflow we have agreed to follow. The current bugzilla workflow ...as it stands now ... is for software defects in the Middleware Provider to be logged as follows:
Product = Cloudforms
Component = Provider
Cloudforms Team = Middleware

When defects are found in the Middleware Provider ... e.g. a requirement is not met, a use-case does not work, etc .... it is not known in which codebase the defect lies. It could be:
in the CFME ruby codebase
in the Hawkular Java codebase
in both the CFME ruby codebase and the Hawkular Java codebase
in the codebase of another dependency ...such as Cassandra
or in this case ... in the upstream docker containers provided by the cloud enablement team upon which the Middleware Provider is layered

So comment 11 ...and the decision to close bugs that do not require code changes in the CFME Ruby codebase ... represents a new departure from the bugzilla workflow that is much different than my current understanding and different from the workflow that we are currently following. I would like to learn more about this new workflow ... how other providers handle this ... so that the software defects for the Middleware Provider can be handled in a known, consistent, and workable manner.

I'm adding in Matt Mahoney ...who does the bug triage on the Middleware Provider ...and Dave Johnson ... so we are all on the same page on this new process. I'll set up a short meeting for next week so I can understand this further ...

Regards,
Michael
Reopening this bug by moving to 'Middleware Manager' product.
Tested on DR1 docker image brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/jboss-mm-7-tech-preview/middleware-manager-datastore:7.0.0-2
Digest: sha256:40caeeabda397306011dc7809dbe3ef68d7c95d1c77e29f7b52c941903cbc39b

All missing CVEs are now included in the docker image.