As noted in https://access.redhat.com/support/cases/#/case/02771740 the console container may be flagged due to dependencies in vendors/modulest.txt.
A recent example of this was from jfrog xray flagging the runc dependency for CVE-2019-5736.
Though this dependency is vendored (the code exists in vendor directories) the console does not actually use this one in particular anywhere.
Investigate if we can clean up any dependencies to prevent invalid flagging during security scans.
In addition to any clean up, we should review dependencies that can be updated to ensure we have the latest fixes
Matthew we updated the opencontainers/runc module to 1.0.0-rc8 which should carry fix.
Do we need to backport the fix to 4.6?
Yes, please backport to 4.6. The customer is also running 4.5.7 and 4.5.11, so backporting to 4.5.x is desired.
Fix is not contained in payload: 4.7.0-0.nightly-2020-10-27-051128, wait for new build.
Clone latest console repo
$ go mod graph | grep opencontainers/runc
github.com/Microsoftemail@example.com firstname.lastname@example.org (is a dependency of deislabs/oras)
$ go list -m all | grep opencontainers/runc (OK)
github.com/opencontainers/runc v0.1.1 => github.com/opencontainers/runc v1.0.0-rc8.0.20190926150303-84373aaa560b
$ go list -m all | grep deislabs/oras
$ go list -m all | grep openshift/library-go (OK)
Moving to VERIFIED, let me know if it is wrong
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.