multiple security vulnerabilities in nri-ecs image

[jaguwalapratik]

Is your feature request related to a problem? Please describe.

Recently we started integrating nri-ecs image in ECS cluster as per the how-to's document and we were successful. However during initial integration in lower environments it's been found that the image contains multiple security vulnerabilities which is blocking us to proceed further. NewRelic Support suggested to open issue over here to track it.

nri-ecs version: 1.8.0

Feature Description

Can we have this vulnerabilities addressed which will unblock us to take it further.

Priority

Please help us better understand this feature request by choosing a priority from the following options:
Blocker

Attaching the list of vulnerabilities:
nri-ecs-image-vulnerabilities.csv

[marcsanmi]

Hi,

Thanks for creating this issue. Could you use the last version of the nri-ecs integration? At the time of writing is v.1.8.1. In this version there are several bumps that uses the last version of infrastructure-bundle.

[jaguwalapratik]

Hi @marcsanmi

I tried the new version and it's improved, number came down below 60 (previously it was well above 80 or 90). However still not acceptable from ITSec team.

If we refer below table, i see most of the vulnerabilities are around older go version that are being used in multiple places.

Type	Highest severity	Description
Application	critical	go version 1.14.15 has 22 vulnerabilities (2 Critical, rest are high, medium and low)
Application	critical	go version 1.16.5 has 14 vulnerabilities (2 Critical, rest are high, medium and low)
go	high	github.com/kardianos/service version v1.2.1 has 1 vulnerability
Application	high	go version 1.18 has 2 vulnerabilities
Application	high	go version 1.16.15 has 3 vulnerabilities
OS	high	busybox (used in ssl_client, busybox) version 1.35.0-r14 has 1 vulnerability
go	moderate	github.com/containerd/containerd version v1.5.10 has 1 vulnerability
go	medium	github.com/aws/aws-sdk-go version v1.25.14-0.20200515182354-0961961790e6 has 3 vulnerabilities
go	medium	github.com/aws/aws-sdk-go version v1.21.10 has 3 vulnerabilities
go	low	github.com/opencontainers/image-spec version v1.0.1 has 1 vulnerability
go	low	github.com/docker/distribution version v2.7.1 has 1 vulnerability
go	low	github.com/docker/distribution version v2.7.1-0.20190205005809-0d3efadf0154 has 1 vulnerability

 

[paologallinaharbur]

Hello, the latest version solved all issues marked as critical and high.

We are constantly patching all dependencies and bumping integration versions to make sure to minimize the vulnerabilities opened.