Twistlock CVE Findings

[jjtroberts]

Describe the bug
At Platform One we continuously scan hardened images using Twistlock, Anchore, and OpenSCAP. Our recent scans returned findings for go1.17.5 on a number of controller images:

• public.ecr.aws/aws-controllers-k8s/apigatewayv2-controller:v0.0.19
• public.ecr.aws/aws-controllers-k8s/dynamodb-controller:v0.0.18
• public.ecr.aws/aws-controllers-k8s/elasticache-controller:v0.0.16
• public.ecr.aws/aws-controllers-k8s/s3-controller:v0.0.17

CVE-2022-23806
Twistlock
go-1.17.5
Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.

Expected outcome
The go.mod for each of those controllers is set to go 1.17. I would expect that latest builds would use the latest version of go1.17.x, however they seem to be pinned at 1.17.5.

Just looking for information on your build process so we can know how to justify these findings in Iron Bank. For example, when we justify a high finding we also need to add information on whether or not upstream is tracking the issue, and if so, when a fix is expected.

[RedbackThomson]

Thanks for reaching out, Joe!
We build the binaries for our controllers using this Dockerfile. We have it pinned to 1.17.5, as that was the latest 1.17.x released when we last updated it.

We would like to switch to using the golang image from https://github.com/aws/eks-distro-build-tooling as our base, but that has not been updated to 1.17.

It might be a good move to change the current tag to bitnami/golang:1.17 so that we always pick up the latest minor and patch versions?

[jjtroberts]

That would be helpful, thank you.

[jaypipes]

It might be a good move to change the current tag to bitnami/golang:1.17 so that we always pick up the latest minor and patch versions?

Yes, @RedbackThomson let's go ahead and do that please!

[RedbackThomson]

Opened a PR to make the change I suggested: aws-controllers-k8s/code-generator#316

Once this is merged, I might release a new code-generator version so we can push these changes through to all controllers.

I also opened a feature request in the EKS-D tooling repo, so they're aware we're waiting on 1.17: aws/eks-distro-build-tooling#342

[RedbackThomson]

I've created pull requests with new releases for each of the controllers you've listed in this issue. All controllers will have updated Go versions when the next wave of runtime releases are made:

aws-controllers-k8s/elasticache-controller#86
aws-controllers-k8s/apigatewayv2-controller#35
aws-controllers-k8s/s3-controller#74
aws-controllers-k8s/dynamodb-controller#36

[jjtroberts]

@RedbackThomson that is very gracious of you. Thanks for taking the time to update those repos. I should mention that we do have two other controllers we're tracking: ecr and sns in this project.

https://github.com/aws-controllers-k8s/ecr-controller
https://github.com/aws-controllers-k8s/sns-controller

[RedbackThomson]

The SNS controller has not had an official release, so there is nothing for me to do there. But I can do ecr 👍🏼

aws-controllers-k8s/ecr-controller#43

[RedbackThomson]

Thanks @vijtrip2 for all of the fast reviews and merged. The newest ECR controller release should contain these changes now too.

Let me know if there is anything more that needs fixing! Otherwise, we should be good to go for now.