asif158
Copper Contributor
Oct 03, 2024
Solved

Vulnerabilities Introduced in CNAB after using cpa buildbundle

Hi, this is my first post here. I am following the instructions in the article https://learn.microsoft.com/en-us/partner-center/marketplace/azure-container-technical-assets-kubernetes?tabs=windows%2Clinux2

I used the command cpa buildbundle to build and upload the CNAB to my Azure Container Registry (ACR), but the Defender scan shows vulnerabilities in the CNAB bundle, even though my solution image is free of vulnerabilities. I also scanned the image with Trivy and found Critical and high vulnerabilities in Helm 3, kubectl, and the Docker Engine (Moby).

The approach mentioned in the technical asset mounts the Docker engine of the host machine into Microsoft's image mcr.microsoft.com/container-package-app:latest. My host machine has the Community Edition of Docker Engine, yet the Moby issue persists.

Inside the container, I tried running `tdnf clean all && tdnf update`, which updated Moby, but I was unable to update kubectl and Helm.

Should I be concerned about these vulnerabilities? I believe they may have been introduced by the CPA tool. The documentation states that for marketplace listings, the repository must be free of vulnerabilities. Additionally, it mentions in the limitations section that single containers are not supported, and my current offering contains only a single image.

Any tips on how I can address this issue or any remediation steps would be greatly appreciated.

Thanks!


Asif

  • asif158 thanks for your question! We only scan the image inside the CNAB, and not the tool. So as long as the images are ok, it is fine.

    Regarding the actual vulnerabilities - our team is looking into that right now and I will keep you updated here with any news.
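The answer above draws a line between the images referenced by the CNAB (what the marketplace scan covers) and the packaging tool image (what Trivy was reporting on). As an added example that is not from the thread, Trivy or the cpa tool, the script below triages Trivy JSON reports along that line; it relies on Trivy's JSON layout (ArtifactName, Results[].Vulnerabilities[] with VulnerabilityID, PkgName, Severity), and the registry name, package names and CVE ids in the sample reports are constructed placeholders.

```python
"""Triage Trivy JSON reports by whether the scanned image ships inside the CNAB.
Added example; image names, package names and CVE ids are constructed placeholders."""
from collections import defaultdict

# Severities that block a marketplace listing for images referenced by the CNAB.
GATING_SEVERITIES = {"CRITICAL", "HIGH"}


def triage(reports, cnab_images):
    """Split CRITICAL/HIGH findings into 'blocking' (image is inside the CNAB, so the
    marketplace scan looks at it) and 'informational' (image is only the packaging tool)."""
    blocking, informational = defaultdict(list), defaultdict(list)
    for report in reports:
        image = report["ArtifactName"]
        bucket = blocking if image in cnab_images else informational
        for result in report.get("Results", []):
            # Trivy emits null instead of [] when a target has no findings.
            for v in result.get("Vulnerabilities") or []:
                if v["Severity"] in GATING_SEVERITIES:
                    bucket[image].append((v["VulnerabilityID"], v["PkgName"], v["Severity"]))
    return {"blocking": dict(blocking), "informational": dict(informational)}


def listing_ok(triaged):
    """True when no CNAB image carries a gating finding."""
    return not triaged["blocking"]


# Constructed sample reports: the packaging image carries helm/kubectl/moby
# findings, as the original poster saw; the application image is clean.
TOOL_IMAGE = "mcr.microsoft.com/container-package-app:latest"
APP_IMAGE = "myregistry.azurecr.io/myapp:1.0.0"  # placeholder registry and name
SAMPLE_REPORTS = [
    {"ArtifactName": TOOL_IMAGE, "Results": [
        {"Target": "usr/local/bin/helm", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [{"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "helm.sh/helm/v3", "Severity": "CRITICAL"}]},
        {"Target": "usr/local/bin/kubectl", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [{"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "k8s.io/kubernetes", "Severity": "HIGH"}]},
        {"Target": TOOL_IMAGE, "Class": "os-pkgs", "Type": "cbl-mariner",
         "Vulnerabilities": [{"VulnerabilityID": "CVE-PLACEHOLDER-3", "PkgName": "moby-engine", "Severity": "HIGH"},
                             {"VulnerabilityID": "CVE-PLACEHOLDER-4", "PkgName": "moby-engine", "Severity": "LOW"}]},
    ]},
    {"ArtifactName": APP_IMAGE, "Results": [
        {"Target": APP_IMAGE, "Class": "os-pkgs", "Type": "alpine", "Vulnerabilities": None},
    ]},
]

if __name__ == "__main__":
    t = triage(SAMPLE_REPORTS, {APP_IMAGE})
    print("listing ok:", listing_ok(t))
    for image, findings in t["informational"].items():
        print(f"tool-only findings ({image}):", findings)
```

Real reports come from `trivy image --format json` run against each image; pass the set of images referenced by the CNAB as `cnab_images`.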

  • Is there any way to handle what is missing or syntax errors while verifying with the verify? A syntax or structural issue in values.yaml, even though it exactly matches the reference in values.yaml. Thanks, Ashish

    • justinroyal
      Microsoft

      Hi theedgespecialist - our team needs some more detailed information to understand your question here. Can you send me a direct message on the community site with more detailed information so we can better understand your question?

      • justinroyal
        Microsoft

        Hi theedgespecialist - I have not gotten any additional information from you regarding this case, but here is some additional information that may be helpful:

        You can try: `helm template --generate-name .` and see if there is any error.

  • jcanale
    Copper Contributor

    Some good explanations of Trivy with Azure DevOps are available here: https://blog.rankiteo.com/devsecops-part-1-image-scanner-security/

  • asif158
    Copper Contributor

    Thanks for the quick reply, justinroyal.

    Regarding the second part of my question, I noticed in the limitations section that single containers are not supported. My current setup uses only a single image.

    Would it be better to switch to two images, or is the current implementation sufficient?

    Apologies for my writing; I'm still pretty new to this.