INSIGHTS-636 - Fix insights-plugins vulnerabilities (#993)

* INSIGHTS-636 Fix insights-plugins vulnerabilities * INSIGHTS-636 Fix insights-plugins vulnerabilities * INSIGHTS-636 Fix insights-plugins vulnerabilities * INSIGHTS-636 Fix insights-plugins vulnerabilities * INSIGHTS-636 Fix insights-plugins vulnerabilities * INSIGHTS-636 Fix insights-plugins vulnerabilities * INSIGHTS-636 Fix insights-plugins vulnerabilities * INSIGHTS-636 Fix insights-plugins vulnerabilities * INSIGHTS-636 Fix insights-plugins vulnerabilities * INSIGHTS-636 Fix insights-plugins vulnerabilities * INSIGHTS-636 Fix insights-plugins vulnerabilities * INSIGHTS-636 Fix insights-plugins vulnerabilities * INSIGHTS-636 Fix insights-plugins vulnerabilities * INSIGHTS-636 Fix insights-plugins vulnerabilities * INSIGHTS-636 Fix insights-plugins vulnerabilities * INSIGHTS-636 Fix insights-plugins vulnerabilities * INSIGHTS-636 Fix insights-plugins vulnerabilities * INSIGHTS-636 Fix insights-plugins vulnerabilities * INSIGHTS-636 Fix insights-plugins vulnerabilities * INSIGHTS-636 Fix insights-plugins vulnerabilities
FairwindsOps · Jan 17, 2025 · 529c5e1 · 529c5e1
1 parent 61a7975
commit 529c5e1
Show file tree

Hide file tree

Showing 13 changed files with 286 additions and 46 deletions.
diff --git a/fairwinds-insights.yaml b/fairwinds-insights.yaml
@@ -8,21 +8,21 @@ images:
     - quay.io/fairwinds/nova:v3.11
     - us-docker.pkg.dev/fairwinds-ops/oss/pluto:v5.21
     - us-docker.pkg.dev/fairwinds-ops/oss/goldilocks:v4.13
-    - quay.io/fairwinds/insights-admission-controller:1.17.8
+    - quay.io/fairwinds/insights-admission-controller:1.17.10
     - quay.io/fairwinds/aws-costs:1.4.2
-    - quay.io/fairwinds/insights-ci:5.7.14
+    - quay.io/fairwinds/insights-ci:5.7.19
     - quay.io/fairwinds/cloud-costs:0.3.11
-    - quay.io/fairwinds/falco-agent:0.3.12
-    - quay.io/fairwinds/fw-kube-bench-aggregator:0.3.22
-    - quay.io/fairwinds/fw-kube-bench:0.5.4
+    - quay.io/fairwinds/falco-agent:0.3.14
+    - quay.io/fairwinds/fw-kube-bench-aggregator:0.3.25
+    - quay.io/fairwinds/fw-kube-bench:0.5.7
     - quay.io/fairwinds/kubectl:0.20.8
-    - quay.io/fairwinds/kyverno:0.3.3
-    - quay.io/fairwinds/fw-opa:2.5.6
+    - quay.io/fairwinds/kyverno:0.3.5
+    - quay.io/fairwinds/fw-opa:2.5.8
     - quay.io/fairwinds/postgres-partman:16.0.1
-    - quay.io/fairwinds/prometheus-collector:1.5.6
-    - quay.io/fairwinds/rbac-reporter:1.3.22
-    - quay.io/fairwinds/right-sizer:0.5.10
-    - quay.io/fairwinds/fw-trivy:0.31.5
+    - quay.io/fairwinds/prometheus-collector:1.5.8
+    - quay.io/fairwinds/rbac-reporter:1.3.24
+    - quay.io/fairwinds/right-sizer:0.5.12
+    - quay.io/fairwinds/fw-trivy:0.31.8
     - quay.io/fairwinds/insights-uploader:0.5.8
     - quay.io/fairwinds/insights-utils:0.0.9
-    - quay.io/fairwinds/workloads:2.6.13
+    - quay.io/fairwinds/workloads:2.6.15
diff --git a/go.work b/go.work
@@ -1,4 +1,4 @@
-go 1.23.0
+go 1.23.1
 
 toolchain go1.23.4
 

diff --git a/go.work.sum b/go.work.sum
diff --git a/plugins/ci/CHANGELOG.md b/plugins/ci/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Changelog
 
+## 5.7.19
+* Fixed helm vulnerability
+
 ## 5.7.18
 * Fixed trivy vulnerability
 

diff --git a/plugins/ci/Dockerfile b/plugins/ci/Dockerfile
@@ -5,7 +5,7 @@ ENV tfsecVersion=1.28.13
 ENV trivyVersion=0.58.2
 ENV polarisVersion=9.6.1
 ENV plutoVersion=5.21.1
-ENV helmVersion=3.16.4
+ENV helmVersion=3.17.0
 
 # Bash and openssl are  required by the Helm script.
 RUN apk update && apk --no-cache add curl bash openssl ca-certificates
@@ -14,8 +14,7 @@ RUN if [ "${TARGETARCH}" = "amd64" ] ; then trivyArch="64bit"; else trivyArch="$
 RUN curl -L https://github.com/aquasecurity/tfsec/releases/download/v${tfsecVersion}/tfsec_${tfsecVersion}_${TARGETOS}_${TARGETARCH}.tar.gz > tfsec.tar.gz && tar -xvf tfsec.tar.gz && mv ./tfsec /usr/local/bin/tfsec && chmod +x /usr/local/bin/tfsec && rm tfsec.tar.gz
 RUN curl -L "https://github.com/FairwindsOps/polaris/releases/download/$polarisVersion/polaris_${TARGETOS}_${TARGETARCH}.tar.gz" > polaris.tar.gz && tar -xvf polaris.tar.gz && chmod +x polaris && rm polaris.tar.gz && mv ./polaris /usr/local/bin/polaris
 RUN curl -L "https://github.com/FairwindsOps/pluto/releases/download/v$plutoVersion/pluto_${plutoVersion}_${TARGETOS}_${TARGETARCH}.tar.gz" > pluto.tar.gz && tar -xvf pluto.tar.gz && chmod +x pluto && rm pluto.tar.gz && mv ./pluto /usr/local/bin/pluto
-
-RUN DESIRED_VERSION=$helmVersion curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
+RUN curl -L https://get.helm.sh/helm-v${helmVersion}-${TARGETOS}-${TARGETARCH}.tar.gz > helm.tar.gz && tar -xvf helm.tar.gz && mv ${TARGETOS}-${TARGETARCH}/helm /usr/local/bin/helm && rm helm.tar.gz
 
 FROM alpine:3.21
 WORKDIR /insights

diff --git a/plugins/ci/version.txt b/plugins/ci/version.txt
@@ -1 +1 @@
-5.7.18
+5.7.19
diff --git a/plugins/kube-bench-aggregator/CHANGELOG.md b/plugins/kube-bench-aggregator/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Changelog
 
+## 0.3.25
+* Bumped kube-bench lib
+
 ## 0.3.24
 * Bumped libs version
 

diff --git a/plugins/kube-bench-aggregator/go.mod b/plugins/kube-bench-aggregator/go.mod
@@ -1,40 +1,39 @@
 module github.com/fairwindsops/insights-plugins/plugins/kube-bench-aggregator
 
-go 1.23.0
+go 1.23.1
 
 toolchain go1.23.4
 
 require github.com/aquasecurity/kube-bench v0.9.4
 
 require (
-	github.com/aws/aws-sdk-go-v2 v1.32.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.2 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.33.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.4 // indirect
 	github.com/aws/smithy-go v1.22.1 // indirect
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
-	github.com/golang/glog v1.2.3 // indirect
+	github.com/golang/glog v1.2.4 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/magiconair/properties v1.8.9 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/onsi/ginkgo v1.16.5 // indirect
 	github.com/onsi/gomega v1.34.1 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/rogpeppe/go-internal v1.12.0 // indirect
-	github.com/sagikazarmark/locafero v0.6.0 // indirect
+	github.com/sagikazarmark/locafero v0.7.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/afero v1.12.0 // indirect
 	github.com/spf13/cast v1.7.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/spf13/viper v1.19.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67 // indirect
-	golang.org/x/net v0.33.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
+	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/client-go v0.32.0 // indirect
+	k8s.io/client-go v0.32.1 // indirect
 )
diff --git a/plugins/kube-bench-aggregator/go.sum b/plugins/kube-bench-aggregator/go.sum
@@ -1,9 +1,9 @@
 github.com/aquasecurity/kube-bench v0.9.4 h1:6Aep3X6VpJT8MXPceBgumFHCvP2BucFba+/dfTDU7d0=
 github.com/aquasecurity/kube-bench v0.9.4/go.mod h1:lqi6+1i3oVIQUdPmnwk0LHH0nIfq4+PLLBFl9f58+iI=
-github.com/aws/aws-sdk-go-v2 v1.32.7 h1:ky5o35oENWi0JYWUZkB7WYvVPP+bcRF5/Iq7JWSb5Rw=
-github.com/aws/aws-sdk-go-v2 v1.32.7/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U=
-github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.2 h1:K19T0ydEbAyKXb6azjJVCGke1xJ/fzOG8skUhrh8vyI=
-github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.2/go.mod h1:ezzhWuvK3dRgRtC9vvG9z1SaHq/POpD9BEfdXnpqkqs=
+github.com/aws/aws-sdk-go-v2 v1.33.0 h1:Evgm4DI9imD81V0WwD+TN4DCwjUMdc94TrduMLbgZJs=
+github.com/aws/aws-sdk-go-v2 v1.33.0/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U=
+github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.4 h1:zFglcUjphRYNX9++btAajm4lkFHUqEEFam6S9Pb73/U=
+github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.4/go.mod h1:8IYDBdfP7wR5P1hZ9WacHyV97Fnvrvbz/LvDjSOynKM=
 github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro=
 github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -17,8 +17,8 @@ github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4
 github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
 github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
-github.com/golang/glog v1.2.3 h1:oDTdz9f5VGVVNGu/Q7UXKWYsD0873HXLHdJUNBsSEKM=
-github.com/golang/glog v1.2.3/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
+github.com/golang/glog v1.2.4 h1:CNNw5U8lSiiBk7druxtSHHTsRWcxKoac6kZKm2peBBc=
+github.com/golang/glog v1.2.4/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
@@ -63,14 +63,14 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
-github.com/sagikazarmark/locafero v0.6.0 h1:ON7AQg37yzcRPU69mt7gwhFEBwxI6P9T4Qu3N51bwOk=
-github.com/sagikazarmark/locafero v0.6.0/go.mod h1:77OmuIc6VTraTXKXIs/uvUxKGUXjE1GbemJYHqdNjX0=
+github.com/sagikazarmark/locafero v0.7.0 h1:5MqpDsTGNDhY8sGp0Aowyf0qKsPrhewaLSsFaodPcyo=
+github.com/sagikazarmark/locafero v0.7.0/go.mod h1:2za3Cg5rMaTMoG/2Ulr9AwtFaIppKXTRYnozin4aB5k=
 github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE=
 github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
 github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
-github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
-github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
+github.com/spf13/afero v1.12.0 h1:UcOPyRBYczmFn6yvphxkn9ZEOY65cpwGKb5mL36mrqs=
+github.com/spf13/afero v1.12.0/go.mod h1:ZTlWwG4/ahT8W7T0WQ5uYmjI9duaLQGy3Q2OAl4sk/4=
 github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y=
 github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
@@ -91,8 +91,8 @@ go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN8
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67 h1:1UoZQm6f0P/ZO0w1Ri+f+ifG/gXhegadRdwBIXEFWDo=
-golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67/go.mod h1:qj5a5QZpwLU2NLQudwIN5koi3beDhSAlJwa67PuM98c=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 h1:yqrTHse8TCMW1M1ZCP+VAR/l0kKxwaAIqN/il7x4voA=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -113,8 +113,8 @@ golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
@@ -147,5 +147,5 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/client-go v0.32.0 h1:DimtMcnN/JIKZcrSrstiwvvZvLjG0aSxy8PxN8IChp8=
-k8s.io/client-go v0.32.0/go.mod h1:boDWvdM1Drk4NJj/VddSLnx59X3OPgwrOo0vGbtq9+8=
+k8s.io/client-go v0.32.1 h1:otM0AxdhdBIaQh7l1Q0jQpmo7WOFIk5FFa4bg6YMdUU=
+k8s.io/client-go v0.32.1/go.mod h1:aTTKZY7MdxUaJ/KiUs8D+GssR9zJZi77ZqtzcGXIiDg=
diff --git a/plugins/kube-bench-aggregator/version.txt b/plugins/kube-bench-aggregator/version.txt
@@ -1 +1 @@
-0.3.24
+0.3.25
diff --git a/plugins/kube-bench/CHANGELOG.md b/plugins/kube-bench/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Changelog
 
+## 0.5.7
+* Bumped docker image
+
 ## 0.5.6
 * Bumped libs version
 

diff --git a/plugins/kube-bench/Dockerfile b/plugins/kube-bench/Dockerfile
@@ -1,4 +1,4 @@
-FROM aquasec/kube-bench:v0.9.4
+FROM aquasec/kube-bench:v0.10.0
 
 ARG TARGETARCH
 ARG TARGETOS

diff --git a/plugins/kube-bench/version.txt b/plugins/kube-bench/version.txt
@@ -1 +1 @@
-0.5.6
+0.5.7