From ec892d4dedc6c8d9e8c0142679b6dc7448a96c6d Mon Sep 17 00:00:00 2001 From: TrueCharts-Bot Date: Fri, 25 Feb 2022 14:23:56 +0000 Subject: [PATCH] Commit released Helm Chart and docs for TrueCharts Signed-off-by: TrueCharts-Bot --- charts/incubator/deemix/CHANGELOG.md | 1 - charts/incubator/deemix/security.md | 21 +++++++++------------ charts/library/common/CHANGELOG.md | 9 +++++++++ charts/library/common/helm-values.md | 6 ++++++ docs/apps/common/helm-values.md | 6 ++++++ docs/apps/incubator/deemix/CHANGELOG.md | 1 - docs/apps/incubator/deemix/security.md | 21 +++++++++------------ docs/index.yaml | 23 ++++++++++++++++++++++- 8 files changed, 61 insertions(+), 27 deletions(-) diff --git a/charts/incubator/deemix/CHANGELOG.md b/charts/incubator/deemix/CHANGELOG.md index 9f3a2d70fd3..969fcae6544 100644 --- a/charts/incubator/deemix/CHANGELOG.md +++ b/charts/incubator/deemix/CHANGELOG.md @@ -7,4 +7,3 @@ #### Feat * Add deemix ([#1933](https://github.com/truecharts/apps/issues/1933)) - diff --git a/charts/incubator/deemix/security.md b/charts/incubator/deemix/security.md index 7f05ac262a6..75c6b357467 100644 --- a/charts/incubator/deemix/security.md +++ b/charts/incubator/deemix/security.md @@ -12,9 +12,9 @@ hide: ##### Scan Results #### Chart Object: deemix/templates/common.yaml - - + + | Type | Misconfiguration ID | Check | Severity | Explaination | Links | |:----------------|:------------------:|:-----------:|:------------------:|-----------------------------------------|-----------------------------------------| | Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM |
Expand... A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.


Container 'inotify' of Deployment 'RELEASE-NAME-deemix' should set 'securityContext.allowPrivilegeEscalation' to false
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv001
| @@ -51,11 +51,11 @@ hide: #### Container: tccr.io/truecharts/alpine:v3.14.2@sha256:4095394abbae907e94b1f2fd2e2de6c4f201a5b9704573243ca8eb16db8cdb7c (alpine 3.14.2) - + **alpine** - + | Package | Vulnerability | Severity | Installed Version | Fixed Version | Links | |:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------| | busybox | CVE-2021-42378 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42378
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| @@ -83,11 +83,11 @@ hide: #### Container: tccr.io/truecharts/alpine:v3.14.2@sha256:4095394abbae907e94b1f2fd2e2de6c4f201a5b9704573243ca8eb16db8cdb7c (alpine 3.14.2) - + **alpine** - + | Package | Vulnerability | Severity | Installed Version | Fixed Version | Links | |:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------| | busybox | CVE-2021-42378 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42378
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| @@ -115,11 +115,11 @@ hide: #### Container: tccr.io/truecharts/deemix:latest@sha256:cc770caa2f11b2e1b89129e17ebbbbb2533bd3e7c93303e52a072e1b3e471f70 (ubuntu 20.04) - + **ubuntu** - + | Package | Vulnerability | Severity | Installed Version | Fixed Version | Links | |:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------| | bash | CVE-2019-18276 | LOW | 5.0-6ubuntu1.1 | |
Expand...http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276
https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff
https://linux.oracle.com/cve/CVE-2019-18276.html
https://linux.oracle.com/errata/ELSA-2021-1679.html
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
https://security.gentoo.org/glsa/202105-34
https://security.netapp.com/advisory/ntap-20200430-0003/
https://www.youtube.com/watch?v=-wGtxJ8opa8
| @@ -250,9 +250,6 @@ hide: **node-pkg** - + | No Vulnerabilities found | |:---------------------------------| - - - diff --git a/charts/library/common/CHANGELOG.md b/charts/library/common/CHANGELOG.md index 6e42471df87..5eb2041eaee 100644 --- a/charts/library/common/CHANGELOG.md +++ b/charts/library/common/CHANGELOG.md @@ -1,6 +1,15 @@ # Changelog
+ +### [common-8.17.1](https://github.com/truecharts/apps/compare/common-8.17.0...common-8.17.1) (2022-02-25) + +#### Fix + +* correctly disable host docker-compose ([#1964](https://github.com/truecharts/apps/issues/1964)) + + + ### [common-8.17.0](https://github.com/truecharts/apps/compare/common-8.16.1...common-8.17.0) (2022-02-24) diff --git a/charts/library/common/helm-values.md b/charts/library/common/helm-values.md index a5922a35ae5..0a2c4b78d70 100644 --- a/charts/library/common/helm-values.md +++ b/charts/library/common/helm-values.md @@ -153,6 +153,9 @@ This chart is used by a lot of our Apps to provide sane defaults and logic. | persistence.custom-mount.mountPath | string | `nil` | Where to mount the volume in the main container. Defaults to `/`, setting to '-' creates the volume but disables the volumeMount. | | persistence.custom-mount.readOnly | bool | `false` | Specify if the volume should be mounted read-only. | | persistence.custom-mount.volumeSpec | object | `{}` | Define the custom Volume spec here [[ref]](https://kubernetes.io/docs/concepts/storage/volumes/) | +| persistence.host-bin | object | See below | Hostpath mountpoint to allow mounting the /bin folder to disable docker-compose [[ref]]https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) TODO Delete this once iX has blocked docker-compose | +| persistence.host-bin.hostPath | string | `"/bin"` | Which path on the host should be mounted. | +| persistence.host-bin.mountPath | string | `"/host/bin"` | Where to mount the path in the main container. Defaults to the value of `hostPath` | | persistence.host-dev | object | See below | Example of a hostPath mount [[ref]]https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) | | persistence.host-dev.hostPath | string | `"/dev"` | Which path on the host should be mounted. | | persistence.host-dev.hostPathType | string | `""` | Specifying a hostPathType adds a check before trying to mount the path. See Kubernetes documentation for options. | @@ -165,6 +168,9 @@ This chart is used by a lot of our Apps to provide sane defaults and logic. | persistence.host-simple-dev.mountPath | string | `""` | Where to mount the path in the main container. Defaults to the value of `hostPath` | | persistence.host-simple-dev.readOnly | bool | `true` | Specify if the path should be mounted read-only. | | persistence.host-simple-dev.setPermissionsSimple | bool | `false` | Automatic set permissions using chown and chmod | +| persistence.host-usr-bin | object | See below | Hostpath mountpoint to allow mounting the /usr/bin folder to disable docker-compose [[ref]]https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) TODO Delete this once iX has blocked docker-compose | +| persistence.host-usr-bin.hostPath | string | `"/usr/bin"` | Which path on the host should be mounted. | +| persistence.host-usr-bin.mountPath | string | `"/host/usr/bin"` | Where to mount the path in the main container. Defaults to the value of `hostPath` | | persistence.secret-example | object | See below | Example of a secret mount | | persistence.secret-example.defaultMode | int | `777` | define the default mount mode for the secret | | persistence.secret-example.items | list | `[{"key":"username","path":"my-group/my-username"}]` | Define the secret items to be mounted | diff --git a/docs/apps/common/helm-values.md b/docs/apps/common/helm-values.md index a5922a35ae5..0a2c4b78d70 100644 --- a/docs/apps/common/helm-values.md +++ b/docs/apps/common/helm-values.md @@ -153,6 +153,9 @@ This chart is used by a lot of our Apps to provide sane defaults and logic. | persistence.custom-mount.mountPath | string | `nil` | Where to mount the volume in the main container. Defaults to `/`, setting to '-' creates the volume but disables the volumeMount. | | persistence.custom-mount.readOnly | bool | `false` | Specify if the volume should be mounted read-only. | | persistence.custom-mount.volumeSpec | object | `{}` | Define the custom Volume spec here [[ref]](https://kubernetes.io/docs/concepts/storage/volumes/) | +| persistence.host-bin | object | See below | Hostpath mountpoint to allow mounting the /bin folder to disable docker-compose [[ref]]https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) TODO Delete this once iX has blocked docker-compose | +| persistence.host-bin.hostPath | string | `"/bin"` | Which path on the host should be mounted. | +| persistence.host-bin.mountPath | string | `"/host/bin"` | Where to mount the path in the main container. Defaults to the value of `hostPath` | | persistence.host-dev | object | See below | Example of a hostPath mount [[ref]]https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) | | persistence.host-dev.hostPath | string | `"/dev"` | Which path on the host should be mounted. | | persistence.host-dev.hostPathType | string | `""` | Specifying a hostPathType adds a check before trying to mount the path. See Kubernetes documentation for options. | @@ -165,6 +168,9 @@ This chart is used by a lot of our Apps to provide sane defaults and logic. | persistence.host-simple-dev.mountPath | string | `""` | Where to mount the path in the main container. Defaults to the value of `hostPath` | | persistence.host-simple-dev.readOnly | bool | `true` | Specify if the path should be mounted read-only. | | persistence.host-simple-dev.setPermissionsSimple | bool | `false` | Automatic set permissions using chown and chmod | +| persistence.host-usr-bin | object | See below | Hostpath mountpoint to allow mounting the /usr/bin folder to disable docker-compose [[ref]]https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) TODO Delete this once iX has blocked docker-compose | +| persistence.host-usr-bin.hostPath | string | `"/usr/bin"` | Which path on the host should be mounted. | +| persistence.host-usr-bin.mountPath | string | `"/host/usr/bin"` | Where to mount the path in the main container. Defaults to the value of `hostPath` | | persistence.secret-example | object | See below | Example of a secret mount | | persistence.secret-example.defaultMode | int | `777` | define the default mount mode for the secret | | persistence.secret-example.items | list | `[{"key":"username","path":"my-group/my-username"}]` | Define the secret items to be mounted | diff --git a/docs/apps/incubator/deemix/CHANGELOG.md b/docs/apps/incubator/deemix/CHANGELOG.md index 9f3a2d70fd3..969fcae6544 100644 --- a/docs/apps/incubator/deemix/CHANGELOG.md +++ b/docs/apps/incubator/deemix/CHANGELOG.md @@ -7,4 +7,3 @@ #### Feat * Add deemix ([#1933](https://github.com/truecharts/apps/issues/1933)) - diff --git a/docs/apps/incubator/deemix/security.md b/docs/apps/incubator/deemix/security.md index 7f05ac262a6..75c6b357467 100644 --- a/docs/apps/incubator/deemix/security.md +++ b/docs/apps/incubator/deemix/security.md @@ -12,9 +12,9 @@ hide: ##### Scan Results #### Chart Object: deemix/templates/common.yaml - - + + | Type | Misconfiguration ID | Check | Severity | Explaination | Links | |:----------------|:------------------:|:-----------:|:------------------:|-----------------------------------------|-----------------------------------------| | Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM |
Expand... A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.


Container 'inotify' of Deployment 'RELEASE-NAME-deemix' should set 'securityContext.allowPrivilegeEscalation' to false
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv001
| @@ -51,11 +51,11 @@ hide: #### Container: tccr.io/truecharts/alpine:v3.14.2@sha256:4095394abbae907e94b1f2fd2e2de6c4f201a5b9704573243ca8eb16db8cdb7c (alpine 3.14.2) - + **alpine** - + | Package | Vulnerability | Severity | Installed Version | Fixed Version | Links | |:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------| | busybox | CVE-2021-42378 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42378
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| @@ -83,11 +83,11 @@ hide: #### Container: tccr.io/truecharts/alpine:v3.14.2@sha256:4095394abbae907e94b1f2fd2e2de6c4f201a5b9704573243ca8eb16db8cdb7c (alpine 3.14.2) - + **alpine** - + | Package | Vulnerability | Severity | Installed Version | Fixed Version | Links | |:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------| | busybox | CVE-2021-42378 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42378
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| @@ -115,11 +115,11 @@ hide: #### Container: tccr.io/truecharts/deemix:latest@sha256:cc770caa2f11b2e1b89129e17ebbbbb2533bd3e7c93303e52a072e1b3e471f70 (ubuntu 20.04) - + **ubuntu** - + | Package | Vulnerability | Severity | Installed Version | Fixed Version | Links | |:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------| | bash | CVE-2019-18276 | LOW | 5.0-6ubuntu1.1 | |
Expand...http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276
https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff
https://linux.oracle.com/cve/CVE-2019-18276.html
https://linux.oracle.com/errata/ELSA-2021-1679.html
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
https://security.gentoo.org/glsa/202105-34
https://security.netapp.com/advisory/ntap-20200430-0003/
https://www.youtube.com/watch?v=-wGtxJ8opa8
| @@ -250,9 +250,6 @@ hide: **node-pkg** - + | No Vulnerabilities found | |:---------------------------------| - - - diff --git a/docs/index.yaml b/docs/index.yaml index 68213c0f7f1..2745cd2899c 100644 --- a/docs/index.yaml +++ b/docs/index.yaml @@ -5837,6 +5837,27 @@ entries: - https://github.com/truecharts/apps/releases/download/collabora-online-9.0.20/collabora-online-9.0.20.tgz version: 9.0.20 common: + - apiVersion: v2 + appVersion: latest + created: "2022-02-25T14:23:55.591672522Z" + description: Function library for TrueCharts + digest: e558b5f3af742178dc54f2c207116e31a0bc85826d65d177ae261720dd2e1b6a + home: https://github.com/truecharts/apps/tree/master/charts/common + icon: https://avatars.githubusercontent.com/u/76400755 + keywords: + - truecharts + - library-chart + - common + kubeVersion: '>=1.16.0-0' + maintainers: + - email: info@truecharts.org + name: TrueCharts + url: https://truecharts.org + name: common + type: library + urls: + - https://github.com/truecharts/apps/releases/download/common-8.17.1/common-8.17.1.tgz + version: 8.17.1 - apiVersion: v2 appVersion: latest created: "2022-02-22T19:25:29.949684136Z" @@ -64696,4 +64717,4 @@ entries: urls: - https://github.com/truecharts/apps/releases/download/zwavejs2mqtt-9.0.24/zwavejs2mqtt-9.0.24.tgz version: 9.0.24 -generated: "2022-02-25T11:41:32.854830642Z" +generated: "2022-02-25T14:23:55.596696759Z"