Fix CLI CVEs
Fix all vulnerabilities in the Okteto CLI Docker image using systematic vulnerability scanning and remediation.
CONTEXT
- •The source code and Dockerfile for this image are in this repository
- •The Dockerfile includes multiple binaries: kubectl, helm, kustomize, git, syncthing, and the Okteto CLI itself
- •Go dependencies for the Okteto CLI binary are in
go.modandgo.sum - •Go dependencies for internal tools (remote, supervisor, clean) are in
tools/go.modandtools/go.sum - •Binary versions are defined as ARG variables at the top of the Dockerfile (lines 3-18)
- •Internal tools (remote, supervisor, clean) are built from source in the
tools-builderstage - •Focus on CRITICAL and HIGH severity vulnerabilities first, then address medium/low as needed
WORKFLOW
1. Build and Scan Process
- •Build the image:
docker build -t okteto-cli:test .(do not use--no-cacheunless necessary) - •Scan for vulnerabilities:
trivy image --severity CRITICAL,HIGH okteto-cli:test - •For full scan:
trivy image okteto-cli:test - •Analyze scan results to identify specific packages and CVEs that need attention
2. Generate CVE Summary Table
Before attempting any fixes, create a summary table showing the current state:
## CVE Summary | Binario | CVEs HIGH | CVEs CRITICAL | Estado | | ----------------------- | --------- | ------------- | ---------------------- | | syncthing | X | Y | ✅/⚠️/❌ [Description] | | kustomize | X | Y | ✅/⚠️/❌ [Description] | | kubectl | X | Y | ✅/⚠️/❌ [Description] | | helm/helm3/helm4 | X | Y | ✅/⚠️/❌ [Description] | | okteto | X | Y | ✅/⚠️/❌ [Description] | | git | X | Y | ✅/⚠️/❌ [Description] | | clean/remote/supervisor | X | Y | ✅/⚠️/❌ [Description] | Total: X CRITICAL, Y HIGH
Status indicators:
- •✅ Clean - No vulnerabilities
- •⚠️ Warning - False positive or minor issue
- •❌ Action needed - Real CVEs requiring fixes
Then list each CVE found with details:
- •CVE ID
- •Component and version
- •Vulnerability description
- •Fixed version available
- •Impact/severity
3. Vulnerability Remediation
- •Repeat the build and scan process after each set of changes
- •Continue until all CRITICAL and HIGH vulnerabilities are resolved or you cannot fix more CVEs
Version update policy:
- •Patch updates (v1.2.3 → v1.2.4): Apply automatically
- •Minor updates (v1.2.3 → v1.3.0): Ask user for confirmation before updating
- •Major updates (v1.x → v2.x): Ask user for confirmation before updating
For Dockerfile binaries (kubectl, helm, kustomize, git, etc.):
- •Check release pages for available versions:
- •Update version ARG at top of Dockerfile (e.g.,
ARG KUBECTL_VERSION=1.34.5) - •Follow version update policy above
For Go dependencies (okteto binary):
- •Update to specific patched version:
go get -u <module>@<patch-version> - •Clean up:
go mod tidy - •Follow version update policy above
For internal tools (remote, supervisor, clean):
- •Tools are built from source in
tools/directory - •Update Go dependencies in
tools/go.mod:cd tools && go get -u <module>@<patch-version> - •Clean up:
cd tools && go mod tidy - •Run tools tests:
cd tools && make test - •Follow version update policy above
4. Functionality Verification
Once vulnerabilities are fixed, verify the CLI still works correctly:
- •Run CLI unit tests:
make test - •Run CLI linting:
make lint - •Run tools tests:
cd tools && make test - •Run tools linting:
cd tools && make lint - •Test the Docker image:
docker run okteto-cli:test version
IMPORTANT CONSTRAINTS
- •kubectl maintenance: Keep
kubectlupdated to latest patch of max minor Kubernetes version supported by Okteto - •kubectl preservation: Never remove
kubectlfrom the image - it's required for functionality - •Breaking changes: Some updates may break compatibility - test thoroughly
- •Binary compatibility: Ensure all binaries work on the Alpine/BusyBox base image
PULL REQUEST REQUIREMENTS
If you did any change, create a PR for vulnerability fixes:
Required Labels
- •
area/security
Required Content
- •
Clear status statement: First line must clearly state whether ALL CRITICAL/HIGH vulnerabilities have been fixed or not
- •
Before/after scans: Include trivy scan results before and after changes using:
codetrivy image --severity CRITICAL,HIGH okteto-cli:test
- •
Summary of changes: List specific updates (e.g., "kubectl 1.34.3 → 1.35.0", "github.com/foo/bar v1.2.3 → v1.2.4")
Commit Message Format
fix: update vulnerable dependencies - Update kubectl from 1.34.3 to 1.35.0 (fixes CVE-2024-XXXXX) - Update github.com/example/module from v1.2.3 to v1.2.4 (fixes CVE-2024-YYYYY) Resolves X CRITICAL and Y HIGH severity vulnerabilities. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>