fix-cves

📁 okteto/okteto 📅 Today

总安装量

周安装量

安装命令

npx skills add https://github.com/okteto/okteto --skill fix-cves

Agent 安装分布

amp 1

cline 1

opencode 1

cursor 1

continue 1

kimi-cli 1

Skill 文档

Fix CLI CVEs

Fix all vulnerabilities in the Okteto CLI Docker image using systematic vulnerability scanning and remediation.

CONTEXT

The source code and Dockerfile for this image are in this repository
The Dockerfile includes multiple binaries: kubectl, helm, kustomize, git, syncthing, and the Okteto CLI itself
Go dependencies for the Okteto CLI binary are in go.mod and go.sum
Go dependencies for internal tools (remote, supervisor, clean) are in tools/go.mod and tools/go.sum
Binary versions are defined as ARG variables at the top of the Dockerfile (lines 3-18)
Internal tools (remote, supervisor, clean) are built from source in the tools-builder stage
Focus on CRITICAL and HIGH severity vulnerabilities first, then address medium/low as needed

WORKFLOW

1. Build and Scan Process

Build the image: docker build -t okteto-cli:test . (do not use --no-cache unless necessary)
Scan for vulnerabilities: trivy image --severity CRITICAL,HIGH okteto-cli:test
For full scan: trivy image okteto-cli:test
Analyze scan results to identify specific packages and CVEs that need attention

2. Generate CVE Summary Table

Before attempting any fixes, create a summary table showing the current state:

## CVE Summary

| Binario                 | CVEs HIGH | CVEs CRITICAL | Estado                 |
| ----------------------- | --------- | ------------- | ---------------------- |
| syncthing               | X         | Y             | â/â ï¸/â [Description] |
| kustomize               | X         | Y             | â/â ï¸/â [Description] |
| kubectl                 | X         | Y             | â/â ï¸/â [Description] |
| helm/helm3/helm4        | X         | Y             | â/â ï¸/â [Description] |
| okteto                  | X         | Y             | â/â ï¸/â [Description] |
| git                     | X         | Y             | â/â ï¸/â [Description] |
| clean/remote/supervisor | X         | Y             | â/â ï¸/â [Description] |

Total: X CRITICAL, Y HIGH

Status indicators:

â Clean – No vulnerabilities
â ï¸ Warning – False positive or minor issue
â Action needed – Real CVEs requiring fixes

Then list each CVE found with details:

CVE ID
Component and version
Vulnerability description
Fixed version available
Impact/severity

3. Vulnerability Remediation

Repeat the build and scan process after each set of changes
Continue until all CRITICAL and HIGH vulnerabilities are resolved or you cannot fix more CVEs

Version update policy:

Patch updates (v1.2.3 â v1.2.4): Apply automatically
Minor updates (v1.2.3 â v1.3.0): Ask user for confirmation before updating
Major updates (v1.x â v2.x): Ask user for confirmation before updating

For Dockerfile binaries (kubectl, helm, kustomize, git, etc.):

Check release pages for available versions:
- kubectl: https://github.com/kubernetes/kubernetes/releases
- helm: https://github.com/helm/helm/releases
- kustomize: https://github.com/kubernetes-sigs/kustomize/releases
- git: https://mirrors.edge.kernel.org/pub/software/scm/git/
Update version ARG at top of Dockerfile (e.g., ARG KUBECTL_VERSION=1.34.5)
Follow version update policy above

For Go dependencies (okteto binary):

Update to specific patched version: go get -u <module>@<patch-version>
Clean up: go mod tidy
Follow version update policy above

For internal tools (remote, supervisor, clean):

Tools are built from source in tools/ directory
Update Go dependencies in tools/go.mod: cd tools && go get -u <module>@<patch-version>
Clean up: cd tools && go mod tidy
Run tools tests: cd tools && make test
Follow version update policy above

4. Functionality Verification

Once vulnerabilities are fixed, verify the CLI still works correctly:

Run CLI unit tests: make test
Run CLI linting: make lint
Run tools tests: cd tools && make test
Run tools linting: cd tools && make lint
Test the Docker image: docker run okteto-cli:test version

IMPORTANT CONSTRAINTS

kubectl maintenance: Keep kubectl updated to latest patch of max minor Kubernetes version supported by Okteto
kubectl preservation: Never remove kubectl from the image – it’s required for functionality
Breaking changes: Some updates may break compatibility – test thoroughly
Binary compatibility: Ensure all binaries work on the Alpine/BusyBox base image

PULL REQUEST REQUIREMENTS

If you did any change, create a PR for vulnerability fixes:

Required Labels

area/security

Required Content

Clear status statement: First line must clearly state whether ALL CRITICAL/HIGH vulnerabilities have been fixed or not
Before/after scans: Include trivy scan results before and after changes using:
```
trivy image --severity CRITICAL,HIGH okteto-cli:test
```
Summary of changes: List specific updates (e.g., “kubectl 1.34.3 â 1.35.0”, “github.com/foo/bar v1.2.3 â v1.2.4”)

Commit Message Format

fix: update vulnerable dependencies

- Update kubectl from 1.34.3 to 1.35.0 (fixes CVE-2024-XXXXX)
- Update github.com/example/module from v1.2.3 to v1.2.4 (fixes CVE-2024-YYYYY)

Resolves X CRITICAL and Y HIGH severity vulnerabilities.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台