AWS secuiry scans Critical CVE-2021-3538 - github.com/satori/go.uuid

[kannamr]

Which component are you using?: Cluster-autoscaler

Cluster-autoscaler

What version of the component are you using?: 1.25.1, 1.26.2

Component version: 1.25.1

What k8s version are you using (kubectl version)?: 1.25.8

kubectl version Output

$ kubectl version: 1.25.8

What environment is this in?: KOPS

What did you expect to happen?: I want 0 vulnerabilities in the AWS scans

What happened instead?: the scans show 1 Critical and 1 Medium

[Shubham82]

At present github.com/satori/go.uuid is used only in alicloud provider. It is used in the sdk package of it, see this: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/alicloud/alibaba-cloud-sdk-go/sdk/utils/utils.go#L38

So we have to fix it there. Previously it was also in magnum and kamatera cloud providers but it was resolved for them. Here is the issue: #5218. and lots of other issues previously opened for it but closed now due to no work. Here are the following issues: #4715 and #4068.

[Shubham82]

cc @ringtail @IrisIris
PTAL!

[Shubham82]

Hi @ringtail @IrisIris

Could you please take a look?

[ringtail]

@Shubham82 sure. @IrisIris is working on it.

[Shubham82]

@Shubham82 sure. @IrisIris is working on it.

Thanks @ringtail for the information

[Shubham82]

The corresponding PR #5749 is closed with the comment.

So closing this issue, please reopen it if it is still needed.

[Shubham82]

/close

[k8s-ci-robot]

@Shubham82: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.