okteto/fix-cves

Fix CLI CVEs

Fix all vulnerabilities in the Okteto CLI Docker image using systematic vulnerability scanning and remediation.

CONTEXT

• The source code and Dockerfile for this image are in this repository
• The Dockerfile includes multiple binaries: kubectl, helm, kustomize, git, syncthing, and the Okteto CLI itself
• Go dependencies for the Okteto CLI binary are in go.mod and go.sum
• Go dependencies for internal tools (remote, supervisor, clean) are in tools/go.mod and tools/go.sum
• Binary versions are defined as ARG variables at the top of the Dockerfile (lines 3-18)
• Internal tools (remote, supervisor, clean) are built from source in the tools-builder stage
• Focus on CRITICAL and HIGH severity vulnerabilities first, then address medium/low as needed

WORKFLOW

1. Build and Scan Process

• Build the image: docker build -t okteto-cli:test . (do not use --no-cache unless necessary)
• Scan for vulnerabilities: trivy image --severity CRITICAL,HIGH okteto-cli:test
• For full scan: trivy image okteto-cli:test
• Analyze scan results to identify specific packages and CVEs that need attention

2. Generate CVE Summary Table

Before attempting any fixes, create a summary table showing the current state:

## CVE Summary

| Binario                 | CVEs HIGH | CVEs CRITICAL | Estado                 |
| ----------------------- | --------- | ------------- | ---------------------- |
| syncthing               | X         | Y             | ✅/⚠️/❌ [Description] |
| kustomize               | X         | Y             | ✅/⚠️/❌ [Description] |
| kubectl                 | X         | Y             | ✅/⚠️/❌ [Description] |
| helm/helm3/helm4        | X         | Y             | ✅/⚠️/❌ [Description] |
| okteto                  | X         | Y             | ✅/⚠️/❌ [Description] |
| git                     | X         | Y             | ✅/⚠️/❌ [Description] |
| clean/remote/supervisor | X         | Y             | ✅/⚠️/❌ [Description] |

Total: X CRITICAL, Y HIGH

Status indicators:

• ✅ Clean - No vulnerabilities
• ⚠️ Warning - False positive or minor issue
• ❌ Action needed - Real CVEs requiring fixes

Then list each CVE found with details:

• CVE ID
• Component and version
• Vulnerability description
• Fixed version available
• Impact/severity

3. Vulnerability Remediation

• Repeat the build and scan process after each set of changes
• Continue until all CRITICAL and HIGH vulnerabilities are resolved or you cannot fix more CVEs

Version update policy:

• Patch updates (v1.2.3 → v1.2.4): Apply automatically
• Minor updates (v1.2.3 → v1.3.0): Ask user for confirmation before updating
• Major updates (v1.x → v2.x): Ask user for confirmation before updating

For Dockerfile binaries (kubectl, helm, kustomize, git, etc.):

• Check release pages for available versions:
  • kubectl: https://github.com/kubernetes/kubernetes/releases
  • helm: https://github.com/helm/helm/releases
  • kustomize: https://github.com/kubernetes-sigs/kustomize/releases
  • git: https://mirrors.edge.kernel.org/pub/software/scm/git/
• Update version ARG at top of Dockerfile (e.g., ARG KUBECTL_VERSION=1.34.5)
• Follow version update policy above

For Go dependencies (okteto binary):

• Update to specific patched version: go get -u <module>@<patch-version>
• Clean up: go mod tidy
• Follow version update policy above

For internal tools (remote, supervisor, clean):

• Tools are built from source in tools/ directory
• Update Go dependencies in tools/go.mod: cd tools && go get -u <module>@<patch-version>
• Clean up: cd tools && go mod tidy
• Run tools tests: cd tools && make test
• Follow version update policy above

4. Functionality Verification

Once vulnerabilities are fixed, verify the CLI still works correctly:

• Run CLI unit tests: make test
• Run CLI linting: make lint
• Run tools tests: cd tools && make test
• Run tools linting: cd tools && make lint
• Test the Docker image: docker run okteto-cli:test version

IMPORTANT CONSTRAINTS

• kubectl maintenance: Keep kubectl updated to latest patch of max minor Kubernetes version supported by Okteto
• kubectl preservation: Never remove kubectl from the image - it's required for functionality
• Breaking changes: Some updates may break compatibility - test thoroughly
• Binary compatibility: Ensure all binaries work on the Alpine/BusyBox base image

PULL REQUEST REQUIREMENTS

If you did any change, create a PR for vulnerability fixes:

Required Labels

• area/security

Required Content

• Clear status statement: First line must clearly state whether ALL CRITICAL/HIGH vulnerabilities have been fixed or not

• Before/after scans: Include trivy scan results before and after changes using:

  trivy image --severity CRITICAL,HIGH okteto-cli:test
  

• Summary of changes: List specific updates (e.g., "kubectl 1.34.3 → 1.35.0", "github.com/foo/bar v1.2.3 → v1.2.4")

Commit Message Format

fix: update vulnerable dependencies

- Update kubectl from 1.34.3 to 1.35.0 (fixes CVE-2024-XXXXX)
- Update github.com/example/module from v1.2.3 to v1.2.4 (fixes CVE-2024-YYYYY)

Resolves X CRITICAL and Y HIGH severity vulnerabilities.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>