If your private FOSSA installation does not use the security product (i.e. vulnerability scanning), or is managed by FOSSA (i.e. is hosted at a fossa.com domain), no action is required.
On Friday, February 25, 2022, we discovered an issue with FOSSA v3.44.36 and later that prevents Over-The-Air (OTA) vulnerability updates from working. This is due to a change to the FOSSA database schema that is incompatible with the OTA vulnerability updater component. Private FOSSA installations running FOSSA v3.44.36 and later combined with Helm charts prior to v1.23.0 will not receive OTA vulnerability updates.
Helm charts starting from v1.23.0 will deploy a new version of the OTA vulnerability updater component that is resilient to these changes, and we do not expect this issue to occur again.
How can I tell if I'm affected?
You can check which Helm chart version you are on by running "helm ls -n fossa", where "fossa" is the namespace where your FOSSA installation is deployed to.
What do I need to do?
No matter which FOSSA version you have deployed, please upgrade to Helm chart v1.23.0 or later to ensure vulnerability data continues to be updated. This is important to ensure FOSSA can notify your users of any newly disclosed 0-day vulnerabilities.
If for some reason you cannot upgrade the Helm charts directly, you can upgrade the OTA vulnerability update component on its own, which will also resolve the issue. As of today, this can be done by setting the vulns.updater.image.tag value to master-fa78478.
How can I verify OTA updates are working?
You can manually run an OTA update job by executing:
kubectl create job --from=cronjob/${namespace}-vulns-updater vulns-updater-manual-1
where ${namespace} is the Kubernetes namespace that your FOSSA installation is deployed to. If OTA updates are not working, the pod status will change to "failed" after a few minutes:
kubectl get pods | grep vulns-updater-manual-1
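As an added example (not FOSSA's own tooling) that ties the steps above together: a POSIX shell script that reads the chart version from "helm ls", compares it against v1.23.0 and, only when the chart is already fixed, creates the manual updater job and reports the pod phase. It assumes FOSSA is the only Helm release in the namespace, that the CHART column ends in "-<semver>", and that the file is saved as fossa-ota-check.sh.

```shell
#!/bin/sh
# Added example, not FOSSA's own tooling: decide from "helm ls" output whether a
# private FOSSA installation runs a Helm chart older than v1.23.0 and, if not,
# run the article's manual OTA updater job and report the resulting pod phase.
# Assumes FOSSA is the only release in the namespace, its CHART column ends in
# "-<semver>", and helm/kubectl on PATH can reach the cluster.
FIXED_CHART="1.23.0"   # first chart version shipping the resilient updater
# Print the chart version from one data row of "helm ls": the CHART column is
# "<chartname>-x.y.z", so take the field ending in "-x.y.z" and strip the name.
chart_version_from_row() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
    if ($i ~ /^[A-Za-z][^ ]*-[0-9]+\.[0-9]+\.[0-9]+$/) { sub(/.*-/, "", $i); print $i; exit } }'
}
# Exit 0 when dotted version $1 is strictly older than $2, comparing numerically.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN { n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1 }
    exit 1 }'
}
# Exit 0 when the release in the given "helm ls" row is affected (chart < 1.23.0);
# a row whose version cannot be parsed is reported as not affected.
chart_is_affected() {
  v="$(chart_version_from_row "$1")"
  [ -n "$v" ] && version_lt "$v" "$FIXED_CHART"
}
# Map the pod phase kubectl reports for the manual job to the article's outcome.
updater_outcome() {
  case "$1" in
    Failed)    echo "failed: OTA updates are not working" ;;
    Succeeded) echo "ok: OTA update job completed" ;;
    *)         echo "pending: pod phase is '$1', check again in a few minutes" ;;
  esac
}

main() {
  ns="${1:-fossa}"
  row="$(helm ls -n "$ns" | awk 'NR == 2')"
  if chart_is_affected "$row"; then
    echo "chart $(chart_version_from_row "$row") < $FIXED_CHART: upgrade the Helm chart" >&2; exit 1
  fi
  kubectl -n "$ns" create job --from="cronjob/${ns}-vulns-updater" vulns-updater-manual-1
  sleep 180   # give the job a few minutes to finish or fail
  updater_outcome "$(kubectl -n "$ns" get pods -l job-name=vulns-updater-manual-1 \
    -o jsonpath='{.items[0].status.phase}')"
}
# Run main only when executed as a script; sourcing the file just defines the functions.
case "${0##*/}" in fossa-ota-check.sh) main "$@" ;; esac
```

Run it as "sh fossa-ota-check.sh <namespace>"; a non-zero exit with the "upgrade the Helm chart" message means the installation is affected before any job is created.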