Hi Anandi,

Removed private@ from the response. Copied in dev@ as this is not something we
need to do in private.

The remediation work has been taking place over the last weeks in the
master branch.
Please check the current master branch for all these remediations. It
includes moving
to later versions of Golang, node-js and angular and lots of dependency updates.
It would be good to find out if anything was missed in that remediation effort.

A change of K8s version is in progress [1]. As is the update for the
recently announced
golang.org/x/* vulnerabilities [2].

The YuniKorn 1.9.0 release is being cut soon from the master branch
which contains
all the remedations and further bug fixes.
Questions:
- is waiting for 1.9.0 an option?
- does the community want a 1.8.x release and who is going to step up as the
  release manager for that release?

Wilfred

[1] https://issues.apache.org/jira/browse/YUNIKORN-3211
[2] https://issues.apache.org/jira/browse/YUNIKORN-3283


On Fri, 29 May 2026 at 10:39, Anadi Azure <[email protected]> wrote:
>
> Hello YuniKorn Maintainers,
>
> I performed a container security assessment of the following upstream images:
>
> apache/yunikorn:web-1.8.0
>
> apache/yunikorn:scheduler-1.8.0
>
> During the assessment, I identified multiple vulnerabilities associated 
> primarily with:
>
> Go standard library components
>
> older Go toolchain/runtime versions
>
> outdated dependency patch levels (scheduler image)
>
> I performed local remediation and validation work to evaluate whether the 
> vulnerabilities could be addressed while preserving runtime compatibility and 
> deployment behavior.
>
> Summary of observations:
>
> Web image (apache/yunikorn:web-1.8.0)
>
> vulnerabilities were eliminated by rebuilding the existing upstream source 
> revision using a newer Go toolchain
>
> no application logic modifications were required
>
> runtime behavior and image structure remained compatible during validation
>
> Scheduler image (apache/yunikorn:scheduler-1.8.0)
>
> remediation involved Go toolchain modernization and dependency updates
>
> runtime compatibility and Kubernetes deployment validation were successful 
> during local testing
>
> vulnerability scans reported zero remaining findings after rebuild
>
> Validation included:
>
> Trivy rescanning
>
> Grype rescanning
>
> image structure comparison
>
> runtime startup validation
>
> Kubernetes deployment verification
>
> I prepared detailed technical comparison/remediation reports for both images 
> and would be happy to share them if useful.
>
> Before preparing any public Jira tickets or pull requests, I wanted to ask:
>
> whether the 1.8.x line is still accepting security-related maintenance work
>
> what remediation scope would be preferred by maintainers
>
> whether you would prefer public Jira discussion or coordinated review first
>
> I would be happy to contribute remediation PRs following project guidance.
>
> PS remediated images pushed to DockerHub and made available under below paths:
>
> https://hub.docker.com/layers/anadiazure/yunikorn-scheduler-rem/1.8.1/images/sha256-ff350ba78e5957efbeb66f93c2d65180646e8e55c7b453986eca562e77e61d16
>
> https://hub.docker.com/layers/anadiazure/yunikorn-web-rem/1.8.1/images/sha256-b52613d4f782001ee3cfc8302100ef0d5c1880df99e67f2b4c2565771e19e440
>
> Regards,
> Anadi Mayank Kasaundhan
>
> +91 8099066820

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to