Hi Anandi, Removed private@ from the response. Copied in dev@ as this is not something we need to do in private.
The remediation work has been taking place over the last weeks in the master branch. Please check the current master branch for all these remediations. It includes moving to later versions of Golang, node-js and angular and lots of dependency updates. It would be good to find out if anything was missed in that remediation effort. A change of K8s version is in progress [1]. As is the update for the recently announced golang.org/x/* vulnerabilities [2]. The YuniKorn 1.9.0 release is being cut soon from the master branch which contains all the remedations and further bug fixes. Questions: - is waiting for 1.9.0 an option? - does the community want a 1.8.x release and who is going to step up as the release manager for that release? Wilfred [1] https://issues.apache.org/jira/browse/YUNIKORN-3211 [2] https://issues.apache.org/jira/browse/YUNIKORN-3283 On Fri, 29 May 2026 at 10:39, Anadi Azure <[email protected]> wrote: > > Hello YuniKorn Maintainers, > > I performed a container security assessment of the following upstream images: > > apache/yunikorn:web-1.8.0 > > apache/yunikorn:scheduler-1.8.0 > > During the assessment, I identified multiple vulnerabilities associated > primarily with: > > Go standard library components > > older Go toolchain/runtime versions > > outdated dependency patch levels (scheduler image) > > I performed local remediation and validation work to evaluate whether the > vulnerabilities could be addressed while preserving runtime compatibility and > deployment behavior. > > Summary of observations: > > Web image (apache/yunikorn:web-1.8.0) > > vulnerabilities were eliminated by rebuilding the existing upstream source > revision using a newer Go toolchain > > no application logic modifications were required > > runtime behavior and image structure remained compatible during validation > > Scheduler image (apache/yunikorn:scheduler-1.8.0) > > remediation involved Go toolchain modernization and dependency updates > > runtime compatibility and Kubernetes deployment validation were successful > during local testing > > vulnerability scans reported zero remaining findings after rebuild > > Validation included: > > Trivy rescanning > > Grype rescanning > > image structure comparison > > runtime startup validation > > Kubernetes deployment verification > > I prepared detailed technical comparison/remediation reports for both images > and would be happy to share them if useful. > > Before preparing any public Jira tickets or pull requests, I wanted to ask: > > whether the 1.8.x line is still accepting security-related maintenance work > > what remediation scope would be preferred by maintainers > > whether you would prefer public Jira discussion or coordinated review first > > I would be happy to contribute remediation PRs following project guidance. > > PS remediated images pushed to DockerHub and made available under below paths: > > https://hub.docker.com/layers/anadiazure/yunikorn-scheduler-rem/1.8.1/images/sha256-ff350ba78e5957efbeb66f93c2d65180646e8e55c7b453986eca562e77e61d16 > > https://hub.docker.com/layers/anadiazure/yunikorn-web-rem/1.8.1/images/sha256-b52613d4f782001ee3cfc8302100ef0d5c1880df99e67f2b4c2565771e19e440 > > Regards, > Anadi Mayank Kasaundhan > > +91 8099066820 --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
