Which component are you using?:
cluster-autoscaler v1.32.0
/area cluster-autoscaler
What version of the component are you using?:
1.32.0
Component version:
1.32.0
What k8s version are you using (kubectl version)?:
v1.29.2
kubectl version Output
$ kubectl version
What environment is this in?:
prod
eks, aks, gke, oke
What did you expect to happen?:
nothing
We know that CVE-2024-45337, a vuln affecting SSH server behavior, is not relevant for cluster-autoscaler and has been present in the last few releases, but the golang.org/x/crypto version will trigger most vuln scanners, requiring security teams to document/explain/create exclusion lists in their tools.
The CVE is categorized as Critical by NVD, but NVD severity levels are from the perspective of a perfect situation with no context; vendor severities will often lower the severity to whatever is appropriate for the given OS/tool that is affected. Many vuln scanners used in CI systems are still tied to NVD severity when looking at CVEs, causing failures in builds when criticals are detected.
Anyway, is it possible to consider using an OpenVEX document, which can be ingested by some scanners to ignore certain vulns if they have been verified to be false positives, no impact, etc.? Some kubernetes-sigs repos seem to be using the templates already.
The other option is upgrading the crypto version, but I'm thinking longer term here.
What happened instead?:
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
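As an added illustration (not part of the issue and not the autoscaler project's own file), this is what an OpenVEX statement covering the situation described above could look like. The document @id, author, timestamp, the product purl and the justification/impact text are assumptions that restate the reporter's claim; maintainers would confirm the SSH server code path is unused before publishing such a statement.

```json
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.org/vex/cluster-autoscaler-CVE-2024-45337",
  "author": "PLACEHOLDER: cluster-autoscaler maintainers",
  "timestamp": "2025-01-01T00:00:00Z",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2024-45337"
      },
      "products": [
        {
          "@id": "pkg:golang/k8s.io/autoscaler/cluster-autoscaler@1.32.0",
          "subcomponents": [
            { "@id": "pkg:golang/golang.org/x/crypto" }
          ]
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path",
      "impact_statement": "CVE-2024-45337 concerns SSH server behavior in golang.org/x/crypto; cluster-autoscaler does not execute that code path."
    }
  ]
}
```

A scanner that ingests OpenVEX can then report the CVE as not affected for this product instead of failing the build, while the statement itself stays reviewable in the repository.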