When using Amazon Inspector, snyk finds 3 CVEs in images which contain the latest release of the Amazon Kinesis Agent dependencies. Be aware, VULN scanners are dumb and I have no evidence these vulnerabilities are currently exploitable given the way the agent uses those libraries. Furthermore, I have made no effort to confirm that one way or the other. Instead, I simply built a version of the agent which includes later versions of the dependencies which have addressed the known VULNs. One could argue the efficacy of that approach, but my primary intent is to increase the signal to noise ratio of my VULN scans by reducing noise.
Unfortunately, while there appear to be a set of unit/integration tests in the github repository, there are no instructions on how to run those tests. AFAICT they have not been updated for a couple years. So a series of questions:
- Are there instructions anywhere for how to run that test suite, and is there any confidence it still works?
- Is anyone else interested in helping me test this new build: https://github.com/britive/amazon-kinesis-agent or https://github.com/britive/amazon-kinesis-agent/raw/master/rpm/aws-kinesis-agent-2.0.6-1b.amzn2.noarch.rpm
Also see: https://github.com/awslabs/amazon-kinesis-agent/issues/242
Thanks
