How are CVE's being handled

[gsfd2000]

Hi, when I upgrade my flux2 controllers I get sometimes vulnerability notifications from different trackers, e.g. trivy. Current new CRITICAL vulnerability popping up on last 1.7.x controller versions is for example: https://test.osv.dev/vulnerability/ALPINE-CVE-2025-58050.
My first step is then to take a look at the repo of the affected controller (here kustomize controller) to check if a newer release is covering that required update (normally it requires a small update on the used image base OS). I normally don't find any relevant information in the releases.
Then I look in the security advisories /etc and do not find anything as well.
Do you have a systemic process how CVEs are addressed in flux2 for the controllers? What did I oversee? I would think that you see them as well (vulnerability scanner in your CI pipelines) and that you check if this is a real threat and that you potentially try to close the gap in a upcoming release or not (if you decide it is not a real threat). Is it possible to get any visibility about this process or is that not desired/being covered at all? I do understand that gap closure does not work as for commercial packages like chainguard etc, but some high level gap closure process should be in place. Pls share with me your perspective/expectations, maybe I am expecting too much for an open source repository. What is the natural process for a user to check if a CVE has been closed/addressed or not? Thx in advance for your patience and help

[matheuscscp]

CVEs are patched in CNCF Flux as part of the development lifecycle, i.e. every quarter of the year we release a new minor release (2.x). That's when we patch CVEs in Flux upstream. CVEs in the Flux code or that actually affect Flux are patched immediately.

If you need a faster cadence, I suggest you to purchase a subscription of ControlPlane Enterprise for Flux CD, which gives you a 24h SLA for CVE patching, 24/7 support from Flux Core Maintainers, TAA consultancy, etc. The best support for Flux in the world. This is how you can make Flux sustainable. Do not buy Chainguard, they just leech OSS projects without giving anything back. Other OSS projects are also trying to survive from CVE patching, at least for those you should buy the images from the maintainers to make OSS sustainable. You can buy Chainguard images for unmaintained projects.