prometheus-kafka-adapter
update golang and vendor packages
- change go version to 1.22.3 and use alpine:3.20
- ran make update-vendor
- resolves CVE-2023-39325, CVE-2023-45283, and CVE-2023-45288 high severity vulnerabilities - https://github.com/Telefonica/prometheus-kafka-adapter/issues/131
scan of current version
```
$ trivy image --severity HIGH,CRITICAL --scanners vuln telefonica/prometheus-kafka-adapter:1.9.1
2024-05-30T17:56:25-04:00 INFO Vulnerability scanning is enabled
2024-05-30T17:56:25-04:00 INFO Detected OS family="alpine" version="3.18.6"
2024-05-30T17:56:25-04:00 INFO [alpine] Detecting vulnerabilities... os_version="3.18" repository="3.18" pkg_num=15
2024-05-30T17:56:25-04:00 INFO Number of language-specific files num=1
2024-05-30T17:56:25-04:00 INFO [gobinary] Detecting vulnerabilities...

telefonica/prometheus-kafka-adapter:1.9.1 (alpine 3.18.6)
Total: 0 (HIGH: 0, CRITICAL: 0)

prometheus-kafka-adapter (gobinary)
Total: 4 (HIGH: 4, CRITICAL: 0)
```

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| golang.org/x/net | CVE-2023-39325 | HIGH | fixed | v0.12.0 | 0.17.0 | golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) https://avd.aquasec.com/nvd/cve-2023-39325 |
| stdlib | CVE-2023-39325 | HIGH | fixed | 1.20.6 | 1.20.10, 1.21.3 | golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) https://avd.aquasec.com/nvd/cve-2023-39325 |
| stdlib | CVE-2023-45283 | HIGH | fixed | 1.20.6 | 1.20.11, 1.21.4, 1.20.12, 1.21.5 | The filepath package does not recognize paths with a ??\ prefix as... https://avd.aquasec.com/nvd/cve-2023-45283 |
| stdlib | CVE-2023-45288 | HIGH | fixed | 1.20.6 | 1.21.9, 1.22.2 | golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS https://avd.aquasec.com/nvd/cve-2023-45288 |
scan of build image with updated deps
```
$ trivy image --scanners vuln telefonica/prometheus-kafka-adapter:latest
2024-05-30T18:06:09-04:00 INFO Vulnerability scanning is enabled
2024-05-30T18:06:09-04:00 INFO Detected OS family="alpine" version="3.20.0"
2024-05-30T18:06:09-04:00 WARN This OS version is not on the EOL list family="alpine" version="3.20"
2024-05-30T18:06:09-04:00 INFO [alpine] Detecting vulnerabilities... os_version="3.20" repository="3.20" pkg_num=14
2024-05-30T18:06:09-04:00 INFO Number of language-specific files num=1
2024-05-30T18:06:09-04:00 INFO [gobinary] Detecting vulnerabilities...

telefonica/prometheus-kafka-adapter:latest (alpine 3.20.0)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```
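The two scans above are compared by eye. An added example (not part of this pull request or the prometheus-kafka-adapter project) that does the same before/after check mechanically: run trivy with `--format json` on the old and new image and feed both reports to `compare_scans()`, which confirms the CVEs the PR claims to fix were present before and are gone after, flags any finding that is new in the rebuilt image (a regression from the new base image or toolchain), and applies the same HIGH/CRITICAL gate the page's first scan used. The two JSON documents embedded below are constructed stand-ins for those report files, trimmed to the fields the code reads and populated from the tables on this page.

```python
"""Compare two trivy JSON reports and verify a dependency-bump PR's CVE claims.

Added example, not code from the pull request or the project. Produce the
inputs with e.g. `trivy image --scanners vuln --format json -o before.json <image>`
and the same for the rebuilt image; the constants below are constructed stand-ins.
"""
import json

# Constructed sample of trivy's JSON output for the old image (assumption:
# mirrors the 1.9.1 table on the page; trimmed to the fields read here).
BEFORE_JSON = json.dumps({
    "Results": [
        {"Target": "telefonica/prometheus-kafka-adapter:1.9.1 (alpine 3.18.6)",
         "Class": "os-pkgs", "Type": "alpine", "Vulnerabilities": []},
        {"Target": "prometheus-kafka-adapter", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2023-39325", "PkgName": "golang.org/x/net",
              "InstalledVersion": "v0.12.0", "FixedVersion": "0.17.0", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2023-39325", "PkgName": "stdlib",
              "InstalledVersion": "1.20.6", "FixedVersion": "1.20.10, 1.21.3", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2023-45283", "PkgName": "stdlib",
              "InstalledVersion": "1.20.6", "FixedVersion": "1.20.11, 1.21.4, 1.20.12, 1.21.5",
              "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2023-45288", "PkgName": "stdlib",
              "InstalledVersion": "1.20.6", "FixedVersion": "1.21.9, 1.22.2", "Severity": "HIGH"},
         ]},
    ]
})

# Constructed sample for the rebuilt image: trivy omits the "Vulnerabilities"
# key entirely for a target with no findings, which the parser must tolerate.
AFTER_JSON = json.dumps({
    "Results": [
        {"Target": "telefonica/prometheus-kafka-adapter:latest (alpine 3.20.0)",
         "Class": "os-pkgs", "Type": "alpine", "Vulnerabilities": []},
        {"Target": "prometheus-kafka-adapter", "Class": "lang-pkgs", "Type": "gobinary"},
    ]
})

# The CVEs the PR description says the bump resolves.
CLAIMED_FIXED = {"CVE-2023-39325", "CVE-2023-45283", "CVE-2023-45288"}
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def findings(report_json):
    """Return {(target, cve_id, package): severity} for every finding in a report."""
    report = json.loads(report_json)
    out = {}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            key = (result["Target"], vuln["VulnerabilityID"], vuln["PkgName"])
            out[key] = vuln.get("Severity", "UNKNOWN")
    return out


def severity_totals(report_json):
    """Per-target counts in the shape of trivy's 'Total:' summary line."""
    totals = {}
    for (target, _, _), sev in findings(report_json).items():
        totals.setdefault(target, dict.fromkeys(SEVERITIES, 0))[sev] += 1
    return totals


def compare_scans(before_json, after_json, claimed_fixed, gate=("HIGH", "CRITICAL")):
    """Verify a dependency bump against its before/after scans.

    fixed:           claimed CVEs present before and absent after
    still_present:   claimed CVEs that survive the rebuild
    not_in_baseline: claimed CVEs the old scan never reported (stale claim or wrong image)
    new:             findings only in the new scan (regressions from the new base/toolchain)
    gate_passed:     no finding at a gated severity remains in the new image
    """
    before = findings(before_json)
    after = findings(after_json)
    before_ids = {cve for (_, cve, _) in before}
    after_ids = {cve for (_, cve, _) in after}
    return {
        "fixed": sorted(claimed_fixed & (before_ids - after_ids)),
        "still_present": sorted(claimed_fixed & after_ids),
        "not_in_baseline": sorted(claimed_fixed - before_ids),
        "new": sorted(after.keys() - before.keys()),
        "gate_passed": not any(sev in gate for sev in after.values()),
    }


if __name__ == "__main__":
    print(json.dumps(compare_scans(BEFORE_JSON, AFTER_JSON, CLAIMED_FIXED), indent=2))
```

In CI the natural wiring is to fail the job when `still_present` or `new` is non-empty or `gate_passed` is false; `not_in_baseline` is worth surfacing too, since a claimed CVE the baseline never showed usually means the scan ran against the wrong tag.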