IBM / ibm-z-oss-hub

Open source software hub for IBM Z
Apache License 2.0

Image Request: Grafana upgrade to 9.5.13 #132

Closed rvdheij closed 6 months ago

rvdheij commented 7 months ago

Software Name: Grafana

Software Version: 9.5.13 (to address CVE-2023-4822 with classification "high")

Software Value: Beautiful popular dashboards.

Requestors Role: Just verified that it builds with my Dockerfile (that I can share when necessary)

Please Note: I also dropped some packages like `curl` from the image because scanners were concerned about it. Also changed to not run as root as that's also considered bad practice.

JoshWisniewski00 commented 7 months ago

I have multiple customers who also rely on this dependency. Is there any update as to when this update will be made available?

JoshWisniewski00 commented 7 months ago

@jbostian, please see question above.

jbostian commented 7 months ago

We'll take a look and estimate an update for this. I don't currently have a timeframe for an upgrade, but we'll try to get something soon.

JoshWisniewski00 commented 6 months ago

Hi @jbostian Any update? Thanks, Josh

rvdheij commented 6 months ago

If you're not afraid to take gifts from strangers, you might like this one: `docker pull rvdheij/grafana:9.5.13`. Be aware that it runs the grafana process not as root anymore, so you may have to chown things in a persistent volume.

korpx-z commented 6 months ago

I just wanted to provide an update..

As of now, I have updated the unix libs/services in all currently hosted Grafana images on icr. Currently, the ICR vulnerability manager shows these images as having 0 security issues. With that said, I am aware that most (with few exceptions) versions of Grafana < 10.2.2 are deemed to be insecure when referencing the link attached to this issue.

I have been attempting to build version 10.2.2 but have found some minor issues when resolving dependencies needed for the javascript portion of the build process - which I am currently debugging. I am hopeful to upload a working 10.2.2 version of Grafana by the end of the week.

JoshWisniewski00 commented 6 months ago

Thank you for the update!

korpx-z commented 6 months ago

No problem! Grafana version 10.2.2 is now uploaded on icr: `icr.io/ibmz/grafana:10.2.2`. Please reference our official index for the appropriate pull string that includes the sha256 value.

Thank you to @rvdheij for the pointers - you were very helpful!

I'll close this for now, but if there are any issues with the image feel free to reopen or create a new one.

JoshWisniewski00 commented 6 months ago

Thank you!