Telefonica / prometheus-kafka-adapter

Use Kafka as a remote storage database for Prometheus (remote write only)
Apache License 2.0
364 stars 135 forks

Numerous CVEs reported on prometheus-kafka-adapter #109

Closed nityavyas closed 1 year ago

nityavyas commented 1 year ago

Hello,

There are many CVEs that Twistlock scanner is reporting on image of prometheus-kafka-adapter. Here is the list.

https://nvd.nist.gov/vuln/detail/CVE-2022-37434
https://nvd.nist.gov/vuln/detail/CVE-2022-23806
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
https://nvd.nist.gov/vuln/detail/CVE-2022-0778
https://nvd.nist.gov/vuln/detail/CVE-2022-28391
https://nvd.nist.gov/vuln/detail/CVE-2022-0778
https://nvd.nist.gov/vuln/detail/CVE-2020-29652
https://nvd.nist.gov/vuln/detail/CVE-2022-32189
https://nvd.nist.gov/vuln/detail/CVE-2022-30631
https://nvd.nist.gov/vuln/detail/CVE-2022-28327
https://nvd.nist.gov/vuln/detail/CVE-2022-24675
https://nvd.nist.gov/vuln/detail/CVE-2022-30580
https://nvd.nist.gov/vuln/detail/CVE-2022-30633
https://nvd.nist.gov/vuln/detail/CVE-2022-23772
https://nvd.nist.gov/vuln/detail/CVE-2022-30635
https://nvd.nist.gov/vuln/detail/CVE-2022-30632
https://nvd.nist.gov/vuln/detail/CVE-2022-28131
https://nvd.nist.gov/vuln/detail/CVE-2022-2879
https://nvd.nist.gov/vuln/detail/CVE-2022-2880
https://nvd.nist.gov/vuln/detail/CVE-2022-30630
https://nvd.nist.gov/vuln/detail/CVE-2022-27664
https://nvd.nist.gov/vuln/detail/CVE-2022-41715
https://nvd.nist.gov/vuln/detail/CVE-2022-24921
https://nvd.nist.gov/vuln/detail/CVE-2022-23773
https://nvd.nist.gov/vuln/detail/CVE-2023-0215
https://nvd.nist.gov/vuln/detail/CVE-2022-4304
https://nvd.nist.gov/vuln/detail/CVE-2022-4450
https://nvd.nist.gov/vuln/detail/CVE-2023-0286
https://nvd.nist.gov/vuln/detail/CVE-2022-30629
https://nvd.nist.gov/vuln/detail/CVE-2022-2097
https://nvd.nist.gov/vuln/detail/CVE-2021-4160
https://nvd.nist.gov/vuln/detail/CVE-2022-1962
https://nvd.nist.gov/vuln/detail/CVE-2022-41717
https://pkg.go.dev/vuln/GO-2022-1095
https://nvd.nist.gov/vuln/detail/CVE-2022-32148
https://nvd.nist.gov/vuln/detail/CVE-2022-1705

Can I please ask for fixes for these in the latest version, and a timeline for the same? I would appreciate a quick response in this matter. Thank you!

palmerabollo commented 1 year ago

Hi @nityavyas, thanks for raising it. This is an open source project; do you feel like contributing? Some of them could be easily fixed by bumping the dependencies and the Go version.

johnseekins commented 1 year ago

#119 should address a lot of these.

palmerabollo commented 1 year ago

#119 has just been merged. I'll be publishing a new 1.9.0 release soon. I'm closing this issue. @nityavyas, it would be great if you could repeat the security scan against the new Docker image.
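The thread ends with a request to re-run the scanner against the rebuilt image. The program below is an added example, not part of prometheus-kafka-adapter, showing how a maintainer can confirm remediation mechanically: it extracts the CVE and Go vulnerability database identifiers from a free-form scanner report (such as the URL list pasted above), deduplicates them (the list above contains CVE-2022-0778 twice), and diffs a pre-upgrade scan against a post-upgrade scan to separate fixed, remaining and newly introduced findings. The `beforeReport` string reuses a few identifiers from the issue; the `afterReport` string, including the placeholder identifier CVE-0000-00000, is constructed for the example and does not describe any real scan result.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// idPattern matches NVD CVE identifiers and Go vulnerability database
// identifiers (GO-YYYY-NNNN) wherever they appear in a report, including at
// the end of URLs like https://nvd.nist.gov/vuln/detail/CVE-2022-0778.
var idPattern = regexp.MustCompile(`\b(CVE-\d{4}-\d{4,}|GO-\d{4}-\d{4,})\b`)

// beforeReport reuses a handful of identifiers from the issue report above
// (note the duplicated CVE-2022-0778, exactly as in the pasted list).
const beforeReport = "https://nvd.nist.gov/vuln/detail/CVE-2022-37434 " +
	"https://nvd.nist.gov/vuln/detail/CVE-2022-0778 " +
	"https://nvd.nist.gov/vuln/detail/CVE-2022-0778 " +
	"https://pkg.go.dev/vuln/GO-2022-1095 " +
	"https://nvd.nist.gov/vuln/detail/CVE-2022-41717"

// afterReport is a constructed post-upgrade scan: the Go-related findings are
// gone, the zlib finding remains, and one new finding appeared. CVE-0000-00000
// is a placeholder, not a real identifier.
const afterReport = "https://nvd.nist.gov/vuln/detail/CVE-2022-37434 " +
	"https://nvd.nist.gov/vuln/detail/CVE-0000-00000"

// ExtractIDs pulls every vulnerability identifier out of a scanner report,
// deduplicates them and returns them sorted so two scans compare reliably.
func ExtractIDs(report string) []string {
	seen := map[string]bool{}
	for _, m := range idPattern.FindAllString(report, -1) {
		seen[strings.ToUpper(m)] = true
	}
	ids := make([]string, 0, len(seen))
	for id := range seen {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

// Diff holds the result of comparing a pre-upgrade and a post-upgrade scan.
type Diff struct {
	Fixed     []string // present before, absent after
	Remaining []string // present in both scans
	New       []string // absent before, present after
}

// Compare classifies every identifier from the two scans; each slice in the
// result is sorted so the output is stable across runs.
func Compare(before, after []string) Diff {
	inBefore := toSet(before)
	inAfter := toSet(after)
	var d Diff
	for _, id := range before {
		if inAfter[id] {
			d.Remaining = append(d.Remaining, id)
		} else {
			d.Fixed = append(d.Fixed, id)
		}
	}
	for _, id := range after {
		if !inBefore[id] {
			d.New = append(d.New, id)
		}
	}
	sort.Strings(d.Fixed)
	sort.Strings(d.Remaining)
	sort.Strings(d.New)
	return d
}

func toSet(ids []string) map[string]bool {
	s := make(map[string]bool, len(ids))
	for _, id := range ids {
		s[id] = true
	}
	return s
}

func main() {
	d := Compare(ExtractIDs(beforeReport), ExtractIDs(afterReport))
	fmt.Println("fixed:    ", strings.Join(d.Fixed, ", "))
	fmt.Println("remaining:", strings.Join(d.Remaining, ", "))
	fmt.Println("new:      ", strings.Join(d.New, ", "))
}
```

Feeding the real pre- and post-release scanner output into `ExtractIDs` instead of the constructed strings turns this into a quick regression check: anything in `Remaining` after bumping the Go toolchain and dependencies is typically a base-image package (here the zlib CVE) rather than a Go module, and needs a base-image update rather than a `go.mod` change.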