$ trivy image --severity HIGH,CRITICAL --scanners vuln telefonica/prometheus-kafka-adapter:1.9.1
2024-05-30T17:56:25-04:00 INFO Vulnerability scanning is enabled
2024-05-30T17:56:25-04:00 INFO Detected OS family="alpine" version="3.18.6"
2024-05-30T17:56:25-04:00 INFO [alpine] Detecting vulnerabilities... os_version="3.18" repository="3.18" pkg_num=15
2024-05-30T17:56:25-04:00 INFO Number of language-specific files num=1
2024-05-30T17:56:25-04:00 INFO [gobinary] Detecting vulnerabilities...
telefonica/prometheus-kafka-adapter:1.9.1 (alpine 3.18.6)
Total: 0 (HIGH: 0, CRITICAL: 0)
prometheus-kafka-adapter (gobinary)
Total: 4 (HIGH: 4, CRITICAL: 0)
┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-39325 │ HIGH │ fixed │ v0.12.0 │ 0.17.0 │ golang: net/http, x/net/http2: rapid stream resets can cause │
│ │ │ │ │ │ │ excessive work (CVE-2023-44487) │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-39325 │
├──────────────────┤ │ │ ├───────────────────┼──────────────────────────────────┤ │
│ stdlib │ │ │ │ 1.20.6 │ 1.20.10, 1.21.3 │ │
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-45283 │ │ │ │ 1.20.11, 1.21.4, 1.20.12, 1.21.5 │ The filepath package does not recognize paths with a \??\ │
│ │ │ │ │ │ │ prefix as... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45283 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-45288 │ │ │ │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │
│ │ │ │ │ │ │ CONTINUATION frames causes DoS │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45288 │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴──────────────────────────────────────────────────────────────┘
scan of build image with updated deps
$ trivy image --scanners vuln telefonica/prometheus-kafka-adapter:latest
2024-05-30T18:06:09-04:00 INFO Vulnerability scanning is enabled
2024-05-30T18:06:09-04:00 INFO Detected OS family="alpine" version="3.20.0"
2024-05-30T18:06:09-04:00 WARN This OS version is not on the EOL list family="alpine" version="3.20"
2024-05-30T18:06:09-04:00 INFO [alpine] Detecting vulnerabilities... os_version="3.20" repository="3.20" pkg_num=14
2024-05-30T18:06:09-04:00 INFO Number of language-specific files num=1
2024-05-30T18:06:09-04:00 INFO [gobinary] Detecting vulnerabilities...
telefonica/prometheus-kafka-adapter:latest (alpine 3.20.0)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
1.22.3 and use alpine:3.20
make update-vendor
CVE-2023-39325, CVE-2023-45283, and CVE-2023-45288 high severity vulnerabilities
scan of current version
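As an added example (not part of this PR or the project's code), the check below reads a trivy JSON report (the shape produced by `trivy image -f json`) and tells whether a planned set of dependency versions resolves every HIGH/CRITICAL finding, so the first scan above can be used to decide an upgrade target before rebuilding; the report embedded here is constructed from the gobinary table above and trimmed to the fields used, and the `targets` mapping is an assumption about how the planned versions are supplied.

```python
import json
import re

# Constructed sample in the shape of `trivy image -f json` output, mirroring the
# gobinary findings in the table above (fields trimmed to the ones used here).
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "prometheus-kafka-adapter", "Class": "lang-pkgs", "Type": "gobinary",
     "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-39325", "PkgName": "golang.org/x/net", "Severity": "HIGH",
         "InstalledVersion": "v0.12.0", "FixedVersion": "0.17.0"},
        {"VulnerabilityID": "CVE-2023-39325", "PkgName": "stdlib", "Severity": "HIGH",
         "InstalledVersion": "1.20.6", "FixedVersion": "1.20.10, 1.21.3"},
        {"VulnerabilityID": "CVE-2023-45283", "PkgName": "stdlib", "Severity": "HIGH",
         "InstalledVersion": "1.20.6", "FixedVersion": "1.20.11, 1.21.4, 1.20.12, 1.21.5"},
        {"VulnerabilityID": "CVE-2023-45288", "PkgName": "stdlib", "Severity": "HIGH",
         "InstalledVersion": "1.20.6", "FixedVersion": "1.21.9, 1.22.2"},
     ]}]})

def parse_version(s):
    """'v0.17.0' / '1.21.3' -> (0, 17, 0); missing components default to 0."""
    nums = [int(n) for n in re.findall(r"\d+", s.split("-")[0])][:3]
    return tuple(nums) + (0,) * (3 - len(nums))

def fixed_by(target, fixed_versions):
    """True if `target` carries every fix in trivy's comma-separated FixedVersion list.
    Go-style backports: a fix listed as 1.20.10 and 1.21.3 is present in 1.20.x >= 1.20.10,
    in 1.21.x >= 1.21.3, and in any newer minor branch (assumed release policy)."""
    fixes = [parse_version(v) for v in fixed_versions.split(",") if v.strip()]
    if not fixes:
        return False  # no fix published: cannot be satisfied by a version bump
    same_branch = [f for f in fixes if f[:2] == target[:2]]
    if same_branch:
        return target >= min(same_branch)
    return target[:2] > max(f[:2] for f in fixes)

def gate(report_json, targets, severities=("HIGH", "CRITICAL")):
    """Return (package, CVE) pairs of the given severities that the planned
    `targets` ({pkg: version}) do NOT resolve; an empty list means the plan is enough."""
    unresolved = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v["Severity"] not in severities:
                continue
            planned = targets.get(v["PkgName"])
            if planned is None or not fixed_by(parse_version(planned), v.get("FixedVersion", "")):
                unresolved.append((v["PkgName"], v["VulnerabilityID"]))
    return unresolved
```

With the versions this PR moves to (stdlib 1.22.3 and a current golang.org/x/net), `gate` returns an empty list, while a 1.21.3 toolchain would still leave CVE-2023-45283 and CVE-2023-45288 open.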