danihodovic / celery-exporter

A Prometheus exporter for Celery metrics
MIT License
409 stars 90 forks

CVEs in 0.10.7 image #309

Closed ryanh-orca closed 2 months ago

ryanh-orca commented 3 months ago

Hi, the following CVEs exist in the 0.10.7 image. Can you please patch them?

| ID | Severity | Package | Installed | Fixed in |
|---|---|---|---|---|
| GHSA-4xcv-9jjx-gfj3 | MEDIUM | mem-1.1.0 | 1.1.0 | 4.0.0 |
| CVE-2024-3651 | MEDIUM | idna-3.6 | 3.6 | 3.7 |
| CVE-2024-28085 | MEDIUM | bsdutils, libblkid1, libblkid-dev, libmount1, libmount-dev, libsmartcols1, libuuid1, mount, util-linux, util-linux-extra, uuid-dev | 2.38.1-5+b1 | 2.38.1-5+deb12u1 |
| CVE-2024-21503 | MEDIUM | black-23.12.0 | 23.12.0 | 24.3.0 |
| GHSA-g95f-p29q-9xw4 | LOW | braces-1.8.5 | 1.8.5 | 2.3.1 |

danihodovic commented 3 months ago

Could you upgrade the dependencies with poetry and submit a pull-request?

ryanh-orca commented 3 months ago

Hi, can I have permission to do the PR?

```
[devenvx2] ~/s/celery-exporter ❯❯❯ git push --set-upstream origin patching-cves                ✘ 128 patching-cves
ERROR: Permission to danihodovic/celery-exporter.git denied to ryanh-orca.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights and the repository exists.
[devenvx2] ~/s/celery-exporter ❯❯❯
```

danihodovic commented 3 months ago

You will have to fork the repository and submit a PR.

https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request

ryanh-orca commented 3 months ago

https://github.com/danihodovic/celery-exporter/pull/311

I can't upgrade mem and braces packages for https://github.com/advisories/GHSA-4xcv-9jjx-gfj3 and https://github.com/advisories/GHSA-g95f-p29q-9xw4. Hitting "Because prometheus-exporter-celery depends on mem (^4.0.0) which doesn't match any versions, version solving failed."

Can you please help to patch these 2 packages?

danihodovic commented 2 months ago

Where are you getting the list of CVEs from?

I've merged your PR and made another batch of dependency updates in #312. I've released it as v0.10.8.

ryanh-orca commented 2 months ago

Hi, we are getting the list of the CVEs from our vulnerability scanners. For this v0.10.8 image, all CVEs are cleared except for GHSA-4xcv-9jjx-gfj3 and the affected package is: /app/package-lock.json

```
-rw-r--r-- 1 root root 178511 Jan 14 16:38 package-lock.json
-rw-r--r-- 1 root root 128 Jan 14 16:38 package.json
```

Can you please help to upgrade the mem package to version 4.0, or tell me how to do it?

danihodovic commented 2 months ago

The Dockerfile doesn't have any Nodejs process in it. It seems like it's copied from my local machine. I can remove it from the image, but I don't think there is any security problem present. I think it's there because I tried to run all-contributors to generate contributors avatars in the README.

ryanh-orca commented 2 months ago

Can you please remove them? We really appreciate it.

danihodovic commented 2 months ago

Is it to check the box for your vulnerability software or is this an actual vulnerability?

ryanh-orca commented 2 months ago

If this package is installed as it's shown in the package-lock.json, then it is an actual vulnerability.

danihodovic commented 2 months ago

The package is never installed. There is no Nodejs process in the image. https://github.com/danihodovic/celery-exporter/blob/master/Dockerfile

ryanh-orca commented 2 months ago

Thanks for the confirmation. We will mark it as FP in our scanner.

danihodovic commented 2 months ago

The package.json and package-lock.json will be removed from the Docker image in the next release, but I'm too lazy to make a release now when no code has been merged since the last release.
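The situation in this thread, a scanner reporting mem 1.1.0 from a `package-lock.json` that sits in an image with no Node runtime and no `node_modules`, can be triaged mechanically before a maintainer is asked for a fix. The script below is an added example, not code from celery-exporter or from either participant; it assumes an extracted image root filesystem as input and constructs its own sample lockfile mirroring the one discussed.

```python
"""Classify watch-listed packages found in package-lock.json files under an
extracted container rootfs as installed or manifest-only (added example)."""
import json
import tempfile
from pathlib import Path

# Packages the scanner flagged in the thread -> first fixed version.
WATCHLIST = {"mem": "4.0.0", "braces": "2.3.1"}
# Where a Node runtime would normally live inside the rootfs (assumed paths).
NODE_BINARIES = ("usr/bin/node", "usr/local/bin/node")


def locked_versions(lock_path):
    """Return {name: version} from a package-lock.json. Handles the
    lockfileVersion 2/3 'packages' map (keys like 'node_modules/mem') and
    the lockfileVersion 1 'dependencies' map."""
    data = json.loads(Path(lock_path).read_text())
    found = {}
    for key, meta in data.get("packages", {}).items():
        if key.startswith("node_modules/"):
            found[key.rsplit("node_modules/", 1)[1]] = meta.get("version")
    for name, meta in data.get("dependencies", {}).items():
        found.setdefault(name, meta.get("version"))
    return found


def triage(rootfs):
    """For every lockfile under rootfs, report watch-listed packages as
    (lockfile, name, version, status). A lockfile with no node_modules tree
    beside it is a manifest only: nothing from it is on disk to execute."""
    root = Path(rootfs)
    node_present = any((root / p).exists() for p in NODE_BINARIES)
    results = []
    for lock in root.rglob("package-lock.json"):
        installed = (lock.parent / "node_modules").is_dir()
        for name, version in locked_versions(lock).items():
            if name not in WATCHLIST:
                continue
            if not installed:
                status = "manifest-only"
            elif not node_present:
                status = "installed, no node runtime"
            else:
                status = "installed"
            results.append((str(lock.relative_to(root)), name, version, status))
    return results


def demo():
    """Constructed rootfs mirroring the thread: /app/package-lock.json pinning
    mem 1.1.0 and braces 1.8.5, no node_modules and no node binary."""
    root = Path(tempfile.mkdtemp())
    (root / "app").mkdir()
    lock = {"lockfileVersion": 3, "packages": {
        "node_modules/mem": {"version": "1.1.0"},
        "node_modules/braces": {"version": "1.8.5"}}}
    (root / "app" / "package-lock.json").write_text(json.dumps(lock))
    return triage(root)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A "manifest-only" row is the case the maintainer describes and is what a scanner team would record as a false positive; an "installed" row is a finding that needs the dependency bumped.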