grafana / alloy

OpenTelemetry Collector distribution with programmable pipelines
https://grafana.com/oss/alloy
Apache License 2.0

Alloy image needs updating to address several CVEs #1595

Open earimont-ib opened 3 months ago

earimont-ib commented 3 months ago

What's wrong?

Alloy image has several CVE vulnerabilities

Medium

CVE-2020-22916
CVE-2024-2236

Low

CVE-2016-2781
CVE-2022-3219
CVE-2023-7008
CVE-2023-29383
CVE-2024-4741
CVE-2024-2511
CVE-2024-4603

Steps to reproduce

Scan image using

System information

Linux 5.10.223-212.873.amzn2

Software version

Grafana Alloy v1.3.1 and above

Configuration

No response

Logs

```
grype grafana/alloy:v1.5.0
 ✔ Parsed image                                                                                               sha256:52f4e2de4272eb2fa3e9c1bfa61bdf913f0c1a59f9f32c9d56818fd812f4b79c
 ✔ Cataloged contents                                                                                                5b43cb4069675c3bf83bee8967403ce9de005a4f716eea3483e9af6197433ff1
   ├── ✔ Packages                        [870 packages]
   ├── ✔ File digests                    [2,909 files]
   ├── ✔ File metadata                   [2,909 locations]
   └── ✔ Executables                     [724 executables]
 ✔ Scanned for vulnerabilities     [18 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 9 medium, 7 low, 2 negligible
   └── by status:   1 fixed, 17 not-fixed, 0 ignored

NAME                          INSTALLED          FIXED-IN  TYPE       VULNERABILITY        SEVERITY
coreutils                     9.4-3ubuntu6                 deb        CVE-2016-2781        Low
github.com/golang-jwt/jwt/v4  v4.5.0             4.5.1     go-module  GHSA-29wx-vh33-7x7r  Low
gpgv                          2.4.4-2ubuntu17              deb        CVE-2022-3219        Low
libc-bin                      2.39-0ubuntu8.3              deb        CVE-2016-20013       Negligible
libc6                         2.39-0ubuntu8.3              deb        CVE-2016-20013       Negligible
libgcrypt20                   1.10.3-2build1               deb        CVE-2024-2236        Medium
libpam-modules                1.5.3-5ubuntu5.1             deb        CVE-2024-10963       Medium
libpam-modules                1.5.3-5ubuntu5.1             deb        CVE-2024-10041       Medium
libpam-modules-bin            1.5.3-5ubuntu5.1             deb        CVE-2024-10963       Medium
libpam-modules-bin            1.5.3-5ubuntu5.1             deb        CVE-2024-10041       Medium
libpam-runtime                1.5.3-5ubuntu5.1             deb        CVE-2024-10963       Medium
libpam-runtime                1.5.3-5ubuntu5.1             deb        CVE-2024-10041       Medium
libpam0g                      1.5.3-5ubuntu5.1             deb        CVE-2024-10963       Medium
libpam0g                      1.5.3-5ubuntu5.1             deb        CVE-2024-10041       Medium
libssl3t64                    3.0.13-0ubuntu3.4            deb        CVE-2024-9143        Low
libssl3t64                    3.0.13-0ubuntu3.4            deb        CVE-2024-41996       Low
openssl                       3.0.13-0ubuntu3.4            deb        CVE-2024-9143        Low
openssl                       3.0.13-0ubuntu3.4            deb        CVE-2024-41996       Low
```

github-actions[bot] commented 2 months ago

This issue has not had any activity in the past 30 days, so the needs-attention label has been added to it. If the opened issue is a bug, check to see if a newer release fixed your issue. If it is no longer relevant, please feel free to close this issue. The needs-attention label signals to maintainers that something has fallen through the cracks. No action is needed by you; your issue will be kept open and you do not have to respond to this comment. The label will be removed the next time this job runs if there is new activity. Thank you for your contributions!

earimont-ib commented 1 week ago

Any updates here? Unable to move into Production because of the CVEs. Thank you.

mattdurham commented 1 week ago

We only actively resolve high and critical. Some of these will resolve themselves as we update the underlying image.
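As an added example (not code from the Alloy project or from anyone in this thread): a small Python triage helper that parses the grype table posted in the issue and sorts findings by the policy the maintainer describes, separating anything at or above the high/critical bar from lower-severity findings that already have an upstream fix and those still waiting on a base-image update. The sample rows are a constructed subset of the scan output above; `parse_grype_table`, `triage` and `SEVERITY_RANK` are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample: a subset of the rows from the grype table in this issue.
SAMPLE = """\
NAME                          INSTALLED          FIXED-IN  TYPE       VULNERABILITY        SEVERITY
coreutils                     9.4-3ubuntu6                 deb        CVE-2016-2781        Low
github.com/golang-jwt/jwt/v4  v4.5.0             4.5.1     go-module  GHSA-29wx-vh33-7x7r  Low
libgcrypt20                   1.10.3-2build1               deb        CVE-2024-2236        Medium
libpam0g                      1.5.3-5ubuntu5.1             deb        CVE-2024-10963       Medium
openssl                       3.0.13-0ubuntu3.4            deb        CVE-2024-9143        Low
"""

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Negligible": 0}


def parse_grype_table(text):
    """Parse grype's aligned table into one dict per finding.
    Column offsets come from the header, and each token is assigned to the
    column its start offset falls in, so an empty FIXED-IN cell (no upstream
    fix yet) does not shift the fields that follow it.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    names = lines[0].split()
    starts = [lines[0].index(n) for n in names]
    rows = []
    for ln in lines[1:]:
        row = {n: "" for n in names}
        for tok in re.finditer(r"\S+", ln):
            col = max(i for i, s in enumerate(starts) if s <= tok.start())
            row[names[col]] = tok.group()
        rows.append(row)
    return rows


def triage(rows, threshold="High"):
    """Bucket findings per the maintainer's stated policy:
    blocking = at/above the severity the project actively resolves,
    fixable  = below it but an upstream fix exists (cheap to bump),
    waiting  = below it with no fix yet (arrives via base-image updates).
    """
    out = {"blocking": [], "fixable": [], "waiting": [], "by_severity": Counter()}
    for r in rows:
        out["by_severity"][r["SEVERITY"]] += 1
        if SEVERITY_RANK.get(r["SEVERITY"], -1) >= SEVERITY_RANK[threshold]:
            out["blocking"].append(r["VULNERABILITY"])
        elif r["FIXED-IN"]:
            out["fixable"].append((r["NAME"], r["INSTALLED"], r["FIXED-IN"], r["VULNERABILITY"]))
        else:
            out["waiting"].append(r["VULNERABILITY"])
    return out
```

On the full scan above this yields an empty blocking list, one fixable Go module (the jwt bump to 4.5.1) and everything else waiting on the distro packages, which is the split a reviewer needs before deciding whether the image really blocks a production rollout.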