grafana / xk6-sql

k6 extension to load test RDBMSs (PostgreSQL, MySQL, MS SQL and SQLite3)
Apache License 2.0

High vulnerability from trivy scan in Docker image #42

Closed dotdak closed 1 year ago

dotdak commented 1 year ago

Hi team,

I was looking for a k6 image with SQL support and got here. I built a Docker image myself using your Dockerfile and tried scanning it for vulnerabilities using trivy. I got this:

usr/bin/k6 (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| golang.org/x/net | CVE-2022-41721 | HIGH | v0.0.0-20221002022538-bcab6841153b | 0.1.1-0.20221104162952-702349b0e862 | request smuggling https://avd.aquasec.com/nvd/cve-2022-41721 |
| golang.org/x/net | CVE-2022-41723 | HIGH | v0.0.0-20221002022538-bcab6841153b | 0.7.0 | avoid quadratic complexity in HPACK decoding https://avd.aquasec.com/nvd/cve-2022-41723 |
| golang.org/x/net | CVE-2022-41717 | MEDIUM | v0.0.0-20221002022538-bcab6841153b | 0.4.0 | excessive memory growth in a Go server accepting HTTP/2 requests https://avd.aquasec.com/nvd/cve-2022-41717 |

I proposed a temporary fix in PR-43.
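The check behind a report like the one above, as an added example that is not code from xk6-sql, k6 or the PR mentioned: trivy reads the module list that every Go binary embeds (the same data `go version -m /usr/bin/k6` prints), compares each module's version with the fixed version of each finding, and a finding applies only if the installed version sorts below the fix. The program below does that comparison for the three rows of the report and also computes the lowest single version that clears all of them, which the report leaves to the reader. The `go version -m` excerpt (binary path, `path` line, module hash) is constructed; the three findings and the installed x/net version are copied from the report.

```go
// Added example, not xk6-sql or k6 code: reproduce trivy's verdict for a Go
// binary from the module list it embeds (`go version -m /usr/bin/k6`) and
// compute the one version that clears every finding in the report.
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Finding mirrors one row of the trivy table; trivy omits the leading "v".
type Finding struct{ ID, Module, FixedIn string }

var findings = []Finding{
	{"CVE-2022-41721", "golang.org/x/net", "0.1.1-0.20221104162952-702349b0e862"},
	{"CVE-2022-41723", "golang.org/x/net", "0.7.0"},
	{"CVE-2022-41717", "golang.org/x/net", "0.4.0"},
}

// Constructed `go version -m` excerpt (path line and hash are placeholders);
// the x/net version is the one trivy reported as installed.
const goVersionM = "/usr/bin/k6: go1.19.4\n" +
	"\tpath\tk6\n" +
	"\tdep\tgolang.org/x/net\tv0.0.0-20221002022538-bcab6841153b\th1:placeholder=\n"

// parseModules returns module -> version from the "dep" and "mod" lines.
func parseModules(out string) map[string]string {
	mods := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		if f := strings.Split(strings.TrimSpace(sc.Text()), "\t"); len(f) >= 3 && (f[0] == "dep" || f[0] == "mod") {
			mods[f[1]] = f[2]
		}
	}
	return mods
}

// splitVersion turns "v0.1.1-0.2022...-abc" into [0 1 1] and the pre-release
// "0.2022...-abc"; Go pseudo-versions are semver pre-releases.
func splitVersion(v string) (core [3]int, pre string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		core[i], _ = strconv.Atoi(p) // a malformed part counts as 0
	}
	return core, pre
}

// compareVersions returns -1, 0 or 1. A release sorts after any pre-release of
// the same major.minor.patch, so v0.0.0-2022... < v0.0.0 < v0.1.1-0.2022... < v0.7.0.
// Pre-releases are compared lexically, which is exact for Go pseudo-versions
// (fixed-width UTC timestamps) but not for tags like rc.2 vs rc.10; use
// golang.org/x/mod/semver if those matter.
func compareVersions(a, b string) int {
	ca, pa := splitVersion(a)
	cb, pb := splitVersion(b)
	for i := 0; i < 3; i++ {
		if ca[i] != cb[i] {
			if ca[i] < cb[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case pa == pb:
		return 0
	case pa == "": // a is the release, b a pre-release of the same version
		return 1
	case pb == "":
		return -1
	}
	return strings.Compare(pa, pb)
}

// Check returns the findings whose module is present below its fixed version
// and, per module, the lowest version that clears all of them.
func Check(mods map[string]string, fs []Finding) ([]Finding, map[string]string) {
	var hits []Finding
	target := map[string]string{}
	for _, f := range fs {
		if v, ok := mods[f.Module]; !ok || compareVersions(v, f.FixedIn) >= 0 {
			continue // module absent, or already at or past the fix
		}
		hits = append(hits, f)
		if cur, seen := target[f.Module]; !seen || compareVersions(f.FixedIn, cur) > 0 {
			target[f.Module] = f.FixedIn
		}
	}
	return hits, target
}

func main() {
	hits, target := Check(parseModules(goVersionM), findings)
	fmt.Println(len(hits), "findings apply; upgrade targets:", target)
}
```

For a real binary, feed `go version -m /usr/bin/k6` from inside the built image to `parseModules` instead of the constructed excerpt. On the report's data all three findings apply, and the computed target is 0.7.0: the fixed versions are not cumulative on their own, so a bump of golang.org/x/net to v0.4.0 would silence CVE-2022-41721 and CVE-2022-41717 but leave CVE-2022-41723 in place. After changing the version in the module the Dockerfile builds from, rebuild with xk6 and rescan with trivy rather than trusting the go.mod edit alone, since the scanner reads what was actually linked into the binary.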

javaducky commented 1 year ago

@dotdak, thank you so very much for bringing this issue to our attention! 🙏