influxdata / influxdb

Scalable datastore for metrics, events, and real-time analytics
https://influxdata.com
Apache License 2.0

Reporting vulnerability in influxdb:1.8.10-alpine #25027

Closed anshulgangrade closed 4 weeks ago

anshulgangrade commented 1 month ago

Name and Version influxdb:1.8.10-alpine

What steps will reproduce the bug? Posting it here as I could not report the security vulnerability as an issue due to the policy.

We are running a trivy scan to find out vulnerabilities in the influxdb container. We see that alpine has low severity for 2 packages but there are many CVEs reported on golang libraries as below. Please suggest how to fix it?

trivy image --format template --template "@contrib/html.tpl" -o influxdb-alpine_report.html influxdb:1.8.10-alpine --ignore-unfixed


What is the expected behavior?

$ trivy image influxdb:1.8.10-alpine --ignore-unfixed

Attached is the pdf report. Expected behavior is to have 0 vulnerabilities. influxdb_1.8.10-alpine.pdf

Additional information how to remediate the CVEs reported

jdstrand commented 4 weeks ago

Thank you for your report.

We are running a trivy scan to find out vulnerabilities in the influxdb container. We see that alpine has low severity for 2 packages but there are many CVEs reported on golang libraries as below.

I have locally generated and looked at the trivy report and while it's true that it lists a number of issues, keep in mind:

All that said, there are a few open golang stdlib issues. While InfluxDB 1.8 OSS is still supported, it is in deep maintenance and currently receives updates for serious security issues and none of the open issues are serious within the context of the influxd binary. InfluxData closely follows security alerts across its product line (including InfluxDB 1.8 OSS) and if/when a serious issue comes up that affects 1.8, we'll release a new InfluxDB 1.8.11 OSS version built with an up to date golang compiler and/or release a new container build.
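The two posts above describe a scan of the image with `trivy image ... --ignore-unfixed` and then a triage that separates the Alpine package findings from the Go stdlib findings baked into the influxd binary, which can only be fixed by rebuilding with a newer compiler. The script below is an added example, not code from the issue or from the InfluxDB project: it reads a trivy JSON report, applies the same unfixed filter, counts findings per scanner type and severity, and lists the Go stdlib findings that need a toolchain rebuild rather than an OS package update. The report embedded in it is constructed, with placeholder CVE ids, and the field names assume trivy's `--format json` schema (`Results[].Class`, `Results[].Type`, `Vulnerabilities[].FixedVersion`).

```python
"""Triage a trivy JSON report: split findings by scanner class (Alpine
packages vs Go binary) and severity, and list the Go stdlib findings that
require a rebuilt binary. Added example; the sample report is constructed."""
import json
from collections import Counter

# Constructed sample in the shape of trivy's --format json output (assumption:
# Results/Vulnerabilities field names match trivy's schema). The CVE ids are
# placeholders, not findings from the real influxdb:1.8.10-alpine image.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "influxdb:1.8.10-alpine",
    "Results": [
        {"Target": "influxdb:1.8.10-alpine (alpine)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "libcrypto3",
              "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "LOW"},
             {"VulnerabilityID": "CVE-PLACEHOLDER-0002", "PkgName": "libssl3",
              "InstalledVersion": "1.0", "FixedVersion": "", "Severity": "LOW"},
         ]},
        {"Target": "usr/bin/influxd", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-0003", "PkgName": "stdlib",
              "InstalledVersion": "1.13.8", "FixedVersion": "1.19.1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-PLACEHOLDER-0004", "PkgName": "golang.org/x/net",
              "InstalledVersion": "0.0.0", "FixedVersion": "0.7.0", "Severity": "MEDIUM"},
             {"VulnerabilityID": "CVE-PLACEHOLDER-0005", "PkgName": "stdlib",
              "InstalledVersion": "1.13.8", "FixedVersion": "", "Severity": "MEDIUM"},
         ]},
    ],
})


def load_findings(report_json, ignore_unfixed=False):
    """Flatten Results[].Vulnerabilities[] into plain dicts. With
    ignore_unfixed=True, drop findings that have no FixedVersion, which is
    what trivy's --ignore-unfixed flag does."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            findings.append({
                "id": v["VulnerabilityID"],
                "target": result["Target"],
                "cls": result.get("Class", ""),
                "type": result.get("Type", ""),
                "pkg": v["PkgName"],
                "severity": v.get("Severity", "UNKNOWN"),
                "fixed": v.get("FixedVersion", ""),
            })
    return findings


def summarize(findings):
    """Count findings per (scanner type, severity), e.g. ('gobinary', 'HIGH')."""
    return Counter((f["type"], f["severity"]) for f in findings)


def remediation_path(finding):
    """OS package findings are fixed by updating the base image; findings in
    the Go binary need a rebuild with a newer toolchain or module version."""
    if finding["cls"] == "os-pkgs":
        return "update base image / OS package"
    if finding["type"] == "gobinary":
        return "rebuild binary with newer Go toolchain or module"
    return "manual review"


def go_stdlib_review_list(findings):
    """Sorted ids of Go stdlib findings: these cannot be patched at the OS
    layer and must be assessed against how the binary uses the package."""
    return sorted(f["id"] for f in findings
                  if f["type"] == "gobinary" and f["pkg"] == "stdlib")


if __name__ == "__main__":
    fs = load_findings(SAMPLE_REPORT, ignore_unfixed=True)
    for (scanner, severity), n in sorted(summarize(fs).items()):
        print(f"{scanner:10s} {severity:8s} {n}")
    for f in fs:
        print(f"{f['id']}: {remediation_path(f)}")
    print("Go stdlib findings to review:", go_stdlib_review_list(fs))
```

To use it on a real report, run `trivy image --format json -o report.json influxdb:1.8.10-alpine` and pass the file contents to `load_findings`; the `ignore_unfixed` switch lets you compare the full list against the filtered one the original command produced.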

anshulgangrade commented 3 weeks ago

@jdstrand Thanks for the comments. However, our cybersecurity assessment on vulnerability scans fails and we cannot deploy this in our cluster. Can we have a new release for influxdb with the updated libraries?
Appreciate your help with this :)