litmuschaos / chaos-operator

chaos engineering via kubernetes operator
Apache License 2.0
134 stars 93 forks

Vulnerabilities in Chaos-Operator Docker Image #462

Closed Nageshbansal closed 1 year ago

Nageshbansal commented 1 year ago

Is this a BUG REPORT or FEATURE REQUEST? (Choose one: BUG REPORT or FEATURE REQUEST)

It's a BUG REPORT for chaos-operator

What happened: I performed a Trivy scan on the chaos-operator Docker image and discovered multiple vulnerabilities in the golang.org/x/net library.

How to reproduce it (as minimally and precisely as possible): Perform a Trivy scan on the chaos-operator Docker image using the latest available version.

Anything else we need to know?:

| Library          | Vulnerability       | Severity | Installed Version                  | Fixed Version                       | Title |
|------------------|---------------------|----------|------------------------------------|-------------------------------------|-------|
| golang.org/x/net | CVE-2022-41721      | HIGH     | v0.0.0-20220906165146-f3363e06e74c | 0.1.1-0.20221104162952-702349b0e862 | x/net/http2/h2c: request smuggling (https://avd.aquasec.com/nvd/cve-2022-41721) |
| golang.org/x/net | CVE-2022-41723      | HIGH     | v0.0.0-20220906165146-f3363e06e74c | 0.7.0                               | avoid quadratic complexity in HPACK decoding (https://avd.aquasec.com/nvd/cve-2022-41723) |
| golang.org/x/net | CVE-2022-41717      | MEDIUM   | v0.0.0-20220906165146-f3363e06e74c | 0.4.0                               | excessive memory growth in a Go server accepting HTTP/2 requests (https://avd.aquasec.com/nvd/cve-2022-41717) |
| golang.org/x/net | GHSA-vvpx-j8f3-3w6h | UNKNOWN  | v0.0.0-20220906165146-f3363e06e74c | 0.7.0                               | Uncontrolled Resource Consumption (https://github.com/advisories/GHSA-vvpx-j8f3-3w6h) |
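The reproduction step above is a manual scan read by eye. As an added example (not code from this issue or from the chaos-operator project), the Go program below turns the same scan into a CI gate: it parses Trivy's JSON output (`trivy image -f json -o report.json <image>`), lists every finding that has a fixed version, fails the build when any such finding meets a severity threshold, and computes, per package, the single lowest version that closes all of its findings (for the four x/net entries in the table that is 0.7.0, because it is the highest of the per-finding fixed versions). The JSON field names are those of Trivy's schema v2 report; the embedded report is constructed from the table in this issue, not captured from the real image, and the version comparison is a simplified one written for this example rather than Go's full module semver ordering.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Subset of Trivy's JSON report (schema v2) that the gate needs.
type Report struct {
	ArtifactName string `json:"ArtifactName"`
	Results      []struct {
		Target          string `json:"Target"`
		Vulnerabilities []Vuln `json:"Vulnerabilities"`
	} `json:"Results"`
}

type Vuln struct {
	ID               string `json:"VulnerabilityID"`
	PkgName          string `json:"PkgName"`
	InstalledVersion string `json:"InstalledVersion"`
	FixedVersion     string `json:"FixedVersion"`
	Severity         string `json:"Severity"`
	Title            string `json:"Title"`
}

var severityRank = map[string]int{"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Verdict is what the gate hands back to CI.
type Verdict struct {
	Fail     bool              // a fixable finding at or above the threshold exists
	Findings []Vuln            // every finding that has a fixed version
	Upgrades map[string]string // package -> lowest version closing all of its fixable findings
}

// versionLess reports whether a < b using a simplified Go module version order
// (assumption for this example): leading "v" ignored, MAJOR.MINOR.PATCH compared
// numerically, and a pre-release suffix ("-...") sorts below the bare core version.
func versionLess(a, b string) bool {
	core := func(v string) ([3]int, bool) {
		v = strings.TrimPrefix(v, "v")
		base, pre := v, false
		if i := strings.IndexByte(v, '-'); i >= 0 {
			base, pre = v[:i], true
		}
		var n [3]int
		for i, p := range strings.SplitN(base, ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return n, pre
	}
	na, pa := core(a)
	nb, pb := core(b)
	for i := range na {
		if na[i] != nb[i] {
			return na[i] < nb[i]
		}
	}
	return pa && !pb
}

// Gate evaluates a raw Trivy JSON report against a minimum severity.
func Gate(raw []byte, threshold string) (Verdict, error) {
	var rep Report
	if err := json.Unmarshal(raw, &rep); err != nil {
		return Verdict{}, err
	}
	min, ok := severityRank[strings.ToUpper(threshold)]
	if !ok {
		return Verdict{}, fmt.Errorf("unknown severity threshold %q", threshold)
	}
	v := Verdict{Upgrades: map[string]string{}}
	for _, r := range rep.Results {
		for _, f := range r.Vulnerabilities {
			if f.FixedVersion == "" {
				continue // no upstream fix yet; nothing to upgrade to
			}
			// Trivy may list several fixed versions ("1.2.3, 1.3.0"); take the first.
			fixed := strings.TrimSpace(strings.Split(f.FixedVersion, ",")[0])
			v.Findings = append(v.Findings, f)
			if severityRank[strings.ToUpper(f.Severity)] >= min {
				v.Fail = true
			}
			// The lowest version fixing all findings is the largest per-finding FixedVersion.
			if cur, seen := v.Upgrades[f.PkgName]; !seen || versionLess(cur, fixed) {
				v.Upgrades[f.PkgName] = fixed
			}
		}
	}
	return v, nil
}

// sampleReport is constructed from the table in this issue; it is not scanner output.
const sampleReport = `{"SchemaVersion":2,"ArtifactName":"litmuschaos/chaos-operator:latest","ArtifactType":"container_image",
"Results":[{"Target":"/bin/chaos-operator","Class":"lang-pkgs","Type":"gobinary","Vulnerabilities":[
{"VulnerabilityID":"CVE-2022-41721","PkgName":"golang.org/x/net","InstalledVersion":"v0.0.0-20220906165146-f3363e06e74c","FixedVersion":"0.1.1-0.20221104162952-702349b0e862","Severity":"HIGH","Title":"x/net/http2/h2c: request smuggling"},
{"VulnerabilityID":"CVE-2022-41723","PkgName":"golang.org/x/net","InstalledVersion":"v0.0.0-20220906165146-f3363e06e74c","FixedVersion":"0.7.0","Severity":"HIGH","Title":"avoid quadratic complexity in HPACK decoding"},
{"VulnerabilityID":"CVE-2022-41717","PkgName":"golang.org/x/net","InstalledVersion":"v0.0.0-20220906165146-f3363e06e74c","FixedVersion":"0.4.0","Severity":"MEDIUM","Title":"excessive memory growth in a Go server accepting HTTP/2 requests"},
{"VulnerabilityID":"GHSA-vvpx-j8f3-3w6h","PkgName":"golang.org/x/net","InstalledVersion":"v0.0.0-20220906165146-f3363e06e74c","FixedVersion":"0.7.0","Severity":"UNKNOWN","Title":"Uncontrolled Resource Consumption"}]}]}`

func main() {
	raw := []byte(sampleReport)
	if len(os.Args) > 1 { // go run . report.json
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		raw = b
	}
	v, err := Gate(raw, "HIGH")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range v.Findings {
		fmt.Printf("%-8s %-20s %s %s -> %s\n", f.Severity, f.ID, f.PkgName, f.InstalledVersion, f.FixedVersion)
	}
	for pkg, ver := range v.Upgrades {
		fmt.Printf("go get %s@v%s\n", pkg, strings.TrimPrefix(ver, "v"))
	}
	if v.Fail {
		os.Exit(1)
	}
}
```

The gate deliberately ignores findings without a FixedVersion when deciding to fail: a build that cannot be made green by any action is noise, and those entries are better tracked separately. Note that the "fixed" versions Trivy reports are for the golang.org/x/net module, so after `go get golang.org/x/net@v0.7.0` the operator image must be rebuilt and rescanned before the finding is considered closed.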