milvus-io / milvus

A cloud-native vector database, storage for next generation AI applications
https://milvus.io
Apache License 2.0

[Bug]: vulnerabilities with older image versions for golang libraries in milvus #34434

Open kdabbir opened 4 days ago

kdabbir commented 4 days ago

Is there an existing issue for this?

Environment

- Milvus version: 2.4.5
- Deployment mode(standalone or cluster): cluster
- MQ type(rocksmq, pulsar or kafka):  kafka hosted on AWS
- SDK version(e.g. pymilvus v2.0.0rc2): 2.4.5

Current Behavior

Hi team, our code scanners are detecting multiple vulnerabilities in the libraries below in the Milvus image; can we get these versions upgraded? I've linked the current version and fix version for reference in the image paths.

  1. golang:go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc, current version: v0.38.0, fix version: v0.46.0
  2. golang:google.golang.org/protobuf/internal/encoding/json, current version: v1.31.0, fix version: v1.33.0
  3. golang:github.com/nats-io/nkeys, current version: v0.4.4, fix version: v0.4.6
  4. golang:github.com/dvsekhvalnov/jose2go, current version: v1.5.0, fix version: v1.5.1-0.20231206184617-48ba0b76bc88
  5. golang:golang.org/x/net/http2, current version: v0.17.0, fix version: v0.23.0
  6. golang:google.golang.org/protobuf/encoding/protojson, current version: v1.31.0, fix version: v1.33.0
  7. golang:google.golang.org/grpc, current version: v1.54.0, fix version: v1.56.3

Thanks.

Expected Behavior

No response

Steps To Reproduce

No response

Milvus Log

No response

Anything else?

No response
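An added check, written here as example code and not taken from Milvus or the reporter: it reads the `require` lines of a go.mod and flags every module from the list above that is still below its fix version, using a simplified semver sort key so the jose2go pseudo-version compares correctly. It assumes the scanner's package paths map to the Go modules that contain them (for example `golang.org/x/net` for `http2`), and the go.mod excerpt is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)
// Minimum fixed version per Go module, from the issue (modules containing the reported packages).
var fixVersions = map[string]string{
	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc": "v0.46.0",
	"google.golang.org/protobuf":      "v1.33.0",
	"github.com/nats-io/nkeys":        "v0.4.6",
	"github.com/dvsekhvalnov/jose2go": "v1.5.1-0.20231206184617-48ba0b76bc88",
	"golang.org/x/net":                "v0.23.0",
	"google.golang.org/grpc":          "v1.56.3",
}
// Key maps "v1.5.1-0.2023...-48ba" to a string that sorts in (simplified) semver order.
func Key(v string) string {
	core, pre, isPre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	k := ""
	for _, p := range append(strings.Split(core, "."), "0", "0")[:3] {
		n, _ := strconv.Atoi(p)
		k += fmt.Sprintf("%08d.", n)
	}
	if isPre { // pre-releases compare as text and sort before the release ('-' < '~')
		return k + "-" + pre
	}
	return k + "~"
}
// Outdated returns module -> required version for every fixVersions module in go.mod still below its fix.
func Outdated(gomod string) map[string]string {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		// padding keeps f[0]/f[1] safe on blank, "require (" and ")" lines
		f := append(strings.Fields(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require ")), "", "")
		if fix, ok := fixVersions[f[0]]; ok && Key(f[1]) < Key(fix) {
			out[f[0]] = f[1]
		}
	}
	return out
}
// Constructed go.mod excerpt for demonstration, not Milvus's actual go.mod.
const sampleGoMod = `require (
	github.com/dvsekhvalnov/jose2go v1.5.0
	github.com/nats-io/nkeys v0.4.4 // indirect
	google.golang.org/grpc v1.56.3
	google.golang.org/protobuf v1.31.0
)`
```

Running `Outdated` over a real go.mod (or over `go list -m all` output, which uses the same "module version" layout) gives the list to raise in a dependency bump PR.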

yanliang567 commented 3 days ago

/assign @xiaofan-luan please help to have someone take a look /unassign

SimFG commented 3 days ago

It seems that these versions can be upgraded, but it may still need to be evaluated whether there are compatibility issues. Can you share the code scanner tool?

kdabbir commented 3 days ago

@SimFG attached the CVE vulnerability name screenshots against each of the above libraries. The code scanner is similar to a SonarQube scanner; we don't have public access to that tool, so I'm attaching the screenshots.

[Two screenshots attached, taken 2024-07-05 at 2:13:30 PM and 2:13:03 PM]