oliver006 / redis_exporter

Prometheus Exporter for ValKey & Redis Metrics. Supports ValKey and Redis 2.x, 3.x, 4.x, 5.x, 6.x, and 7.x
https://github.com/oliver006/redis_exporter
MIT License

Address vulnerabilities in the latest image #808

Closed pmmenzel closed 1 year ago

pmmenzel commented 1 year ago

Rebuilding with the latest golang:1.20-alpine should utilize 1.20.5 instead of 1.20.2, which will address most of these Go-related vulnerabilities, particularly the critical ones.

> grype golang:1.20.2-alpine --add-cpes-if-none --by-cve                                                                                                                           ok  18s  06/12/23 11:41:41 AM
 ✔ Vulnerability DB        [no update available]
 ✔ Pulled image
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [39 packages]
 ✔ Scanning image...       [13 vulnerabilities]
   ├── 2 critical, 7 high, 4 medium, 0 low, 0 negligible
   └── 4 fixed

NAME        INSTALLED  FIXED-IN  TYPE    VULNERABILITY   SEVERITY
go          1.20.2               binary  CVE-2020-29509  Medium
go          1.20.2               binary  CVE-2020-29511  Medium
go          1.20.2               binary  CVE-2023-24534  High
go          1.20.2               binary  CVE-2023-24536  High
go          1.20.2               binary  CVE-2023-24537  High
go          1.20.2               binary  CVE-2023-24538  Critical
go          1.20.2               binary  CVE-2023-24539  High
go          1.20.2               binary  CVE-2023-24540  Critical
go          1.20.2               binary  CVE-2023-29400  High
libcrypto3  3.0.8-r3   3.0.8-r4  apk     CVE-2023-1255   Medium
libcrypto3  3.0.8-r3   3.0.9-r0  apk     CVE-2023-2650   High
libssl3     3.0.8-r3   3.0.8-r4  apk     CVE-2023-1255   Medium
libssl3     3.0.8-r3   3.0.9-r0  apk     CVE-2023-2650   High
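As an added example (not code from the redis_exporter project), a POSIX shell gate that reads a grype table report like the one above, counts findings by severity and checks the Go toolchain version grype found in the binary against a minimum. The sample report is constructed from rows quoted in this issue, and the 1.20.5 floor is the version named in the comment.

```shell
#!/bin/sh
# Added example, not redis_exporter code: gate a container build on a grype table report.
# GRYPE_REPORT is a constructed sample built from the rows quoted in this issue.
GRYPE_REPORT='NAME        INSTALLED  FIXED-IN  TYPE    VULNERABILITY   SEVERITY
go          1.20.2               binary  CVE-2023-24538  Critical
go          1.20.2               binary  CVE-2023-24540  Critical
go          1.20.2               binary  CVE-2023-29400  High
libcrypto3  3.0.8-r3   3.0.8-r4  apk     CVE-2023-1255   Medium
libssl3     3.0.8-r3   3.0.9-r0  apk     CVE-2023-2650   High'

# count_severity REPORT SEVERITY: number of findings at that severity (header skipped).
# The last field is used because FIXED-IN is blank for the go rows, which shifts field counts.
count_severity() {
  printf '%s\n' "$1" | awk -v sev="$2" 'NR > 1 && $NF == sev { n++ } END { print n + 0 }'
}

# go_version REPORT: Go toolchain version grype found in the binary, or empty if none.
go_version() {
  printf '%s\n' "$1" | awk 'NR > 1 && $1 == "go" { print $2; exit }'
}

# version_ge A B: succeeds when dotted version A >= B, compared numerically per component.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# gate REPORT MIN_GO: fails when any Critical finding exists or the Go toolchain is older
# than MIN_GO (the two points raised in the issue); High/Medium counts are only reported.
gate() {
  report=$1; min_go=$2; rc=0
  crit=$(count_severity "$report" Critical)
  if [ "$crit" -gt 0 ]; then echo "FAIL: $crit critical finding(s)" >&2; rc=1; fi
  gov=$(go_version "$report")
  if [ -n "$gov" ] && ! version_ge "$gov" "$min_go"; then
    echo "FAIL: go $gov is older than required $min_go" >&2; rc=1
  fi
  echo "high=$(count_severity "$report" High) medium=$(count_severity "$report" Medium)" >&2
  return $rc
}

if gate "$GRYPE_REPORT" 1.20.5; then echo "image passes"; else echo "rebuild image on a newer base"; fi
```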

oliver006 commented 1 year ago

Thanks for raising this issue. I cut a new release yesterday which should address your concerns.