yukimochi / Activity-Relay

Yet another powerful customizable ActivityPub relay server written in Go.
https://relay.toot.yukimochi.jp/
GNU Affero General Public License v3.0
278 stars 39 forks

Update some dependencies #69

Closed mhamzahkhan closed 1 year ago

mhamzahkhan commented 1 year ago

I was just auditing the docker images running on my K8S cluster using Trivy and noticed that the activity-relay image has some easily fixable issues that are flagged.

I'm not sure if these issues actually affect Activity-Relay, but I figured it would be worth making a PR anyway.

yukimochi/activity-relay:v1.2.4 (alpine 3.17.0)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| libcrypto3 | CVE-2022-3996 | HIGH | 3.0.7-r0 | 3.0.7-r2 | openssl: double locking leads to denial of service (https://avd.aquasec.com/nvd/cve-2022-3996) |
| libssl3 | CVE-2022-3996 | HIGH | 3.0.7-r0 | 3.0.7-r2 | openssl: double locking leads to denial of service (https://avd.aquasec.com/nvd/cve-2022-3996) |

usr/bin/relay (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| golang.org/x/text | CVE-2022-32149 | HIGH | v0.3.7 | 0.3.8 | golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags (https://avd.aquasec.com/nvd/cve-2022-32149) |
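One way to turn a Trivy report like the one above into a CI gate that only blocks on findings a dependency bump can actually resolve. This is an added example, not code from the PR or from the Activity-Relay project; the report JSON is constructed to mirror the two findings reported here, and the field names follow the shape of `trivy image --format json` output as I know it.

```python
import json

# Constructed sample in the shape of `trivy image --format json` output,
# mirroring the findings from the v1.2.4 scan (not real scanner output).
SAMPLE_TRIVY_JSON = """
{
  "ArtifactName": "yukimochi/activity-relay:v1.2.4",
  "Results": [
    {"Target": "yukimochi/activity-relay:v1.2.4 (alpine 3.17.0)", "Class": "os-pkgs", "Type": "alpine",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-2022-3996", "PkgName": "libcrypto3", "InstalledVersion": "3.0.7-r0",
        "FixedVersion": "3.0.7-r2", "Severity": "HIGH"},
       {"VulnerabilityID": "CVE-2022-3996", "PkgName": "libssl3", "InstalledVersion": "3.0.7-r0",
        "FixedVersion": "3.0.7-r2", "Severity": "HIGH"}]},
    {"Target": "usr/bin/relay", "Class": "lang-pkgs", "Type": "gobinary",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-2022-32149", "PkgName": "golang.org/x/text", "InstalledVersion": "v0.3.7",
        "FixedVersion": "0.3.8", "Severity": "HIGH"}]}
  ]
}
"""

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def load_report(text: str) -> dict:
    """Parse a Trivy JSON report from a string."""
    return json.loads(text)


def fixable_findings(report: dict, min_severity: str = "HIGH") -> list[dict]:
    """Findings at or above min_severity that carry a FixedVersion, i.e. the
    ones a package or module update resolves. Trivy emits null for a target's
    Vulnerabilities when it has none, hence the `or []`."""
    threshold = SEVERITY_RANK[min_severity]
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if not v.get("FixedVersion"):
                continue  # no upstream fix yet: a bump alone cannot clear it
            out.append({"target": result["Target"], "id": v["VulnerabilityID"], "pkg": v["PkgName"],
                        "installed": v["InstalledVersion"], "fixed": v["FixedVersion"],
                        "severity": v["Severity"]})
    return out


def should_block(report: dict, min_severity: str = "HIGH") -> bool:
    """CI gate: fail the build while any fixable finding at or above the threshold remains."""
    return bool(fixable_findings(report, min_severity))


if __name__ == "__main__":
    report = load_report(SAMPLE_TRIVY_JSON)
    for f in fixable_findings(report):
        print(f"{f['severity']:8} {f['id']:15} {f['pkg']} {f['installed']} -> {f['fixed']}  [{f['target']}]")
    raise SystemExit(1 if should_block(report) else 0)
```

Pipe a real scan in with `trivy image --format json <image>` and replace the constructed sample; a clean image such as the v1.2.5 result later in this thread yields an empty list and exit status 0.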

yukimochi commented 1 year ago

Thank you for creating the PR!

I checked for library updates. spf13/viper contains updates for golang.org/x/text.

Some library versions are coordinated by me.

yukimochi commented 1 year ago

v1.2.5 released 🎉

PS C:\Users\YUKIMOCHI\Downloads\trivy> .\trivy.exe image yukimochi/activity-relay:v1.2.5
2023-01-12T22:08:59.414+0900    INFO    Vulnerability scanning is enabled
2023-01-12T22:08:59.414+0900    INFO    Secret scanning is enabled
2023-01-12T22:08:59.414+0900    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-01-12T22:08:59.414+0900    INFO    Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
2023-01-12T22:09:07.085+0900    INFO    Detected OS: alpine
2023-01-12T22:09:07.085+0900    INFO    Detecting Alpine vulnerabilities...
2023-01-12T22:09:07.086+0900    INFO    Number of language-specific files: 1
2023-01-12T22:09:07.086+0900    INFO    Detecting gobinary vulnerabilities...

yukimochi/activity-relay:v1.2.5 (alpine 3.17.1)
===============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)