Status: Closed (coheigea closed this issue 1 year ago)
When I scan the latest 0.8.0 version with Trivy, the base image is clear due to the Alpine upgrade, but there are still some CVEs coming from golang which could be fixed:
```
prom-aggregation-gateway (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌──────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────┐
│         Library          │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                         Title                         │
├──────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────┤
│ github.com/gin-gonic/gin │ CVE-2023-26125 │ MEDIUM   │ v1.8.2            │ 1.9.0         │ Improper Input Validation                             │
│                          │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-26125            │
│                          ├────────────────┤          │                   ├───────────────┼───────────────────────────────────────────────────────┤
│                          │ CVE-2023-29401 │          │                   │ 1.9.1         │ Gin Web Framework does not properly sanitize filename │
│                          │                │          │                   │               │ parameter of Context.FileAttachment function...       │
│                          │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-29401            │
├──────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────┤
│ golang.org/x/net         │ CVE-2022-41723 │ HIGH     │ v0.5.0            │ 0.7.0         │ avoid quadratic complexity in HPACK decoding          │
│                          │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-41723            │
└──────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────┘
```
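The table above is the human-readable Trivy output; a maintainer closing findings like these usually wants the same information in machine-readable form so that the dependency bumps can be derived and gated in CI. The script below is an added example, not code from the prom-aggregation-gateway project or from the issue author. It reads a Trivy JSON report (`trivy image --format json <image>`), keeps only Go findings that have an upstream fix, and computes, per module, the lowest version that closes every fixable finding, which for the findings above is gin 1.9.1 (the higher of the two fixed versions) and x/net 0.7.0. The embedded report is a constructed sample that mirrors the issue's table; field names are Trivy's JSON schema, and the version comparison is a deliberately simple numeric tuple compare rather than full semver.

```python
"""Derive the Go module bumps needed to clear a Trivy report (added example)."""
import json

# Constructed sample that mirrors the findings in the issue above.
# A real report comes from:  trivy image --format json <image>
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "prom-aggregation-gateway",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-26125", "PkgName": "github.com/gin-gonic/gin",
                 "InstalledVersion": "v1.8.2", "FixedVersion": "1.9.0", "Severity": "MEDIUM",
                 "Title": "Improper Input Validation"},
                {"VulnerabilityID": "CVE-2023-29401", "PkgName": "github.com/gin-gonic/gin",
                 "InstalledVersion": "v1.8.2", "FixedVersion": "1.9.1", "Severity": "MEDIUM",
                 "Title": "Gin Web Framework does not properly sanitize filename "
                          "parameter of Context.FileAttachment function..."},
                {"VulnerabilityID": "CVE-2022-41723", "PkgName": "golang.org/x/net",
                 "InstalledVersion": "v0.5.0", "FixedVersion": "0.7.0", "Severity": "HIGH",
                 "Title": "avoid quadratic complexity in HPACK decoding"},
            ],
        }
    ]
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(v):
    """Turn 'v1.9.1' or '1.9.1' into a comparable tuple of ints.

    Pre-release/build suffixes are dropped and non-numeric parts count as 0,
    so Go pseudo-versions such as v0.0.0-2023...-abcdef compare as (0, 0, 0).
    This is intentionally simpler than full semver.
    """
    core = v.strip().lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def required_bumps(report_json, min_severity="LOW", types=("gobinary", "gomod")):
    """Return {module: version} with the lowest version closing every fixable
    Go finding of at least min_severity.

    Findings without a FixedVersion are skipped: they need a different
    mitigation (or a wait for upstream) and a version bump will not help.
    Trivy may list several fixed versions separated by commas (one per release
    branch); the lowest one above the installed version is chosen.
    """
    report = json.loads(report_json)
    bumps = {}
    for result in report.get("Results", []):
        if result.get("Type") not in types:
            continue  # OS packages etc. are handled by the base-image upgrade
        for vuln in result.get("Vulnerabilities") or []:
            sev = SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0)
            if sev < SEVERITY_RANK[min_severity]:
                continue
            fixed = vuln.get("FixedVersion")
            if not fixed:
                continue
            installed = parse_version(vuln["InstalledVersion"])
            candidates = [c for c in fixed.split(",") if parse_version(c) > installed]
            if not candidates:
                continue
            target = min(candidates, key=parse_version).strip()
            pkg = vuln["PkgName"]
            # Keep the highest target across all findings for this module,
            # so one bump satisfies every CVE (1.9.1 covers both gin entries).
            if pkg not in bumps or parse_version(target) > parse_version(bumps[pkg]):
                bumps[pkg] = target
    return bumps


def go_get_commands(bumps):
    """Render the bumps as the `go get` lines a maintainer would run before `go mod tidy`."""
    return [f"go get {pkg}@v{ver.lstrip('v')}" for pkg, ver in sorted(bumps.items())]


if __name__ == "__main__":
    for cmd in go_get_commands(required_bumps(SAMPLE_REPORT)):
        print(cmd)
```

Running it against the sample prints `go get github.com/gin-gonic/gin@v1.9.1` and `go get golang.org/x/net@v0.7.0`; after applying those and rebuilding the image, a re-scan should show the `gobinary` target with zero findings. Raising `min_severity` to `"HIGH"` reduces the list to the x/net bump only, which is how a CI gate can be tuned to block on HIGH/CRITICAL while still reporting MEDIUM.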