CVEs needing attention
DavidACastagna opened this issue · comments
I will forward this to hello@kroki.io as well. But:
The latest image (at the time of this issue) has the following vulnerabilities in the kroki JAR file:
com.google.guava:guava (Recommended fix is to upgrade from 30.1-jre to 32.0.0-android):
We're also seeing the following CVE/library in the image (Might be from the base image? I can't find Go anywhere in the image, though. Not sure why this is showing up.):
golang.org/x/crypto (Recommended fix is to upgrade from v0.16.0 to v0.17.0):
com.google.guava:guava (Recommended fix is to upgrade from 30.1-jre to 32.0.0-android):
GHSA-7g45-4rm6-3mm3
GHSA-5mg8-w23w-74h3
Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems
We are not using FileBackedOutputStream, and we are not creating a temporary directory, so we are not affected by this vulnerability.
golang.org/x/crypto (Recommended fix is to upgrade from v0.16.0 to v0.17.0):
Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel
We are not using the SSH protocol.
Thanks for the speedy response!
Incidentally, the full trivy image scan for kroki 0.24.1 shows all of the following needing attention:
kroki-0.24.1.trivy.json
Is there any plan to address any of these?
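The triage the maintainer applied above (guava findings dismissed because FileBackedOutputStream and temporary directories are not used, golang.org/x/crypto dismissed because SSH is not used) can be recorded and replayed against a Trivy JSON report so only unreviewed findings surface. This is an added example, not code from the kroki project; the report below is constructed, its field names assume Trivy's SchemaVersion 2 JSON layout, and the CVE-style ids are placeholders, not ids from the attached kroki-0.24.1.trivy.json.

```python
import json

# Constructed: a minimal Trivy-style report (SchemaVersion 2 field names assumed)
# carrying the two findings discussed in this issue plus one unreviewed extra.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "kroki:0.24.1",
    "Results": [
        {"Target": "kroki.jar", "Type": "jar", "Vulnerabilities": [
            {"VulnerabilityID": "GHSA-7g45-4rm6-3mm3", "PkgName": "com.google.guava:guava",
             "InstalledVersion": "30.1-jre", "FixedVersion": "32.0.0-android", "Severity": "MEDIUM"},
            {"VulnerabilityID": "GHSA-5mg8-w23w-74h3", "PkgName": "com.google.guava:guava",
             "InstalledVersion": "30.1-jre", "FixedVersion": "32.0.0-android", "Severity": "MEDIUM"}]},
        {"Target": "usr/local/bin/tool", "Type": "gobinary", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00001",  # placeholder id, not the real Terrapin CVE
             "PkgName": "golang.org/x/crypto", "InstalledVersion": "v0.16.0",
             "FixedVersion": "v0.17.0", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-0000-00002",  # placeholder id: an unreviewed finding
             "PkgName": "example.org/lib", "InstalledVersion": "1.0.0",
             "FixedVersion": "1.0.1", "Severity": "HIGH"}]}]})

# Assessments already made in this thread; key is (package, vulnerability id),
# and "*" matches every id reported for that package.
NOT_AFFECTED = {
    ("com.google.guava:guava", "GHSA-7g45-4rm6-3mm3"): "FileBackedOutputStream not used",
    ("com.google.guava:guava", "GHSA-5mg8-w23w-74h3"): "no temporary directory created",
    ("golang.org/x/crypto", "*"): "SSH protocol not used",
}

def triage(report_json, not_affected):
    """Split a Trivy JSON report into open findings and findings already
    justified as not affected. Returns (open, suppressed), both lists of dicts."""
    report = json.loads(report_json)
    open_findings, suppressed = [], []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key is absent for clean targets
            pkg, vid = vuln["PkgName"], vuln["VulnerabilityID"]
            reason = not_affected.get((pkg, vid)) or not_affected.get((pkg, "*"))
            entry = {"target": result["Target"], "pkg": pkg, "id": vid,
                     "installed": vuln.get("InstalledVersion"),
                     "fixed": vuln.get("FixedVersion"), "severity": vuln.get("Severity")}
            if reason:
                suppressed.append({**entry, "justification": reason})
            else:
                open_findings.append(entry)
    # Highest severity first so reviewers see what still needs attention.
    rank = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    open_findings.sort(key=lambda f: rank.get(f["severity"], 9))
    return open_findings, suppressed

if __name__ == "__main__":
    todo, done = triage(SAMPLE_REPORT, NOT_AFFECTED)
    for f in todo:
        print(f"OPEN {f['severity']} {f['pkg']} {f['id']} {f['installed']} -> {f['fixed']}")
    for f in done:
        print(f"NOT AFFECTED {f['pkg']} {f['id']}: {f['justification']}")
```

Justifications live beside the report rather than as a blanket ignore list, so a new id for the same package still shows up as open unless the package-wide rule was deliberately chosen.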