
CVE Detected in cortextool 0.10.7

Open nniehoff opened this issue 2 years ago • 0 comments

We build a container with cortextool 0.10.7 installed and upload it to AWS ECR. AWS Inspector then scans these containers for known vulnerabilities and it has flagged the binary with an older loki library CVE-2021-36156 being used. While I understand cortextool isn't running as a daemon and therefore this really isn't a vulnerability, I'd like to get our security team off my back for a 2-year-old vulnerability. As soon as mimirtool has the capability to sync loki rules we will be switching to it to stay up to date, but this functionality isn't available currently.

If you would like to reproduce the container for a scan:

```dockerfile
# Install cortextool (needed for loki rules)
ARG CORTEX_TOOL_VERSION="0.10.7"  # renovate: github-tags grafana/cortex-tools
RUN curl -LO https://github.com/grafana/cortex-tools/releases/download/v${CORTEX_TOOL_VERSION}/cortextool_${CORTEX_TOOL_VERSION}_linux_x86_64 && \
    install -o root -g root -m 0755 cortextool_${CORTEX_TOOL_VERSION}_linux_x86_64 /usr/bin/cortextool && \
    rm -f cortextool_${CORTEX_TOOL_VERSION}_linux_x86_64
```

It looks like docker scan doesn't catch this but AWS Inspector does.

nniehoff, Feb 10 '23 15:02
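One way to confirm a scanner finding like this before chasing it is to read the module list that the Go toolchain embeds in a static binary such as cortextool (`go version -m <binary>`) and compare the flagged dependency against the fixed version. The example below is added here and is not code from the issue or from the cortex-tools project; it assumes the Go toolchain is on PATH for the live check, uses the real module path `github.com/grafana/loki`, and treats the fixed version as a placeholder you take from the advisory. The sample output it parses is constructed.

```python
"""Flag a Go module embedded in a binary that is older than a given version.

Parses `go version -m <binary>` output (lines: path / mod / dep / =>) and
compares semantic versions, including Go pseudo-versions, which rank below
their base release.  The sample output below is constructed, not real."""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Constructed sample of `go version -m cortextool`; versions/hashes are made up.
SAMPLE_GO_VERSION_M = """\
cortextool: go1.19.5
\tpath\tgithub.com/grafana/cortex-tools/cmd/cortextool
\tmod\tgithub.com/grafana/cortex-tools\t(devel)
\tdep\tgithub.com/grafana/loki\tv1.6.2-0.20210101000000-000000000000\th1:PLACEHOLDER=
\tdep\tgithub.com/prometheus/prometheus\tv0.42.0\th1:PLACEHOLDER=
"""

# vMAJOR.MINOR.PATCH with optional pre-release (pseudo-versions use this) and build tag
_SEMVER = re.compile(r"^v(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")


def parse_go_modules(text: str) -> Dict[str, str]:
    """Return {module_path: version} for every `mod` and `dep` line."""
    mods: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.strip().split("\t")
        if len(fields) >= 3 and fields[0] in ("mod", "dep"):
            mods[fields[1]] = fields[2]
    return mods


def version_key(v: str) -> Tuple[int, int, int, int]:
    """Sortable key; a pre-release or pseudo-version ranks below its base release."""
    m = _SEMVER.match(v)
    if not m:
        raise ValueError(f"not a semantic version: {v}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)


def find_outdated(text: str, module: str, fixed_version: str) -> Optional[str]:
    """Return the embedded version of `module` if it is older than `fixed_version`."""
    found = parse_go_modules(text).get(module)
    if found is None or found == "(devel)":
        return None
    return found if version_key(found) < version_key(fixed_version) else None


def find_outdated_in_binary(path: str, module: str, fixed_version: str) -> Optional[str]:
    """Live check: run `go version -m` on a binary (needs the go toolchain on PATH)."""
    out = subprocess.run(["go", "version", "-m", path], check=True,
                         capture_output=True, text=True).stdout
    return find_outdated(out, module, fixed_version)
```

Run `find_outdated_in_binary("/usr/bin/cortextool", "github.com/grafana/loki", "<fixed version from the advisory>")` inside the built image to see exactly which loki version the scanner is reacting to.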