
Latest stable docker image (3.6.1) has CVE-2022-40674 #378

Closed
JacekLakis-TomTom opened this issue Oct 4, 2022 · 4 comments
Labels
security The issue is related to a security vulnerability

Comments

@JacekLakis-TomTom

Hello, thank you for your work!
There's no stable release of the docker image that is free from vulnerabilities.

What happened:
Latest stable image (3.6.1) has CVE-2022-40674 vulnerability. Latest master image (which is master-cea4f8c at the moment) doesn't have this issue anymore, but we would like to use images from official releases in our system.

What you expected to happen:
A new stable version without CVE exposure is released.

How to reproduce it (as minimally and precisely as possible):

$ docker pull grafana/grafana-image-renderer:3.6.1
$ trivy image docker.io/grafana/grafana-image-renderer:3.6.1

Thank you in advance; short information about when you plan to release a new stable version would be really helpful.
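A release gate that turns the reproduction above into a pass/fail check: it parses the JSON report from `trivy image --format json` and fails when CVE-2022-40674 (or anything HIGH/CRITICAL) is still present in the image. This is an added example, not code from this issue or from the grafana-image-renderer project; the embedded report is constructed in trivy's JSON layout to resemble the 3.6.1 finding, not a real scan.

```python
import json
import subprocess

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the layout of `trivy image --format json`; versions and
# targets are illustrative, not copied from a real report.
SAMPLE_REPORT = {
    "ArtifactName": "docker.io/grafana/grafana-image-renderer:3.6.1",
    "Metadata": {"OS": {"Family": "alpine", "Name": "3.16.2"}},
    "Results": [
        {"Target": "docker.io/grafana/grafana-image-renderer:3.6.1 (alpine 3.16.2)",
         "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-40674", "PkgName": "expat",
              "InstalledVersion": "2.4.8-r0", "FixedVersion": "2.4.9-r0",
              "Severity": "CRITICAL"}]},
        # language-specific targets may carry no "Vulnerabilities" key at all
        {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg"},
    ],
}


def findings(report, blocked_cves=(), min_severity="HIGH"):
    """Return (target, id, pkg, installed, fixed) for each vulnerability that is
    explicitly blocked or at/above min_severity. Missing keys are tolerated."""
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev = SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0)
            if v.get("VulnerabilityID") in blocked_cves or sev >= SEVERITY_RANK[min_severity]:
                out.append((result.get("Target"), v["VulnerabilityID"], v.get("PkgName"),
                            v.get("InstalledVersion"), v.get("FixedVersion") or "no fix yet"))
    return out


def image_is_clean(report, blocked_cves=("CVE-2022-40674",), min_severity="HIGH"):
    """True when the report has no blocked CVE and nothing at/above min_severity."""
    return not findings(report, blocked_cves, min_severity)


def scan_image(image):
    """Run trivy against an image tag and return its parsed JSON report."""
    proc = subprocess.run(["trivy", "image", "--quiet", "--format", "json", image],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    import sys
    report = scan_image(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    for f in findings(report):
        print("%s: %s in %s %s (fixed in %s)" % f)
    sys.exit(0 if image_is_clean(report) else 1)
```

Run it with an image tag as the only argument to scan a real image; without arguments it evaluates the constructed sample and exits non-zero, as a 3.6.1 scan would.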

@joanlopez joanlopez added the security The issue is related to a security vulnerability label Oct 10, 2022
@joanlopez
Collaborator

Hey @JacekLakis-TomTom,

Thanks for your request. We'll try to do a new release along this week.

@JacekLakis-TomTom
Author

@joanlopez Any update here?

@joanlopez
Collaborator

joanlopez commented Nov 23, 2022

Hi @JacekLakis-TomTom,

Sorry for the delay, we finally generated the new release v3.6.2, which I hope helps with your issue. It's also available through the Grafana plugin's site.

It looks safe:

> trivy image docker.io/grafana/grafana-image-renderer:3.6.2
2022-11-23T11:30:41.967+0100    INFO    Vulnerability scanning is enabled
2022-11-23T11:30:41.967+0100    INFO    Secret scanning is enabled
2022-11-23T11:30:41.967+0100    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-11-23T11:30:41.967+0100    INFO    Please see also https://aquasecurity.github.io/trivy/v0.34/docs/secret/scanning/#recommendation for faster secret detection
2022-11-23T11:33:51.255+0100    INFO    Detected OS: alpine
2022-11-23T11:33:51.257+0100    INFO    Detecting Alpine vulnerabilities...
2022-11-23T11:33:51.281+0100    INFO    Number of language-specific files: 1
2022-11-23T11:33:51.282+0100    INFO    Detecting node-pkg vulnerabilities...

docker.io/grafana/grafana-image-renderer:3.6.2 (alpine 3.16.3)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

So, do you think now we can close this issue?

Thanks!

@JacekLakis-TomTom
Author

Thank you @joanlopez !
