hashicorp / vault-k8s

First-class support for Vault and Kubernetes.
Mozilla Public License 2.0

Pipeline Request: Rebuild Dockerhub Image #594

Closed jbreed closed 7 months ago

jbreed commented 8 months ago

The current Dockerhub official image hasn't been updated in 4 months. There are two go-related "High" vulnerabilities pertaining to this image that rebuilding will fix.

  1. Update go builder to use a version newer than 1.21.5. Currently, 1.21.3 is vulnerable to CVE-2023-45285. I am building from source and rebuilding the image with go version 1.21.7.
  2. The emicklei/go-restful module in the official image is using v3.9.0 and in the main branch this is already showing 3.11.0. Versions prior to 3.10.0 are vulnerable to authentication bypass. Simply rebuilding will result in this being corrected.

Ideally, when merges happen into main we could get a pipeline to re-publish the 1.3.1-tagged image on Dockerhub. If nothing else, rebuilding on a monthly release cycle for the docker images would likely cover most patching.
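
The two claims above (which Go toolchain the published binary was built with, and which go-restful module version it embeds) can be verified directly from the binary rather than from a scanner report, because Go embeds that build information in every module-built executable. The following is an added example written for this page, not code from the vault-k8s project: it reads the embedded build info with the standard library's `debug/buildinfo` package and compares the toolchain and module versions against assumed floors. The floors (Go 1.21.5, go-restful v3.10.0) and the module path `github.com/emicklei/go-restful/v3` are assumptions taken from the report above, not values confirmed by the maintainers; adjust them to the advisory you are checking against.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Finding records one component whose embedded version is below its floor
// (or could not be parsed at all, which is treated as a failure).
type Finding struct {
	Component string // "go" for the toolchain, otherwise a module path
	Have      string
	Want      string
}

// Minimum is one floor to enforce; a slice keeps output order deterministic.
type Minimum struct {
	Component string
	Version   string
}

// Assumed floors taken from the issue text: Go 1.21.5 for the toolchain and
// go-restful v3.10.0. These are assumptions for the example, not project policy.
var minimums = []Minimum{
	{"go", "v1.21.5"},
	{"github.com/emicklei/go-restful/v3", "v3.10.0"},
}

// parseVersion turns "go1.21.3", "v3.9.0" or "v1.2.3-rc1+incompatible" into
// [major, minor, patch]. Pre-release/build suffixes are dropped, so a
// pre-release counts as its base version; "(devel)" builds fail to parse.
func parseVersion(v string) ([3]int, error) {
	orig := v
	v = strings.TrimPrefix(v, "go")
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexFunc(v, func(r rune) bool {
		return r != '.' && (r < '0' || r > '9')
	}); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	parts := strings.Split(v, ".")
	if v == "" || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised version %q", orig)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unrecognised version %q", orig)
		}
		out[i] = n
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1 like strings.Compare, on parsed versions.
func compareVersions(a, b string) (int, error) {
	va, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	vb, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < 3; i++ {
		if va[i] != vb[i] {
			if va[i] < vb[i] {
				return -1, nil
			}
			return 1, nil
		}
	}
	return 0, nil
}

// AuditVersions checks a toolchain version and a path->version map of
// dependencies against the floors. Modules absent from the binary are skipped;
// present-but-unparseable versions are reported, failing closed.
func AuditVersions(goVersion string, deps map[string]string) []Finding {
	var findings []Finding
	for _, m := range minimums {
		have, ok := goVersion, true
		if m.Component != "go" {
			have, ok = deps[m.Component]
		}
		if !ok {
			continue
		}
		if c, err := compareVersions(have, m.Version); err != nil || c < 0 {
			findings = append(findings, Finding{m.Component, have, m.Version})
		}
	}
	return findings
}

// Audit flattens the embedded build info, honouring replace directives.
func Audit(bi *debug.BuildInfo) []Finding {
	deps := make(map[string]string, len(bi.Deps))
	for _, d := range bi.Deps {
		v := d.Version
		if d.Replace != nil {
			v = d.Replace.Version
		}
		deps[d.Path] = v
	}
	return AuditVersions(bi.GoVersion, deps)
}

// AuditFile reads the build info embedded in a Go executable on disk.
func AuditFile(path string) ([]Finding, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return Audit(bi), nil
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: auditbin <go-binary> [...]")
		os.Exit(2)
	}
	bad := false
	for _, p := range os.Args[1:] {
		findings, err := AuditFile(p)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", p, err)
			bad = true
			continue
		}
		for _, f := range findings {
			fmt.Printf("%s: %s %s is below %s\n", p, f.Component, f.Have, f.Want)
			bad = true
		}
	}
	if bad {
		os.Exit(1)
	}
}
```

To run it against a published image, extract the executable first (for example `docker create` followed by `docker cp` of the binary path inside the image) and pass the extracted file as the argument; `go version -m <binary>` prints the same embedded toolchain and module list if you only want to eyeball it. A non-zero exit means the image still carries a version below one of the floors, which is the check a rebuild pipeline would gate on.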

tvoran commented 7 months ago

Hi @jbreed, v1.4.0 is now out and should address your concerns. And as a reminder, please use security@hashicorp.com for bringing up security issues with the injector.

As for rebuilding in between releases, it's something we've discussed internally but nothing concrete yet.