Vulnerabilities reported by trivy

[martinelli-francesco]

Trivy reports many vulnerabilities (even HIGH) on the current stable image. I think most of them are related to the openssl version installed in the base image, so probably just updating the image will fix the problem:

Repository: oauth2-proxy/oauth2-proxy
Tag: v7.4.0
Critical: 0
High: 8
Medium: 3
Low: 0

vulnerabilityID	severity	resource	installedVersion	fixedVersion
CVE-2022-4450	HIGH	libcrypto1.1	1.1.1q-r0	1.1.1t-r0
CVE-2023-0215	HIGH	libcrypto1.1	1.1.1q-r0	1.1.1t-r0
CVE-2023-0286	HIGH	libcrypto1.1	1.1.1q-r0	1.1.1t-r0
CVE-2022-4304	MEDIUM	libcrypto1.1	1.1.1q-r0	1.1.1t-r0
CVE-2022-4450	HIGH	libssl1.1	1.1.1q-r0	1.1.1t-r0
CVE-2023-0215	HIGH	libssl1.1	1.1.1q-r0	1.1.1t-r0
CVE-2023-0286	HIGH	libssl1.1	1.1.1q-r0	1.1.1t-r0
CVE-2022-4304	MEDIUM	libssl1.1	1.1.1q-r0	1.1.1t-r0
CVE-2022-41721	HIGH	golang.org/x/net	v0.1.0	0.1.1-0.20221104162952-702349b0e862
CVE-2022-41723	HIGH	golang.org/x/net	v0.1.0	0.7.0
CVE-2022-41717	MEDIUM	golang.org/x/net	v0.1.0	0.4.0
GHSA-vvpx-j8f3-3w6h	UNKNOWN	golang.org/x/net	v0.1.0	0.7.0

Expected Behavior

At least the high vulnerabilities solved.

[tolleiv]

See also #2013 and #2051

[github-actions]

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

[marcindulak]

👀

[github-actions]

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.