
Fix container vulnerabilities listed on Docker Hub (v2.10.3) #9994

Closed
bluepuma77 opened this issue Jun 27, 2023 · 1 comment

Comments

@bluepuma77

  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you do?

When checking Docker Hub for Traefik, I see 10 detected vulnerabilities.

Probably just dependencies in the Dockerfile need to be upgraded, see details view.

What did you see instead?

n/a

What version of Traefik are you using?

v2.10.3

What is your environment & configuration?

n/a

If applicable, please paste the log output in DEBUG level

No response

@ldez
Member

ldez commented Jun 27, 2023

Hello,

we are not affected by those CVEs because they affect pieces of code that we don't use.
The Consul CVE is about the Consul server but we are only using the client API.
The Docker CVEs are about the daemon and the API server, we are only using the client API.
The AWS CVEs are about AWS S3 Crypto, we are only using the DNS API.

Also, the problem related to updating a dependency because of a false positive is the impact of transitive dependencies. For example, an update of Consul can produce an update of gRPC, but gRPC is known to break things between patch/minor versions.
Any update has side effects.

We are not the only ones that complain about false positives related to vulnerability scanning tools:

The core of the problem is that vulnerability scanning tools don't share the same knowledge.
The best solution is to have a shared, free, and open-source security database with a way to report false positives.
Without a global place to report false positives, no tool that only does dependency analysis can be guaranteed without false positives.

Please be sure that we analyze all the CVEs related to Traefik and guarantee their treatment in the shortest possible time when we are impacted by them.
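The comment above describes the gap a scanner cannot close on its own: a finding against a module is only a false positive if the maintainer states, per vulnerability and per product, that the vulnerable code is not on the execute path. The machine-readable form of that statement is VEX (Vulnerability Exploitability eXchange). The program below is an added example, not Traefik's code or tooling: it takes a constructed scan report (placeholder CVE numbers, module paths standing in for the Consul, Docker, AWS and gRPC dependencies the thread mentions) and a constructed list of OpenVEX-style statements, and keeps only the findings that no well-formed statement vouches for. A not_affected statement without one of the OpenVEX justifications is rejected rather than trusted, so a sloppy suppression does not silently hide a real finding.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Finding is one row of a container-scanner report: a vulnerability ID
// attached to the Go module the scanner matched it against.
type Finding struct {
	ID     string `json:"id"`
	Module string `json:"module"`
}

// VEXStatement carries the core fields of an OpenVEX statement. Products
// hold module paths here (a simplification) so they match Finding.Module.
type VEXStatement struct {
	Vulnerability string   `json:"vulnerability"`
	Products      []string `json:"products"`
	Status        string   `json:"status"`
	Justification string   `json:"justification,omitempty"`
}

// Status and justification vocabularies as defined by the OpenVEX spec.
var validStatus = map[string]bool{
	"not_affected": true, "affected": true, "fixed": true, "under_investigation": true,
}

var notAffectedJustifications = map[string]bool{
	"component_not_present":                             true,
	"vulnerable_code_not_present":                       true,
	"vulnerable_code_not_in_execute_path":               true,
	"vulnerable_code_cannot_be_controlled_by_adversary": true,
	"inline_mitigations_already_exist":                  true,
}

// Triage is the outcome of applying VEX statements to a scan report.
type Triage struct {
	Open       []Finding         // nobody vouched for these; still need a look
	Suppressed map[string]string // "vuln@module" -> status and justification
	Rejected   []string          // malformed statements, ignored rather than trusted
}

// validate returns a non-empty reason when a statement must not be trusted.
func validate(s VEXStatement) string {
	if !validStatus[s.Status] {
		return fmt.Sprintf("%s: unknown status %q", s.Vulnerability, s.Status)
	}
	if s.Status == "not_affected" && !notAffectedJustifications[s.Justification] {
		return fmt.Sprintf("%s: not_affected needs a recognised justification, got %q",
			s.Vulnerability, s.Justification)
	}
	if len(s.Products) == 0 {
		return fmt.Sprintf("%s: statement names no products", s.Vulnerability)
	}
	return ""
}

// ApplyVEX keeps every finding unless a well-formed statement marks that
// vulnerability not_affected or fixed for that exact product.
func ApplyVEX(findings []Finding, statements []VEXStatement) Triage {
	t := Triage{Suppressed: map[string]string{}}
	closed := map[string]string{}
	for _, s := range statements {
		if why := validate(s); why != "" {
			t.Rejected = append(t.Rejected, why)
			continue
		}
		if s.Status != "not_affected" && s.Status != "fixed" {
			continue // affected / under_investigation never suppress anything
		}
		reason := s.Status
		if s.Justification != "" {
			reason += " (" + s.Justification + ")"
		}
		for _, p := range s.Products {
			closed[s.Vulnerability+"@"+p] = reason
		}
	}
	for _, f := range findings {
		key := f.ID + "@" + f.Module
		if why, ok := closed[key]; ok {
			t.Suppressed[key] = why
		} else {
			t.Open = append(t.Open, f)
		}
	}
	sort.Slice(t.Open, func(i, j int) bool { return t.Open[i].ID < t.Open[j].ID })
	return t
}

// Constructed sample inputs: the CVE numbers are placeholders, not real IDs.
// The last VEX statement deliberately lacks a justification.
const sampleReport = `[
  {"id": "CVE-0000-0001", "module": "github.com/hashicorp/consul"},
  {"id": "CVE-0000-0002", "module": "github.com/docker/docker"},
  {"id": "CVE-0000-0003", "module": "github.com/aws/aws-sdk-go"},
  {"id": "CVE-0000-0004", "module": "google.golang.org/grpc"}
]`

const sampleVEX = `[
  {"vulnerability": "CVE-0000-0001", "products": ["github.com/hashicorp/consul"],
   "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
  {"vulnerability": "CVE-0000-0002", "products": ["github.com/docker/docker"],
   "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
  {"vulnerability": "CVE-0000-0003", "products": ["github.com/aws/aws-sdk-go"],
   "status": "not_affected", "justification": "component_not_present"},
  {"vulnerability": "CVE-0000-0004", "products": ["google.golang.org/grpc"],
   "status": "not_affected"}
]`

// TriageSample parses the constructed inputs and applies the statements.
func TriageSample() (Triage, error) {
	var findings []Finding
	var statements []VEXStatement
	if err := json.Unmarshal([]byte(sampleReport), &findings); err != nil {
		return Triage{}, err
	}
	if err := json.Unmarshal([]byte(sampleVEX), &statements); err != nil {
		return Triage{}, err
	}
	return ApplyVEX(findings, statements), nil
}

func main() {
	t, err := TriageSample()
	if err != nil {
		panic(err)
	}
	for _, f := range t.Open {
		fmt.Printf("OPEN       %s in %s\n", f.ID, f.Module)
	}
	for k, why := range t.Suppressed {
		fmt.Printf("SUPPRESSED %s: %s\n", k, why)
	}
	for _, r := range t.Rejected {
		fmt.Printf("REJECTED   %s\n", r)
	}
}
```

Run as-is, the three findings covered by complete statements are suppressed with their justification recorded, the gRPC finding stays open because its statement was rejected, and the rejection reason is printed so the missing justification gets fixed rather than lost. Matching is on the exact vulnerability and product pair, which is what keeps a statement about one dependency from hiding the same CVE surfacing through a different transitive path.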

@ldez ldez closed this as completed Jun 27, 2023
@ldez ldez added the kind/question label and removed the status/0-needs-triage label Jun 27, 2023
@traefik traefik locked and limited conversation to collaborators Jul 28, 2023