Fix new 2.4.6 vulnerabilities

[ksylvan]

Fixes #811

Prior to the fix, doing a trivy scan of the official 2.4.6 image:

alias trivy='mkdir -p /tmp/trivy-cache; docker run --rm -it -v /tmp/trivy-cache:/root/.cache -v /var/run/docker.sock:/var/run/docker.sock -v $PWD:$PWD -w $PWD aquasec/trivy'

$ trivy image devopsfaith/krakend:2.4.6
2023-11-06T06:36:03.017Z        INFO    Vulnerability scanning is enabled
2023-11-06T06:36:03.017Z        INFO    Secret scanning is enabled
2023-11-06T06:36:03.017Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-06T06:36:03.017Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
2023-11-06T06:36:10.802Z        INFO    Detected OS: alpine
2023-11-06T06:36:10.802Z        INFO    Detecting Alpine vulnerabilities...
2023-11-06T06:36:10.804Z        INFO    Number of language-specific files: 1
2023-11-06T06:36:10.804Z        INFO    Detecting gobinary vulnerabilities...

devopsfaith/krakend:2.4.6 (alpine 3.18.4)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                     Title                     │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-5363 │ MEDIUM   │ fixed  │ 3.1.3-r0          │ 3.1.4-r0      │ Incorrect cipher key and IV length processing │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363     │
├────────────┤               │          │        │                   │               │                                               │
│ libssl3    │               │          │        │                   │               │                                               │
│            │               │          │        │                   │               │                                               │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────┘

usr/bin/krakend (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│        Library         │    Vulnerability    │ Severity │ Status │ Installed Version │     Fixed Version      │                            Title                             │
├────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc │ GHSA-m425-mq94-257g │ HIGH     │ fixed  │ v1.53.0           │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability                     │
│                        │                     │          │        │                   │                        │ https://github.com/advisories/GHSA-m425-mq94-257g            │
│                        ├─────────────────────┼──────────┤        │                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-44487      │ MEDIUM   │        │                   │ 1.58.3, 1.57.1, 1.56.3 │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│                        │                     │          │        │                   │                        │ attack (Rapid...                                             │
│                        │                     │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
└────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘

After the fix:

$ trivy image devopsfaith/krakend:2.4.7
2023-11-06T06:38:08.823Z        INFO    Vulnerability scanning is enabled
2023-11-06T06:38:08.823Z        INFO    Secret scanning is enabled
2023-11-06T06:38:08.823Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-06T06:38:08.823Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
2023-11-06T06:38:09.711Z        INFO    Detected OS: alpine
2023-11-06T06:38:09.711Z        INFO    Detecting Alpine vulnerabilities...
2023-11-06T06:38:09.712Z        INFO    Number of language-specific files: 1
2023-11-06T06:38:09.712Z        INFO    Detecting gobinary vulnerabilities...

devopsfaith/krakend:2.4.7 (alpine 3.18.4)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

[taik0]

Alpine deps are now automatically updated on new builds.

[github-actions]

This pull request was marked as resolved a long time ago and now has been automatically locked as there has not been any recent activity after it. You can still open a new issue and reference this link.