
Open critical CVE (Score 9.8) in 2.114.0-pactbroker2.108.0 - upgrade of Alpine Linux needed #161

Closed
4 tasks done
jorander opened this issue Jan 29, 2024 · 2 comments

@jorander
Contributor

Pre issue-raising checklist

I have already (please mark the applicable with an x):

  • Confirmed this is the right place to raise the issue - only issues related to the Dockerization of the Pact Broker should be raised here. Issues related to the Pact Broker application itself should be raised in the Pact Broker project.
  • Upgraded to the latest Pact Broker Docker image OR
  • Checked the CHANGELOG to see if the issue I am about to raise has been fixed
  • Read the Troubleshooting page

Software versions

  • pact-broker gem version: 2.108.0
  • pact-broker docker version: 2.114.0
  • OS: Linux
  • pact broker client details: N/A

Expected behaviour

No critical CVEs found when scanning the image.

Actual behaviour

When scanning the 2.114.0-pactbroker2.108.0 image using JFrog Xray we find that it has an open critical CVE-2022-48174 security issue. The problem is in busybox:1.35.0-r29 which is included in Alpine 3.17.
Alpine 3.17 also contains a few other packages with open CVEs of lower severity.

Upgrading to use ruby:3.2.3-alpine3.19 as base image remedies these issues.

Steps to reproduce

N/A

Relevant log files

N/A
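The report above boils down to one check: does the image's base layer come from an Alpine release that is too old? As an added example (not code from the pact-broker-docker project or from the issue author), the script below parses the `FROM` lines of a Dockerfile and flags any Alpine-tagged base image older than a required release. The two Dockerfile snippets are constructed for illustration: the issue states the affected image was on Alpine 3.17 and proposes `ruby:3.2.3-alpine3.19`, but does not show the Dockerfile itself, so the `ruby:3.2.2-alpine3.17` tag in the "before" snippet is an assumption. The check complements a scanner such as the one the reporter used; it does not replace it, since it says nothing about packages installed on top of the base image.

```python
"""Flag Dockerfile base images on an Alpine release below a required minimum.

Added example, not the pact-broker-docker project's own code. Assumes the
final stage is built FROM an official ruby:<ver>-alpine<x.y> image, as the
issue describes; both Dockerfile texts below are constructed samples.
"""
import re
from typing import List, Optional, Tuple

# Constructed 'before' state: Alpine 3.17, which the issue reports as
# shipping the busybox build affected by CVE-2022-48174. The exact ruby
# tag is an assumption; only the Alpine release comes from the issue.
DOCKERFILE_BEFORE = """\
FROM ruby:3.2.2-alpine3.17
RUN apk add --no-cache build-base
"""

# Constructed 'after' state using the base image the reporter proposes.
DOCKERFILE_AFTER = """\
FROM ruby:3.2.3-alpine3.19
RUN apk add --no-cache build-base
"""

# Matches: FROM [--platform=<p>] <image[:tag][@digest]> [AS <alias>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE | re.MULTILINE,
)
# Matches both 'alpine:3.19' and the '-alpine3.19' suffix of variant tags.
ALPINE_RE = re.compile(r"alpine:?(?P<major>\d+)\.(?P<minor>\d+)")

# The release the issue reporter moved to.
MINIMUM_ALPINE: Tuple[int, int] = (3, 19)


def base_images(dockerfile: str) -> List[str]:
    """Return the image reference of every FROM line, in order (all stages)."""
    return [m.group("image") for m in FROM_RE.finditer(dockerfile)]


def alpine_release(image_ref: str) -> Optional[Tuple[int, int]]:
    """Extract the (major, minor) Alpine release encoded in an image tag.

    Returns None for images whose tag does not name an Alpine release
    (e.g. a Debian-based 'slim' tag), so they are neither passed nor failed.
    """
    # Drop any @sha256:... digest so only the tag is inspected.
    ref = image_ref.split("@", 1)[0]
    m = ALPINE_RE.search(ref)
    if m is None:
        return None
    return int(m.group("major")), int(m.group("minor"))


def stale_base_images(dockerfile: str, minimum: Tuple[int, int]) -> List[str]:
    """Return the base images whose Alpine release is older than `minimum`."""
    stale = []
    for ref in base_images(dockerfile):
        rel = alpine_release(ref)
        # Tuple comparison orders (3, 17) before (3, 19) as intended.
        if rel is not None and rel < minimum:
            stale.append(ref)
    return stale


if __name__ == "__main__":
    for label, text in (("before", DOCKERFILE_BEFORE), ("after", DOCKERFILE_AFTER)):
        stale = stale_base_images(text, MINIMUM_ALPINE)
        print(f"{label}: {'stale: ' + ', '.join(stale) if stale else 'ok'}")
```

Run against the "before" snippet the script names `ruby:3.2.2-alpine3.17` as stale; against the "after" snippet it reports nothing, which is the state the release linked below restored. Wiring this into CI as a gate on the Dockerfile catches a regression to an older base image before a scanner has to.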

jorander added a commit to jorander/pact-broker-docker that referenced this issue Jan 29, 2024
@YOU54F
Member

YOU54F commented Feb 5, 2024

Release kicked off now, thanks @jorander

https://github.com/pact-foundation/pact-broker-docker/releases/tag/2.116.0-pactbroker2.109.0

@YOU54F
Member

YOU54F commented Feb 7, 2024

Going to close this off now, as it should be sorted!

@YOU54F YOU54F closed this as completed Feb 7, 2024