M4tteoP commented Aug 29, 2025

TODOs:

  • Check release/push process
    • TETRATE_CI_DOCKERHUB_USERNAME and TETRATE_CI_DOCKERHUB_PASSWORD have been added as repository secrets, still to be tested.
  • Investigate a more updated busybox

Before:

▶ grype prometheuscommunity/postgres-exporter:v0.17.1
NAME                 INSTALLED  FIXED-IN         TYPE       VULNERABILITY        SEVERITY  EPSS%  RISK
golang.org/x/crypto  v0.32.0    0.35.0           go-module  GHSA-hcg3-q754-cr77  High      40.88    0.1
golang.org/x/oauth2  v0.24.0    0.27.0           go-module  GHSA-6v2p-p543-phr9  High      23.28  < 0.1
stdlib               go1.23.6   1.23.12, 1.24.6  go-module  CVE-2025-47907       High      16.77  < 0.1
busybox              1.36.1                      binary     CVE-2023-42364       Medium     7.39  < 0.1
busybox              1.36.1                      binary     CVE-2023-42365       Medium     7.39  < 0.1
busybox              1.36.1                      binary     CVE-2023-42363       Medium     5.46  < 0.1
busybox              1.36.1                      binary     CVE-2023-42366       Medium     4.92  < 0.1
stdlib               go1.23.6   1.23.10, 1.24.4  go-module  CVE-2025-4673        Medium     3.10  < 0.1
stdlib               go1.23.6   1.23.8, 1.24.2   go-module  CVE-2025-22871       Critical   0.93  < 0.1
golang.org/x/net     v0.33.0    0.38.0           go-module  GHSA-vvgc-356p-c3xw  Medium     3.31  < 0.1
busybox              1.36.1                      binary     CVE-2024-58251       Low        7.19  < 0.1
golang.org/x/net     v0.33.0    0.36.0           go-module  GHSA-qxp5-gwg8-xv66  Medium     2.13  < 0.1
busybox              1.36.1                      binary     CVE-2025-46394       Low        4.12  < 0.1
stdlib               go1.23.6   1.23.11, 1.24.5  go-module  CVE-2025-4674        High       0.26  < 0.1

After:

▶ grype tetrate/postgres_exporter:fix-cves
NAME     INSTALLED  FIXED-IN  TYPE    VULNERABILITY   SEVERITY  EPSS%  RISK
busybox  1.36.1               binary  CVE-2023-42364  Medium     7.39  < 0.1
busybox  1.36.1               binary  CVE-2023-42365  Medium     7.39  < 0.1
busybox  1.36.1               binary  CVE-2023-42363  Medium     5.46  < 0.1
busybox  1.36.1               binary  CVE-2023-42366  Medium     4.92  < 0.1
busybox  1.36.1               binary  CVE-2024-58251  Low        7.19  < 0.1
busybox  1.36.1               binary  CVE-2025-46394  Low        4.12  < 0.1

SuperQ and others added 3 commits August 29, 2025 23:56
* Update Go to 1.24.
* Update golangci-lint to v2.
* Fixup linting issues.

Signed-off-by: SuperQ <[email protected]>