CVEs needing attention

[DavidACastagna]

I will forward this to hello@kroki.io as well. But:

The latest image (at the time of this issue) has the following vulnerabilities in the kroki JAR file:

com.google.guava:guava (Recommended fix is to upgrade from 30.1-jre to 32.0.0-android):

• CVE-2023-2976
• CVE-2020-8908

We're also seeing the following CVE/library in the image (Might be from the base image? I can't find go anywhere in the image though. Not sure why this is showing up.):

golang.org/x/crypto (Recommended fix is to upgrade from v0.16.0 to v0.17.0):

• CVE-2023-48795

[ggrossetie]

com.google.guava:guava (Recommended fix is to upgrade from 30.1-jre to 32.0.0-android):

GHSA-7g45-4rm6-3mm3
GHSA-5mg8-w23w-74h3

Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems

We are not using FileBackedOutputStream and we are not creating temporary directory so we are not affected by this vulnerability.

golang.org/x/crypto (Recommended fix is to upgrade from v0.16.0 to v0.17.0):

GHSA-45x7-px36-x8w8

Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel

We are not using the SSH protocol.

[DavidACastagna]

Thanks for the speedy response!

[DavidACastagna]

Incidentally, the full trivy image scan for kroki 0.24.1 shows all of the following needing attention:
kroki-0.24.1.trivy.json

Is there any plan to address any of these?