Multiple vulnerabilities reported by image scan #802

Closed
programmer04 opened this issue Aug 25, 2022 · 4 comments · Fixed by #815

Comments

@programmer04

Describe the Bug
Multiple vulnerabilities were reported by an image scan. I've scanned migrate/migrate:v4.15.2 (current latest) with Grype and saw some vulnerabilities reported.

NAME                        INSTALLED  FIXED-IN   TYPE       VULNERABILITY   SEVERITY 
busybox                     1.32.1-r8  1.32.1-r9  apk        CVE-2022-30065  High      
google.golang.org/protobuf  v1.27.1               go-module  CVE-2015-5237   High      
google.golang.org/protobuf  v1.27.1    3.15.0     go-module  CVE-2021-22570  High      
libcrypto1.1                1.1.1n-r0  1.1.1q-r0  apk        CVE-2022-2097   High      
libssl1.1                   1.1.1n-r0  1.1.1q-r0  apk        CVE-2022-2097   High      
ssl_client                  1.32.1-r8  1.32.1-r9  apk        CVE-2022-30065  High      
zlib                        1.2.12-r0  1.2.12-r2  apk        CVE-2022-37434  Critical  

Some are related to the outdated base image alpine:3.13.0 and some are specific to the Go packages used. When the migrate/migrate:v4.15.2 image is used in a regulated environment, that kind of problem slows down releases etc., because scanning is part of a CI/CD pipeline and it has to be carefully assessed.

Steps to Reproduce
Just scan the image with some tool for finding vulnerabilities.

Expected Behavior
No vulnerabilities are reported for the newest image.

Additional context
Updating Go, Alpine, and packages will fix it, but only for now. Security bugs are discovered all the time.

As a more robust solution, I propose configuring Dependabot to keep dependencies like the base image and Go packages up to date. For Go packages, I advise enabling the dependency graph: security vulnerabilities will then be reported automatically (unfortunately it doesn't work for images).

I'll be happy to prepare PRs for the things proposed above. Please let me know what you think about it.

Similar issue #777.
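The Dependabot configuration the comment above proposes, written out as an added example (not a file from the golang-migrate repository): one `docker` entry watches the `FROM` line of the Dockerfile in the repository root and opens a PR when a newer tag of the base image is published, and one `gomod` entry does the same for `go.mod`. Both directories and the weekly cadence are assumptions; adjust them to where the Dockerfile and go.mod actually live.

```yaml
# .github/dependabot.yml  (added example; paths and schedule are assumptions)
version: 2
updates:
  # Base image updates: bumps the tag in the Dockerfile's FROM line.
  - package-ecosystem: "docker"
    directory: "/"            # directory that contains the Dockerfile
    schedule:
      interval: "weekly"

  # Go module updates: bumps require lines in go.mod / go.sum.
  - package-ecosystem: "gomod"
    directory: "/"            # directory that contains go.mod
    schedule:
      interval: "weekly"
```

Note that version-update PRs from this file are separate from Dependabot security alerts: the alerts (the "dependency graph - security vulnerabilities" feature mentioned above) are switched on in the repository's security settings and, as the comment says, cover Go modules but not container base images, so the `docker` entry is what keeps the Alpine layer current.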

@dhui
Member

dhui commented Aug 26, 2022

Thanks for reporting the issue! I'd merge a PR to update the alpine linux docker base image. Another approach that would prevent this issue from occurring would be to use a scratch base image for the final docker image/build. The main issues with this are bundling certs and static builds.

We shouldn't be using protobufs directly so that's probably due to a dependency. If you can track that down and update the offending dependency, I'd also merge that PR.
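One way to do the tracking-down dhui asks for is to walk the output of `go mod graph` from the main module to the offending module and report which direct dependency pulls it in. The program below is an added example, not project code; the graph it parses is a constructed sample with hypothetical module names (only the `google.golang.org/protobuf` leaf is taken from the scan table above), and `go mod why -m google.golang.org/protobuf` gives the same answer for a real checkout.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of `go mod graph` output (hypothetical modules, not
// the project's real dependency graph). One edge per line:
// "<module>[@version] <dependency>@version"; the main module has no version.
const sampleGraph = `example.com/app example.com/storage-sdk@v1.2.0
example.com/app example.com/pgdriver@v1.10.0
example.com/storage-sdk@v1.2.0 example.com/rpc-framework@v0.30.0
example.com/rpc-framework@v0.30.0 google.golang.org/protobuf@v1.27.1
example.com/pgdriver@v1.10.0 golang.org/x/text@v0.3.7
`

// graph maps a module@version node to the nodes it requires.
type graph map[string][]string

// parseModGraph turns `go mod graph` text into an adjacency list and
// returns the main module (the left-hand side of the first edge).
func parseModGraph(text string) (graph, string) {
	g := graph{}
	root := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // blank or malformed line
		}
		if root == "" {
			root = fields[0]
		}
		g[fields[0]] = append(g[fields[0]], fields[1])
	}
	return g, root
}

// modulePath strips the "@version" suffix so that any version of the
// target module matches.
func modulePath(node string) string {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// pathsTo does a breadth-first search from root and returns the shortest
// requirement chain reaching each node whose module path equals target.
func pathsTo(g graph, root, target string) [][]string {
	type item struct {
		node string
		path []string
	}
	var out [][]string
	queue := []item{{root, []string{root}}}
	seen := map[string]bool{root: true}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, dep := range g[cur.node] {
			p := append(append([]string{}, cur.path...), dep)
			if modulePath(dep) == target {
				out = append(out, p)
				continue
			}
			if seen[dep] {
				continue
			}
			seen[dep] = true
			queue = append(queue, item{dep, p})
		}
	}
	return out
}

// offendingDirectDeps lists the direct dependencies of root (second hop of
// each chain) that transitively require target: these are what to bump.
func offendingDirectDeps(g graph, root, target string) []string {
	uniq := map[string]bool{}
	for _, p := range pathsTo(g, root, target) {
		if len(p) >= 2 {
			uniq[p[1]] = true
		}
	}
	var out []string
	for d := range uniq {
		out = append(out, d)
	}
	sort.Strings(out)
	return out
}

func main() {
	g, root := parseModGraph(sampleGraph)
	target := "google.golang.org/protobuf"
	for _, p := range pathsTo(g, root, target) {
		fmt.Println(strings.Join(p, " -> "))
	}
	fmt.Println("direct dependencies to update:", offendingDirectDeps(g, root, target))
}
```

In a real repository, feed the program `go mod graph` output instead of the constant and then raise the reported direct dependency with `go get <module>@<newer version>` followed by `go mod tidy`; if no release of that dependency has moved off the affected protobuf version, the finding stays open, which is what the later comment in this thread observes.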

@programmer04
Author

Yeah, using scratch would be ideal, or at least using something like distroless. It requires some more testing, thus I consider it the next step.

@tspearconquest
Contributor

tspearconquest commented Sep 28, 2022

I've built and tested an image locally to fix these. I can fix everything but protobuf.

When scanning with grype with the --only-fixed flag, the protobufs do not appear, and I can confirm the same happens when I scan the image with Trivy with the --ignore-unfixed flag, so it seems there is no upstream fix for that one yet.

The others are all solved in the PR I'm about to submit.

❯ grype migrate/migrate:testbuild --only-fixed --add-cpes-if-none
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [94 packages]
 ✔ Scanned image           [2 vulnerabilities]

No vulnerabilities found

(screenshot of the scan output not reproduced)

The CVEs listed in the screenshot are fixed by #814
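The `--only-fixed` / `--ignore-unfixed` distinction the comment above relies on is the usual CI gate for this situation: fail the build on findings that already have an upstream fix, and only track the ones that do not. The program below is an added example (not project code, not part of grype) that applies that policy to grype's JSON report (`grype <image> -o json`); the report embedded here is a constructed sample trimmed to the fields the code reads (`matches[].vulnerability.{id,severity,fix}` and `matches[].artifact`), with package and CVE data copied from the scan table in this issue. Check the field names against the JSON your grype version emits before relying on them.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// Constructed sample of a grype JSON report, reduced to the fields used
// below. Entries mirror the scan table in this issue: two fixable apk
// findings and the protobuf finding that had no upstream fix.
const sampleReport = `{
  "matches": [
    {"vulnerability": {"id": "CVE-2022-37434", "severity": "Critical",
                       "fix": {"versions": ["1.2.12-r2"], "state": "fixed"}},
     "artifact": {"name": "zlib", "version": "1.2.12-r0", "type": "apk"}},
    {"vulnerability": {"id": "CVE-2022-30065", "severity": "High",
                       "fix": {"versions": ["1.32.1-r9"], "state": "fixed"}},
     "artifact": {"name": "busybox", "version": "1.32.1-r8", "type": "apk"}},
    {"vulnerability": {"id": "CVE-2015-5237", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "google.golang.org/protobuf", "version": "v1.27.1", "type": "go-module"}}
  ]
}`

// report is the subset of grype's JSON schema this gate depends on.
type report struct {
	Matches []struct {
		Vulnerability struct {
			ID       string `json:"id"`
			Severity string `json:"severity"`
			Fix      struct {
				Versions []string `json:"versions"`
				State    string   `json:"state"` // "fixed", "not-fixed", "wont-fix", "unknown"
			} `json:"fix"`
		} `json:"vulnerability"`
		Artifact struct {
			Name    string `json:"name"`
			Version string `json:"version"`
			Type    string `json:"type"`
		} `json:"artifact"`
	} `json:"matches"`
}

// finding is one scanner match in the shape a CI log should show.
type finding struct {
	ID, Pkg, Installed, FixedIn, Severity string
}

// severityRank orders grype's severity labels for threshold comparison.
var severityRank = map[string]int{"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

// triage splits matches into blocking findings (a fix exists and severity is
// at or above threshold, i.e. what --only-fixed plus --fail-on would flag)
// and tracked findings (no fix yet, or below threshold), blocking sorted
// most severe first.
func triage(reportJSON []byte, threshold string) ([]finding, []finding, error) {
	var r report
	if err := json.Unmarshal(reportJSON, &r); err != nil {
		return nil, nil, err
	}
	var blocking, tracked []finding
	for _, m := range r.Matches {
		f := finding{ID: m.Vulnerability.ID, Pkg: m.Artifact.Name,
			Installed: m.Artifact.Version, Severity: m.Vulnerability.Severity}
		if len(m.Vulnerability.Fix.Versions) > 0 {
			f.FixedIn = m.Vulnerability.Fix.Versions[0]
		}
		fixAvailable := m.Vulnerability.Fix.State == "fixed"
		if fixAvailable && severityRank[f.Severity] >= severityRank[threshold] {
			blocking = append(blocking, f)
		} else {
			tracked = append(tracked, f)
		}
	}
	sort.Slice(blocking, func(i, j int) bool {
		return severityRank[blocking[i].Severity] > severityRank[blocking[j].Severity]
	})
	return blocking, tracked, nil
}

func main() {
	blocking, tracked, err := triage([]byte(sampleReport), "High")
	if err != nil {
		fmt.Fprintln(os.Stderr, "bad report:", err)
		os.Exit(2)
	}
	for _, f := range blocking {
		fmt.Printf("BLOCK  %-16s %-28s %s -> %s\n", f.ID, f.Pkg, f.Installed, f.FixedIn)
	}
	for _, f := range tracked {
		fmt.Printf("TRACK  %-16s %-28s %s (no fix yet)\n", f.ID, f.Pkg, f.Installed)
	}
	if len(blocking) > 0 {
		os.Exit(1) // fail the pipeline only on findings that can actually be fixed
	}
}
```

The tracked list is what needs the "careful assessment" the issue mentions: unfixed findings are not silently dropped, they are printed without failing the build, so a regulated pipeline still has a record of them while releases keep flowing.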

@tspearconquest
Contributor

tspearconquest commented Sep 28, 2022

The CI fails on #815 due to some issues I fixed in #814.

I'll rebase it once #814 is merged, or I can pull #815 into #814 and close out #815. Please let me know how you prefer to take care of it.

@dhui dhui closed this as completed in #815 Oct 19, 2022