Skip to content

Upgrade base prometheus image

Warren Gifford requested to merge andre/patch-prometheus into main

Created by: andreeleuterio

Upgrades the base prometheus image to patch a CVE. I followed the instructions here. We are already running the latest version of alertmanager. I built the image locally. I also verified that the prometheus rules were ok as per step 5.1.

I scanned the local image with trivy. Only an alertmanager CVE is left:

trivy image --severity "HIGH,CRITICAL" sourcegraph/prometheus:latest
2022-05-20T15:09:24.218-0300	INFO	Number of language-specific files: 1
2022-05-20T15:09:24.218-0300	INFO	Detecting gobinary vulnerabilities...

bin/alertmanager (gobinary)
===========================
Total: 1 (HIGH: 1, CRITICAL: 0)

+---------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |           FIXED VERSION           |                 TITLE                 |
+---------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
| golang.org/x/crypto | CVE-2022-27191   | HIGH     | v0.0.0-20210616213533-5ff15b29337e | 0.0.0-20220315160706-3147a52a75dd | golang: crash in a                    |
|                     |                  |          |                                    |                                   | golang.org/x/crypto/ssh server        |
|                     |                  |          |                                    |                                   | -->avd.aquasec.com/nvd/cve-2022-27191 |
+---------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+

Test plan

CI tests

Merge request reports

Loading