🐛 Bug Report: Security vulnerabilities #274

Closed
opened 2025-10-08 00:00:39 +03:00 by OVERLORD · 6 comments
Originally created by @kingp0dd on GitHub.

### Reproduction steps

I think visibility on vulnerabilities is important, especially since the container is related to security.

```
$ docker run --rm anchore/grype:latest registry:ghcr.io/pocket-id/pocket-id -v
[0000]  INFO grype version: 0.90.0
[0001]  INFO downloading new vulnerability DB
[0070]  INFO installed new vulnerability DB built=2025-03-27T04:07:22Z version=v6.0.2
[0112]  INFO task completed elapsed=208.982µs task=environment-cataloger
[0112]  INFO task completed elapsed=125.282µs task=alpm-db-cataloger
[0112]  INFO task completed elapsed=95.402568ms task=apk-db-cataloger
[0112]  INFO task completed elapsed=127.119µs task=dpkg-db-cataloger
[0112]  INFO task completed elapsed=78.549µs task=portage-cataloger
[0112]  INFO task completed elapsed=60.759µs task=rpm-db-cataloger
[0112]  INFO task completed elapsed=34.416µs task=conan-info-cataloger
[0112]  INFO task completed elapsed=121.706557ms task=javascript-package-cataloger
[0112]  INFO task completed elapsed=157.776µs task=php-composer-installed-cataloger
[0112]  INFO task completed elapsed=70.744µs task=r-package-cataloger
[0112]  INFO task completed elapsed=214.054µs task=ruby-installed-gemspec-cataloger
[0112]  INFO task completed elapsed=20.046691ms task=cargo-auditable-binary-cataloger
[0112]  INFO task completed elapsed=102.066µs task=php-pecl-serialized-cataloger
[0112]  INFO task completed elapsed=149.593µs task=dotnet-packages-lock-cataloger
[0112]  INFO task completed elapsed=70.792µs task=dotnet-portable-executable-cataloger
[0112]  INFO task completed elapsed=54.451µs task=python-installed-package-cataloger
[0123]  INFO task completed elapsed=10.318085888s task=go-module-binary-cataloger
[0123]  INFO task completed elapsed=171.146µs task=java-archive-cataloger
[0123]  INFO task completed elapsed=197.475071ms task=graalvm-native-image-cataloger
[0123]  INFO task completed elapsed=47.353049ms task=nix-store-cataloger
[0123]  INFO task completed elapsed=200.807µs task=lua-rock-cataloger
[0126]  INFO task completed elapsed=2.67461561s task=binary-classifier-cataloger
[0126]  INFO task completed elapsed=2.666581ms task=elf-binary-package-cataloger
[0126]  INFO task completed elapsed=97.097µs task=java-jvm-cataloger
[0126]  INFO task completed elapsed=2.192739ms task=linux-kernel-cataloger
[0126]  INFO task completed elapsed=288.467µs task=bitnami-cataloger
[0126]  INFO task completed elapsed=55.507µs task=wordpress-plugins-cataloger
[0127]  INFO task completed elapsed=926.668695ms task=file-digest-cataloger
[0127]  INFO task completed elapsed=8.065775ms task=file-metadata-cataloger
[0127]  INFO task completed elapsed=990ns task=file-content-cataloger
[0127]  INFO task completed elapsed=282.020544ms task=file-executable-cataloger
[0127]  INFO task completed elapsed=47.373964ms task=relationships-cataloger
[0127]  INFO task completed elapsed=33.319107ms task=unknowns-labeler
[0128]  INFO found 7 vulnerability matches across 600 packages
NAME                               INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY
cookie                             0.6.0      0.7.0     npm        GHSA-pxg6-pf52-xh8x  Low
github.com/disintegration/imaging  v1.6.2               go-module  GHSA-q7pp-wcgr-pffx  Low
github.com/go-jose/go-jose/v3      v3.0.3     3.0.4     go-module  GHSA-c6gw-w398-hv78  Medium
github.com/golang/glog             v1.2.0     1.2.4     go-module  GHSA-6wxm-mpqj-6jpf  Medium
github.com/quic-go/quic-go         v0.44.0    0.48.2    go-module  GHSA-px8v-pp82-rcvr  Medium
golang.org/x/crypto                v0.23.0    0.31.0    go-module  GHSA-v778-237x-gjrc  Critical
golang.org/x/net                   v0.25.0    0.36.0    go-module  GHSA-qxp5-gwg8-xv66  Medium
```

Is there a plan to make pocket-id available in Docker Hub? I think they have an automated vuln report (Docker Scout?) integrated in their image page. e.g.:

![Image](https://github.com/user-attachments/assets/3b5a5ae8-89c7-4057-882a-dcf1e7f82a83)

### Expected behavior

N/A

### Actual Behavior

N/A

### Version and Environment

(0.44.0)

### Log Output

_No response_
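A severity gate over the scan above, added here as an example (it is not code from the issue or from the pocket-id project): it reads grype's JSON report, blocks only on findings at or above a threshold that already have a fixed version, and returns the rest for tracking, so an unfixable advisory like the `imaging` one does not fail every build. The sample report is constructed from the issue's table, and the `matches[].vulnerability`/`matches[].artifact` field layout is my assumption of grype's `-o json` shape.

```python
import json

# Severity order used for the threshold comparison.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def _match(name, version, ptype, vid, severity, fixed=None):
    """Build one grype-style match record (helper for the constructed sample)."""
    fix = {"versions": [fixed] if fixed else [], "state": "fixed" if fixed else "not-fixed"}
    return {"vulnerability": {"id": vid, "severity": severity, "fix": fix},
            "artifact": {"name": name, "version": version, "type": ptype}}


# Constructed sample report populated from the issue's scan table; the field
# layout is assumed to follow grype's `-o json` output.
SAMPLE_REPORT = json.dumps({"matches": [
    _match("cookie", "0.6.0", "npm", "GHSA-pxg6-pf52-xh8x", "Low", "0.7.0"),
    _match("github.com/disintegration/imaging", "v1.6.2", "go-module", "GHSA-q7pp-wcgr-pffx", "Low"),
    _match("github.com/go-jose/go-jose/v3", "v3.0.3", "go-module", "GHSA-c6gw-w398-hv78", "Medium", "3.0.4"),
    _match("github.com/golang/glog", "v1.2.0", "go-module", "GHSA-6wxm-mpqj-6jpf", "Medium", "1.2.4"),
    _match("github.com/quic-go/quic-go", "v0.44.0", "go-module", "GHSA-px8v-pp82-rcvr", "Medium", "0.48.2"),
    _match("golang.org/x/crypto", "v0.23.0", "go-module", "GHSA-v778-237x-gjrc", "Critical", "0.31.0"),
    _match("golang.org/x/net", "v0.25.0", "go-module", "GHSA-qxp5-gwg8-xv66", "Medium", "0.36.0"),
]})


def gate(report_json, fail_on="Medium", require_fix=True):
    """Split a grype JSON report into (blocking, tracked) findings.

    A finding blocks when its severity is at least `fail_on` and, with
    `require_fix`, a fixed version exists to upgrade to. Everything else is
    returned as `tracked` so unfixable advisories stay visible without
    failing every build until upstream ships a fix.
    """
    threshold = SEVERITY_RANK[fail_on]
    blocking, tracked = [], []
    for m in json.loads(report_json)["matches"]:
        vuln, art = m["vulnerability"], m["artifact"]
        fixes = vuln["fix"]["versions"]
        entry = (art["name"], art["version"], fixes[0] if fixes else None,
                 vuln["id"], vuln["severity"])
        severe = SEVERITY_RANK.get(vuln["severity"], 0) >= threshold
        (blocking if severe and (fixes or not require_fix) else tracked).append(entry)
    # Most severe first, so the first line of a CI log is the one to act on.
    blocking.sort(key=lambda e: -SEVERITY_RANK.get(e[4], 0))
    return blocking, tracked


if __name__ == "__main__":
    blocking, tracked = gate(SAMPLE_REPORT)
    for name, ver, fix, vid, sev in blocking:
        print(f"{sev:9} {vid}  {name} {ver} -> upgrade to {fix}")
    raise SystemExit(1 if blocking else 0)
```

grype itself can apply the same policy inline with `--fail-on` and `--only-fixed`; the script shows the logic for when the JSON report is post-processed in CI instead.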

OVERLORD added the bug label 2025-10-08 00:00:39 +03:00
@kingp0dd commented on GitHub:

> While I get the point of displaying vulnerabilities, it also could be a risk if the vulnerability is public and can be exploited.
>
> I will leave this up to @stonith404 on how he wants to handle this.

Anyone can scan for vulnerabilities like what I did, so I think it being public or visible will not be a factor.

@kmendell commented on GitHub:

We migrated to GitHub Orgs a while back and moved off of Docker Hub to here instead.

While I get the point of displaying vulnerabilities, it also could be a risk if the vulnerability is public and can be exploited.

I will leave this up to @stonith404 on how he wants to handle this.

@kingp0dd commented on GitHub:

> I'm not in any way a maintainer or anything but this doesn't seem really worth it. Especially with how much DH fiddles with max limits for free users when it comes to security scanning, one day I fear it's going to be fully locked under their paid subscription.
>
> If CVEs are a concern (not all of them are going to be applicable to Pocket ID however) then setting up Dependabot to push PRs with updated go modules or nodejs modules is a better thing to do. Just my 5 cents though, may be worthwhile but I hope this doesn't mean swapping ghcr to dh.

If this is a concern, I think the image can be both on DH and GitHub. Multiple apps do that.

@MrRubberDucky commented on GitHub:

I'm not in any way a maintainer or anything but this doesn't seem really worth it. Especially with how much DH fiddles with max limits for free users when it comes to security scanning, one day I fear it's going to be fully locked under their paid subscription.

If CVEs are a concern (not all of them are going to be applicable to Pocket ID however) then setting up Dependabot to push PRs with updated go modules or nodejs modules is a better thing to do. Just my 5 cents though, may be worthwhile but I hope this doesn't mean swapping ghcr to dh.

@stonith404 commented on GitHub:

Docker Scout is only free for one repo unfortunately.

I get informed about vulnerabilities in packages that the frontend and backend uses and Dependabot tries to upgrade the packages automatically.

The medium and critical vulnerabilities are caused by Caddy `v2.8.4` which currently is the latest version in the Alpine Package Manager. As soon as there is a new version, the Docker build will use the latest version of Caddy.

That said, although it's not possible to enable Docker Scout, package vulnerabilities will be fixed automatically if there is a fix available.

@MrRubberDucky commented on GitHub:

> The medium and critical vulnerabilities are caused by Caddy `v2.8.4` which currently is the latest version in the Alpine Package Manager. As soon as there is a new version, the Docker build will use the latest version of Caddy.

Ya probably know this but eh, I feel like it's good to mention this:

If you ever feel like experimenting, building latest caddy is easily possible via `xcaddy` or by pulling latest version from git and building it with `go build`. Though you can also do one more thing... instead of grabbing off current stable repo in Alpine Linux, you can point apk to add it from one specific repository (edge usually has stable, up-to-date versions of Caddy where main branches always fall on latest stable)

Though I wouldn't rely on them 100% as these will eventually expire from Alpine Linux repository unless they were recently rebuilt, that's just how it is with `community` repos. Nevertheless, if ya wanna try it then here's a small snippet:


```Dockerfile
# Install caddy from the Alpine edge community repository instead of the release branch
RUN apk add --no-cache --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community caddy
```

That should grab (at the time of writing) Caddy v2.9.1


Reference: starred/pocket-id-pocket-id-1#274