chore: [#433] upgrade Prometheus to v3.11.2 and document CVE analysis#454

Merged
josecelano merged 3 commits into main from 433-prometheus-cves
Apr 15, 2026

Conversation

@josecelano
Member

Summary

Upgrades Prometheus from v3.5.1 to v3.11.2 (latest as of 2026-04-13), eliminating all CRITICAL CVEs.

Closes #433

Changes

  • src/domain/prometheus/config.rs: bump PROMETHEUS_DOCKER_IMAGE_TAG from v3.5.1 to v3.11.2
  • docs/security/docker/scans/prometheus.md: update current status table and add new scan history entry for 2026-04-14
  • docs/issues/433-prometheus-cves.md: fill in Outcome section with scan results and checked-off steps
  • .github/workflows/docker-security-scan.yml: update example image tag in comment
  • project-words.txt: add buger, cves, jsonparser

Scan Results

Version Comparison

| Version | HIGH | CRITICAL |
|---------|------|----------|
| v3.5.0  | 16   | 4        |
| v3.5.1  | 6    | 2        |
| v3.11.2 | 4    | 0        |

Remaining CVEs in v3.11.2 (all HIGH, no remote attack path)

| CVE            | Library          | Fix    | Notes                            |
|----------------|------------------|--------|----------------------------------|
| CVE-2026-32285 | buger/jsonparser | 1.1.2  | DoS via malformed JSON; internal |
| CVE-2026-34040 | moby/docker      | 29.3.1 | Auth bypass; Docker-client code  |
| CVE-2026-39883 | otel/sdk         | 1.43.0 | Local PATH hijack; no remote     |

No OS layer — pure Go binaries, no Alpine/Debian base image. All remaining findings are in upstream Prometheus binary dependencies with no remote attack path.
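A scan-gate script of the kind this triage implies, added here as an example and not code from the repository or the PR author: it assumes a Trivy-style JSON report shape (the page does not show the workflow's scanner output; the sample below is constructed from the PR's table) and encodes the policy the PR applies, where CRITICAL fails unconditionally and HIGH passes only with a documented accepted-risk entry.

```python
import json
from collections import Counter

# Constructed scan report in a Trivy-like JSON shape (assumption: the real
# scanner output is not shown on the page). The findings mirror the PR's table.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "prom/prometheus:v3.11.2",
    "Results": [{"Target": "prometheus", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2026-32285", "PkgName": "buger/jsonparser",
         "Severity": "HIGH", "FixedVersion": "1.1.2"},
        {"VulnerabilityID": "CVE-2026-34040", "PkgName": "moby/docker",
         "Severity": "HIGH", "FixedVersion": "29.3.1"},
        {"VulnerabilityID": "CVE-2026-39883", "PkgName": "otel/sdk",
         "Severity": "HIGH", "FixedVersion": "1.43.0"},
    ]}],
})

# Accepted-risk allowlist: each non-blocking HIGH carries a written justification,
# the same information the PR records in docs/security/docker/scans/prometheus.md.
ACCEPTED = {
    "CVE-2026-32285": "DoS via malformed JSON; internal use only",
    "CVE-2026-34040": "Auth bypass in Docker-client code path, not reachable remotely",
    "CVE-2026-39883": "Local PATH hijack; no remote attack path",
}

def findings(report):
    """Flatten a report (JSON string or parsed dict) into (cve, pkg, severity, fix)."""
    data = json.loads(report) if isinstance(report, str) else report
    return [(v["VulnerabilityID"], v["PkgName"], v["Severity"], v.get("FixedVersion", ""))
            for result in data.get("Results", [])
            for v in result.get("Vulnerabilities", [])]

def summarize(report):
    """Count findings per severity, the numbers the PR's version table reports."""
    return dict(Counter(sev for _, _, sev, _ in findings(report)))

def triage(report, accepted, always_block=("CRITICAL",), needs_justification=("HIGH",)):
    """Return the CVE ids that should fail the scan gate.

    CRITICAL findings block even if someone added them to the allowlist;
    HIGH findings block only when no accepted-risk justification exists.
    """
    blocking = []
    for cve, _, sev, _ in findings(report):
        if sev in always_block or (sev in needs_justification and cve not in accepted):
            blocking.append(cve)
    return blocking
```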

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@josecelano
Member Author

ACK f8e9730

@josecelano josecelano merged commit 43f790e into main Apr 15, 2026
35 checks passed
josecelano added a commit that referenced this pull request Apr 15, 2026
Removed 5 closed issue documentation files from docs/issues/:
- #431: backup-cves (PR #457 merged)
- #433: prometheus-cves (PR #454 merged)
- #434: grafana-cves (PR #453 merged)
- #435: mysql-cves (PR #456 merged)
- #444: rand-0.9.2-rustsec (closed)

Remaining open issues: #413, #429, #432, #443

Development

Successfully merging this pull request may close these issues.

Investigate unresolved Prometheus CVEs after upgrade to v3.5.1