Upgrade Alpine Linux image

[fernap3]

A security scan of the pgHero Docker image turned up CVE-2022-48174 in the version of Alpine Linux being sourced in the latest (v3.4.4) pgHero Docker image. According to this page, that vulnerability is resolved in a more recent version? Admittedly that page is a bit confusing and mentions the vulnerability is both resolved, and unresolved, and also mentions multiple versions of Alpine Linux so I'm not exactly sure what to make of that, lol.

If it's a low effort fix, could you update the pgHero Docker image to pull the latest Alpine Linux image? I'd be happy to make the contribution myself but don't see any dockerfile in the repo to edit.

[ankane]

Hi @fernap3, can you share more details about the scan? Are you seeing the same with the latest tag?

[hiddevdm]

I've also found another vulnerability in a scan: CVE-2023-36617. This seems to be the case for both v3.3.4 and the current latest

NVD CVSSv3 5.3

Installed Resource
uri 0.12.1

Full Path To Resource
/usr/local/lib/ruby/gems/3.1.0/specifications/default/uri-0.12.1.gemspec

Fixed Version
0.12.2

Recommendations
Upgrade package uri to version 0.12.2 or above.

[ankane]

Updated the Docker image and uri gem in pghero/pghero@0382b81 (the uri gem may still show up on the scan since that version is bundled with Ruby, but it's not being used).