
[Release-3.8.0] High CVES Medium vulnerability Issue fix #455

Closed
wants to merge 5 commits into from

Conversation

manjudr

@manjudr manjudr commented Sep 14, 2023

This patch contains the fixes related to the medium vulnerabilities and high CVE vulnerability issues.

Before

trivy image --scanners vuln grafana/grafana-image-renderer:3.8.0
2023-09-14T18:30:33.777+0530	INFO	Need to update DB
2023-09-14T18:30:33.777+0530	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-09-14T18:30:33.777+0530	INFO	Downloading DB...
39.54 MiB / 39.54 MiB [---------------------------------------------------------------------------------------------] 100.00% 9.25 MiB p/s 4.5s
2023-09-14T18:30:40.296+0530	INFO	Vulnerability scanning is enabled
2023-09-14T18:31:17.927+0530	INFO	Detected OS: alpine
2023-09-14T18:31:17.927+0530	INFO	Detecting Alpine vulnerabilities...
2023-09-14T18:31:17.953+0530	INFO	Number of language-specific files: 1
2023-09-14T18:31:17.953+0530	INFO	Detecting node-pkg vulnerabilities...

grafana/grafana-image-renderer:3.8.0 (alpine 3.18.3)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

2023-09-14T18:31:17.995+0530	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Node.js (node-pkg)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬─────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │ Installed Version │    Fixed Version    │                    Title                    │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼─────────────────────────────────────────────┤
│ semver (package.json) │ CVE-2022-25883 │ MEDIUM   │ fixed  │ 7.3.7             │ 7.5.2, 6.3.1, 5.7.2 │ Regular expression denial of service        │
│                       │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-25883  │
├───────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────────┼─────────────────────────────────────────────┤
│ xml2js (package.json) │ CVE-2023-0842  │          │        │ 0.4.23            │ 0.5.0               │ xml2js is vulnerable to prototype pollution │
│                       │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2023-0842   │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────┴─────────────────────────────────────────────┘

After

trivy image --scanners vuln sanketikahub/grafana-image-renderer:3.8.0
2023-09-14T18:31:58.245+0530	INFO	Vulnerability scanning is enabled
2023-09-14T18:31:58.498+0530	INFO	Detected OS: alpine
2023-09-14T18:31:58.498+0530	INFO	Detecting Alpine vulnerabilities...
2023-09-14T18:31:58.521+0530	INFO	Number of language-specific files: 1
2023-09-14T18:31:58.521+0530	INFO	Detecting node-pkg vulnerabilities...

sanketikahub/grafana-image-renderer:3.8.0 (alpine 3.18.3)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)



Summary

  1. The semver@7.3.7 vulnerability issue comes with node 16-alpine, hence we have upgraded node to 20-alpine3.18, and node 20-alpine3.18 doesn't contain any vulnerabilities.
  2. The xml2js version has a vulnerability issue, hence we are upgrading xml2js to 0.6.2.
  3. eslint-plugin-jsdoc was not compatible with node 16, so we have upgraded the eslint-plugin-jsdoc plugin to 46.7.0.
  4. Verified the vulnerabilities with both docker scout cves and trivy.
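As an added example (not code from this PR or from the grafana-image-renderer project), a small Python gate that reads Trivy's JSON output (the --format json the scan log above refers to), reproduces the per-severity totals, and checks whether the versions proposed in the summary (semver 7.5.2, xml2js 0.6.2) clear Trivy's "Fixed Version" field, which can list one fix per release line. The sample report is constructed to mirror the "Before" table above; the field names follow Trivy's JSON report layout.

```python
import json

# Constructed sample mirroring the "Before" table on this PR; not real Trivy output.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "grafana/grafana-image-renderer:3.8.0 (alpine 3.18.3)", "Type": "alpine",
     "Vulnerabilities": []},
    {"Target": "Node.js", "Type": "node-pkg", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2022-25883", "PkgName": "semver", "InstalledVersion": "7.3.7",
         "FixedVersion": "7.5.2, 6.3.1, 5.7.2", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-2023-0842", "PkgName": "xml2js", "InstalledVersion": "0.4.23",
         "FixedVersion": "0.5.0", "Severity": "MEDIUM"}]}]})

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

def _vtuple(version):
    """'7.5.2' -> (7, 5, 2); a pre-release suffix such as '-rc.1' is ignored here."""
    return tuple(int(p) for p in version.split("-")[0].split("."))

def is_fixed(installed, fixed_field):
    """True if `installed` is at or above the fix for its own release line.

    Trivy lists one fixed version per maintained line ('7.5.2, 6.3.1, 5.7.2'),
    so compare against the entry that shares the installed major version and
    fall back to the lowest listed fix when no line matches."""
    fixes = [_vtuple(f.strip()) for f in fixed_field.split(",") if f.strip()]
    if not fixes:
        return False  # no fix published: treat the finding as still open
    inst = _vtuple(installed)
    same_line = [f for f in fixes if f[0] == inst[0]]
    return inst >= (min(same_line) if same_line else min(fixes))

def gate(report_json, pins=None, fail_on="MEDIUM"):
    """Count findings per severity (Trivy's 'Total:' line) and list the ones a
    proposed set of version pins would not clear. Returns (counts, open_cves, ok);
    `ok` reflects the scan as it was run, `open_cves` reflects the proposed pins."""
    pins = pins or {}
    counts = {s: 0 for s in SEVERITIES}
    still_open = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            counts[v.get("Severity", "UNKNOWN")] += 1
            pinned = pins.get(v["PkgName"], v["InstalledVersion"])
            if not is_fixed(pinned, v.get("FixedVersion", "")):
                still_open.append(v["VulnerabilityID"])
    blocking = sum(counts[s] for s in SEVERITIES[SEVERITIES.index(fail_on):])
    return counts, still_open, blocking == 0

if __name__ == "__main__":
    print(gate(SAMPLE_REPORT, pins={"semver": "7.5.2", "xml2js": "0.6.2"}))
```

Running it on a real report is `trivy image --format json -o report.json <image>` followed by `gate(open("report.json").read(), pins=...)`; the pins argument lets you check a proposed package.json override before rebuilding the image.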

@CLAassistant

CLAassistant commented Sep 14, 2023

CLA assistant check
All committers have signed the CLA.

@AgnesToulet
Contributor

AgnesToulet commented Sep 22, 2023

Hi! Thanks for the contribution.

CVE-2022-25883 has been fixed by #448.

To fix CVE-2023-0842, putting xml2js in resolutions is a good idea but you should also run yarn install and push the yarn.lock updates. If you update your PR with latest changes from master and the yarn.lock file, I'll give it a 👍 and merge it.

@manjudr
Author

manjudr commented Sep 25, 2023

Thanks @AgnesToulet - I have updated the pull request with the yarn.lock file.

@manjudr
Author

manjudr commented Sep 25, 2023

After the latest commit - @AgnesToulet


INFO New version 0.24.1 available (installed version is 0.20.0)
    ✓ Image stored for indexing
    ✓ Indexed 1117 packages
    ✓ No vulnerable package detected

Contributor

@AgnesToulet AgnesToulet left a comment


Thanks for updating this PR, I left some comments.

Comment on lines +73 to +75
"xml2js": "^0.6.2",
"semver": "^7.5.2",
"eslint-plugin-jsdoc": "^46.7.0"
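Review bot: the "semver" and "eslint-plugin-jsdoc" overrides in this block are no longer tied to a finding in this PR once CVE-2022-25883 is handled by #448, so keeping only "xml2js": "^0.6.2" scopes the override to CVE-2023-0842; note that a resolutions entry only takes effect once yarn install has been run and the regenerated yarn.lock is committed alongside it.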

Suggested change
"xml2js": "^0.6.2",
"semver": "^7.5.2",
"eslint-plugin-jsdoc": "^46.7.0"
"xml2js": "^0.6.2"

I don't think these are needed anymore.

Comment on lines -1 to +2
FROM node:18-alpine AS base

FROM node:20-alpine3.17 AS base
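Review bot: the base-image tag in this hunk (node:20-alpine3.17) does not match the PR summary, which says node 20-alpine3.18, nor the "After" scan, which reports alpine 3.18.3; the Dockerfile should name the image that was actually scanned, otherwise the clean result does not vouch for what gets built. If the base stays on node:18-alpine as suggested, the verification in the summary should be re-run against that image.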

This is not necessary to fix vulnerabilities now that we are on node 18. Also, as you can see in this PR that updates the image renderer to use Node 18, upgrading Node is not about just the Docker image, so I think we should keep using the node:18-alpine base image.

@AgnesToulet
Contributor

Closing in favor of #473
