
Security: address CVE-2024-32002, CVE-2024-454092 and CVE-2024-454091 in 0.17.0 #1584

Closed
cmontemuino opened this issue Oct 9, 2024 · 3 comments


@cmontemuino

Our scanner (Trivy) is showing the following critical vulnerabilities:

Vulnerability information: 
+-------------+-----------+----------+-------------------+--------------------+-------------------------------------------------------------+--------------------------------------------+
|     Type    |  Library  | Severity | Installed Version |   Fixed Version    |                           Summary                           |                More Details                |
+-------------+-----------+----------+-------------------+--------------------+-------------------------------------------------------------+--------------------------------------------+
| debian 12.6 |    git    | CRITICAL |    1:2.39.2-1.1   | 1:2.39.5-0+deb12u1 |                  git: Recursive clones RCE                  | https://avd.aquasec.com/nvd/cve-2024-32002 |
| debian 12.6 |  git-man  | CRITICAL |    1:2.39.2-1.1   | 1:2.39.5-0+deb12u1 |                  git: Recursive clones RCE                  | https://avd.aquasec.com/nvd/cve-2024-32002 |
| debian 12.6 | libexpat1 | CRITICAL |      2.5.0-1      |  2.5.0-1+deb12u1   | libexpat: Negative Length Parsing Vulnerability in libexpat | https://avd.aquasec.com/nvd/cve-2024-45490 |
| debian 12.6 | libexpat1 | CRITICAL |      2.5.0-1      |  2.5.0-1+deb12u1   |           libexpat: Integer Overflow or Wraparound          | https://avd.aquasec.com/nvd/cve-2024-45491 |
| debian 12.6 | libexpat1 | CRITICAL |      2.5.0-1      |  2.5.0-1+deb12u1   |                  libexpat: integer overflow                 | https://avd.aquasec.com/nvd/cve-2024-45492 |
+-------------+-----------+----------+-------------------+--------------------+-------------------------------------------------------------+--------------------------------------------+

Proposed Solution

I think it's just a matter of rebuilding the existing image:

docker run --rm -ti robustadev/robusta-runner:0.17.0 bash
root@b0c8c3d205b6:/app# apt-get update
# ...
apt-cache policy git git-man libexpat1
git:
  Installed: 1:2.39.2-1.1
  Candidate: 1:2.39.5-0+deb12u1
  Version table:
     1:2.39.5-0+deb12u1 500
        500 http://deb.debian.org/debian-security bookworm-security/main arm64 Packages
 *** 1:2.39.2-1.1 500
        500 http://deb.debian.org/debian bookworm/main arm64 Packages
        100 /var/lib/dpkg/status
git-man:
  Installed: 1:2.39.2-1.1
  Candidate: 1:2.39.5-0+deb12u1
  Version table:
     1:2.39.5-0+deb12u1 500
        500 http://deb.debian.org/debian-security bookworm-security/main arm64 Packages
 *** 1:2.39.2-1.1 500
        500 http://deb.debian.org/debian bookworm/main arm64 Packages
        100 /var/lib/dpkg/status
libexpat1:
  Installed: 2.5.0-1
  Candidate: 2.5.0-1+deb12u1
  Version table:
     2.5.0-1+deb12u1 500
        500 http://deb.debian.org/debian-security bookworm-security/main arm64 Packages
 *** 2.5.0-1 500
        500 http://deb.debian.org/debian bookworm/main arm64 Packages
        100 /var/lib/dpkg/status

github-actions bot commented Oct 9, 2024

Hi 👋, thanks for opening an issue! Please note, it may take some time for us to respond, but we'll get back to you as soon as we can!

  • 💬 Slack Community: Join Robusta team and other contributors on Slack here.
  • 📖 Docs: Find our documentation here.
  • 🎥 YouTube Channel: Watch our videos here.

@arikalon1
Contributor

Thanks for reporting it @cmontemuino

We're releasing a new version in the next few days (hopefully today)

@Avi-Robusta
Contributor

Avi-Robusta commented Oct 13, 2024

Hey @cmontemuino,
We just released a new version 0.18.0 with those CVEs patched.
Thanks for reporting.
