Upgrade container image with included dependencies
rwenz3l opened this issue · 7 comments
As mentioned in #79, I found that the containers are quite old and use Debian 11.7 and Go 1.20.6.
It would be very much appreciated if you could upgrade the container image itself, as well as the used toolchain for it, mainly for security reasons.
Go 1.22 is now released, which marks 1.20 as no longer supported. I'm sure there is also a bunch of dependencies used with the connect-server, which may contain vulnerabilities.
The Docker image appears to be using a Debian base image at version 11.7; 11.8 was released in October 2023.
@jpcoenen @ag-adampike @verkaufer any chance someone from the 1password team can take a look at this!?
I scanned the docker image with trivy and discovered this
1password/connect-api:1.7.2 (debian 11.7)
Total: 29 (UNKNOWN: 0, LOW: 11, MEDIUM: 15, HIGH: 3, CRITICAL: 0)
bin/connect-api (gobinary)
Total: 21 (UNKNOWN: 0, LOW: 0, MEDIUM: 16, HIGH: 4, CRITICAL: 1)
1password/connect-sync:1.7.2 (debian 11.7)
Total: 29 (UNKNOWN: 0, LOW: 11, MEDIUM: 15, HIGH: 3, CRITICAL: 0)
bin/connect-sync (gobinary)
Total: 20 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 4, CRITICAL: 1)
There are quite a few of these that could be resolved by updating deps. Also, I don't see why these containers cannot use scratch or distroless images instead of Debian, which would lessen the attack surface.
Will the 1Password team ever address these vulnerabilities?
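The summary lines quoted above are trivy's table output; in CI it is more useful to consume the JSON report (`trivy image -f json`) and turn it into a build gate plus a list of findings that already have a fixed version, since those are the ones a dependency or base-image bump would close. The script below is an added example, not code from this repository or from the 1Password team. It assumes the trivy JSON layout with `Results[].Target` and `Results[].Vulnerabilities[]` entries carrying `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`; the embedded report is constructed, and its CVE identifiers, package names and versions are placeholders, not findings from this thread.

```python
import json
import sys
from collections import Counter

# Constructed sample in the shape of a trivy JSON report (assumed layout).
# All identifiers, packages and versions below are placeholders.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example/connect-api:0.0.0",
    "Results": [
        {
            "Target": "example/connect-api:0.0.0 (debian 11.7)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libother",
                 "InstalledVersion": "2.1", "FixedVersion": "", "Severity": "LOW"},
                {"VulnerabilityID": "CVE-0000-00003", "PkgName": "libthird",
                 "InstalledVersion": "3.4.1", "FixedVersion": "3.4.2", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "bin/connect-api",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00004", "PkgName": "stdlib",
                 "InstalledVersion": "1.20.6", "FixedVersion": "1.21.0", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-00005", "PkgName": "example.com/dep",
                 "InstalledVersion": "v0.1.0", "FixedVersion": "v0.2.0", "Severity": "MEDIUM"},
            ],
        },
    ],
}

# Ordered lowest to highest so the index doubles as a rank.
SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def _rank(severity):
    """Map a severity string to its rank; anything unrecognised counts as UNKNOWN."""
    sev = (severity or "UNKNOWN").upper()
    return SEVERITIES.index(sev) if sev in SEVERITIES else 0


def _findings(report):
    """Yield (target, vulnerability) pairs; trivy emits null for targets with no findings."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result["Target"], vuln


def summarize(report):
    """Per-target severity counts, the same numbers trivy's table output prints."""
    summary = {}
    for result in report.get("Results", []):
        counts = Counter(_rank(v.get("Severity")) for v in result.get("Vulnerabilities") or [])
        summary[result["Target"]] = {s: counts.get(i, 0) for i, s in enumerate(SEVERITIES)}
    return summary


def fixable_findings(report, min_severity="HIGH"):
    """Findings at or above min_severity for which upstream already ships a fixed version."""
    threshold = _rank(min_severity)
    return [
        (target, v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"], v["FixedVersion"])
        for target, v in _findings(report)
        if _rank(v.get("Severity")) >= threshold and v.get("FixedVersion")
    ]


def gate(report, min_severity="HIGH"):
    """True when no finding reaches min_severity, i.e. the build may proceed."""
    threshold = _rank(min_severity)
    return all(_rank(v.get("Severity")) < threshold for _, v in _findings(report))


def format_summary(target, counts):
    """Render one target in the 'Total: N (UNKNOWN: ..)' style of trivy's table output."""
    parts = ", ".join(f"{s}: {counts[s]}" for s in SEVERITIES)
    return f"{target}\nTotal: {sum(counts.values())} ({parts})"


def main(path=None, min_severity="HIGH"):
    """Print the summary and fixable findings; exit status 1 fails the pipeline."""
    if path:
        with open(path) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    for target, counts in summarize(report).items():
        print(format_summary(target, counts))
    for target, cve, pkg, have, fixed in fixable_findings(report, min_severity):
        print(f"  {cve} in {pkg} ({target}): {have} -> fixed in {fixed}")
    return 0 if gate(report, min_severity) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it with the path to a `trivy image -f json -o report.json ...` output, or with no argument to see the constructed sample; the non-zero exit on a HIGH or CRITICAL finding is what makes it usable as a pipeline step, and the fixable list separates findings a rebuild would close from those with no upstream fix yet.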
There has been no activity in this repository for quite a while. I feel like the people at 1Password are simply focusing on other things. I'm not sure how many people have this deployed, but IMO it's a security risk running this as it is today.
I stopped bothering with the connector due to the inactivity and use vault instead.
Yeah, I got that impression as well. It's a bummer they ignore this and are flaky supporting their OSS projects overall. Hopefully something changes and they have time to focus on their public-facing projects someday.
Hey folks! 👋🏻
Thank you for your patience and for expressing your concerns.
I'm happy to announce that we've just released Connect 1.7.3, which updates the dependencies and the images used to build Connect.
Let me know if you have any other questions.