@ddelnano
Member

@ddelnano ddelnano commented Jul 24, 2025

Summary: Add Pixie hydra and kratos images to fix security vulns (upgrade Go and vuln deps)

Ory's OSS projects are released every ~6 months. This means non-Enterprise customers are stuck running images built with old Go versions and out-of-date dependencies.

I've split out adding these images with the change to use them since the upgrade itself requires quite a few changes.

Relevant Issues: N/A

Type of change: /kind dependencies

Test Plan: Skaffold'ed a cloud running these versions and verified auth functionality works e2e

  • Verified images have the critical and high vulnerabilities addressed
trivy scan
$ trivy image --scanners vuln ghcr.io/pixie-io/hydra:2.3.0-scratch@sha256:cc4503bc8d0f97624e3d6fa004ebda13ef26407b5cc1284191f2958fa93d312c
2025-07-24T18:40:46.806Z        INFO    Vulnerability scanning is enabled
2025-07-24T18:40:48.552Z        INFO    Detected OS: debian
2025-07-24T18:40:48.552Z        INFO    Detecting Debian vulnerabilities...
2025-07-24T18:40:48.552Z        INFO    Number of language-specific files: 1
2025-07-24T18:40:48.552Z        INFO    Detecting gobinary vulnerabilities...

ghcr.io/pixie-io/hydra:2.3.0-scratch@sha256:cc4503bc8d0f97624e3d6fa004ebda13ef26407b5cc1284191f2958fa93d312c (debian 12.11)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/bin/hydra (gobinary)

Total: 4 (UNKNOWN: 0, LOW: 1, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌───────────────────────────────┬─────────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│            Library            │    Vulnerability    │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/cloudflare/circl   │ GHSA-2x5j-vhc8-9cwm │ LOW      │ v1.3.7            │ 1.6.1         │ CIRCL-Fourq: Missing and wrong validation can lead to      │
│                               │                     │          │                   │               │ incorrect results                                          │
│                               │                     │          │                   │               │ https://github.com/advisories/GHSA-2x5j-vhc8-9cwm          │
├───────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/go-jose/go-jose/v3 │ CVE-2025-27144      │ MEDIUM   │ v3.0.3            │ 3.0.4         │ go-jose: Go JOSE's Parsing Vulnerable to Denial of Service │
│                               │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2025-27144                 │
├───────────────────────────────┼─────────────────────┤          ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ golang.org/x/net              │ CVE-2025-22870      │          │ v0.33.0           │ 0.36.0        │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy:   │
│                               │                     │          │                   │               │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net  │
│                               │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2025-22870                 │
│                               ├─────────────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                               │ CVE-2025-22872      │          │                   │ 0.38.0        │ golang.org/x/net/html: Incorrect Neutralization of Input   │
│                               │                     │          │                   │               │ During Web Page Generation in x/net in...                  │
│                               │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2025-22872                 │
└───────────────────────────────┴─────────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

$ trivy image --scanners vuln ghcr.io/pixie-io/kratos:1.3.1-scratch@sha256:af0776882c10c3e9137006511c3d4a7aaab2598e75bd86f5692a4a9759da5054
2025-07-24T18:38:18.138Z        INFO    Vulnerability scanning is enabled
2025-07-24T18:38:20.123Z        INFO    Detected OS: debian
2025-07-24T18:38:20.123Z        INFO    Detecting Debian vulnerabilities...
2025-07-24T18:38:20.123Z        INFO    Number of language-specific files: 1
2025-07-24T18:38:20.123Z        INFO    Detecting gobinary vulnerabilities...

ghcr.io/pixie-io/kratos:1.3.1-scratch@sha256:af0776882c10c3e9137006511c3d4a7aaab2598e75bd86f5692a4a9759da5054 (debian 12.11)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/bin/kratos (gobinary)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 0, CRITICAL: 0)

┌───────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│            Library            │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/go-jose/go-jose/v3 │ CVE-2025-27144 │ MEDIUM   │ v3.0.3            │ 3.0.4         │ go-jose: Go JOSE's Parsing Vulnerable to Denial of Service │
│                               │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2025-27144                 │
├───────────────────────────────┤                │          ├───────────────────┼───────────────┤                                                            │
│ github.com/go-jose/go-jose/v4 │                │          │ v4.0.2            │ 4.0.5         │                                                            │
│                               │                │          │                   │               │                                                            │
├───────────────────────────────┼────────────────┤          ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/golang/glog        │ CVE-2024-45339 │          │ v1.2.1            │ 1.2.4         │ github.com/golang/glog: Vulnerability when creating log    │
│                               │                │          │                   │               │ files in github.com/golang/glog                            │
│                               │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45339                 │
├───────────────────────────────┼────────────────┤          ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ golang.org/x/net              │ CVE-2025-22870 │          │ v0.27.0           │ 0.36.0        │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy:   │
│                               │                │          │                   │               │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net  │
│                               │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2025-22870                 │
│                               ├────────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                               │ CVE-2025-22872 │          │                   │ 0.38.0        │ golang.org/x/net/html: Incorrect Neutralization of Input   │
│                               │                │          │                   │               │ During Web Page Generation in x/net in...                  │
│                               │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2025-22872                 │
└───────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

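The test plan above checks the trivy table output by eye for HIGH/CRITICAL counts. As an added example (not code from this PR or from Pixie), here is a small parser for trivy's table-format summary lines that turns each scanned target's `Total:` line into per-severity counts and gates on the severities the PR cares about. The sample input is constructed to mirror the hydra scan quoted above (digest omitted); the `blocking_findings` gate and its default severities are assumptions.

```python
"""Parse Trivy's table output into per-target severity counts and gate on HIGH/CRITICAL."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the hydra scan in the PR description.
# Only the target header and "Total:" lines are needed; the box-drawn
# vulnerability table and INFO log lines are skipped by the parser.
SAMPLE_SCAN = """\
2025-07-24T18:40:46.806Z        INFO    Vulnerability scanning is enabled
2025-07-24T18:40:48.552Z        INFO    Detected OS: debian

ghcr.io/pixie-io/hydra:2.3.0-scratch (debian 12.11)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/bin/hydra (gobinary)

Total: 4 (UNKNOWN: 0, LOW: 1, MEDIUM: 3, HIGH: 0, CRITICAL: 0)
"""

TOTAL_RE = re.compile(r"^Total: (\d+) \((.*)\)$")
# A target header is "<name> (<os or artifact type>)", e.g. "usr/bin/hydra (gobinary)".
TARGET_RE = re.compile(r"^(?P<target>\S.*) \((?P<kind>[^()]+)\)$")
LOG_RE = re.compile(r"^\d{4}-\d\d-\d\dT")  # trivy's timestamped INFO/WARN lines


def parse_trivy_table(text: str) -> Dict[str, Dict[str, int]]:
    """Return {target: {severity: count}} from trivy's human-readable output."""
    results: Dict[str, Dict[str, int]] = {}
    target = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or LOG_RE.match(line) or line[0] in "┌├└│":
            continue
        total = TOTAL_RE.match(line)
        if total:
            if target is None:
                raise ValueError("Total line without a preceding target: " + line)
            counts = {}
            for part in total.group(2).split(","):
                sev, n = part.strip().split(": ")
                counts[sev] = int(n)
            if int(total.group(1)) != sum(counts.values()):  # sanity-check the summary
                raise ValueError("severity counts do not add up for " + target)
            results[target] = counts
            target = None
            continue
        header = TARGET_RE.match(line)
        if header:
            target = header.group("target")
    return results


def blocking_findings(results: Dict[str, Dict[str, int]],
                      block_on: Tuple[str, ...] = ("HIGH", "CRITICAL")) -> List[Tuple[str, str, int]]:
    """List (target, severity, count) for any severity that should fail the gate."""
    return [(t, s, c[s]) for t, c in results.items() for s in block_on if c.get(s, 0) > 0]
```

Feeding `trivy image --scanners vuln <image>` output through `parse_trivy_table` and failing CI when `blocking_findings` is non-empty gives the same HIGH/CRITICAL check as the test plan, without relying on reading the table by hand.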
@ddelnano ddelnano requested review from a team as code owners July 24, 2025 18:45
@ddelnano ddelnano force-pushed the ddelnano/add-vuln-free-ory-images branch from 050b5ee to c3e5682 Compare July 24, 2025 19:29
…nd vuln deps)

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
@ddelnano ddelnano force-pushed the ddelnano/add-vuln-free-ory-images branch from c3e5682 to 1757708 Compare July 24, 2025 19:30
Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
@ddelnano ddelnano merged commit 1744da1 into pixie-io:main Jul 28, 2025
20 checks passed
@ddelnano ddelnano deleted the ddelnano/add-vuln-free-ory-images branch July 28, 2025 05:52