Merge #454: chore: [#433] upgrade Prometheus to v3.11.2 and document CVE analysis

josecelano · josecelano · commit 43f790ed7509 · 2026-04-15T09:14:37.000+01:00
f8e9730 chore: [#433] align table columns in scans README (Jose Celano) 91fd28a fix: [#433] update v3.5.1 references to v3.11.2 in tests and docs (Jose Celano) 5a2b09a chore: [#433] upgrade Prometheus to v3.11.2 and document CVE analysis (Jose Celano) Pull request description: ## Summary Upgrades Prometheus from `v3.5.1` to `v3.11.2` (latest as of 2026-04-13), eliminating all CRITICAL CVEs. Closes #433 ## Changes - `src/domain/prometheus/config.rs`: bump `PROMETHEUS_DOCKER_IMAGE_TAG` from `v3.5.1` to `v3.11.2` - `docs/security/docker/scans/prometheus.md`: update current status table and add new scan history entry for 2026-04-14 - `docs/issues/433-prometheus-cves.md`: fill in Outcome section with scan results and checked-off steps - `.github/workflows/docker-security-scan.yml`: update example image tag in comment - `project-words.txt`: add `buger`, `cves`, `jsonparser` ## Scan Results ### Version Comparison | Version | HIGH | CRITICAL | | -------- | ---- | -------- | | v3.5.0 | 16 | 4 | | v3.5.1 | 6 | 2 | | v3.11.2 | 4 | **0** ✅ | ### Remaining CVEs in v3.11.2 (all HIGH, no remote attack path) | CVE | Library | Fix | Notes | | -------------- | ---------------- | ------- | -------------------------------- | | CVE-2026-32285 | buger/jsonparser | 1.1.2 | DoS via malformed JSON; internal | | CVE-2026-34040 | moby/docker | 29.3.1 | Auth bypass; Docker-client code | | CVE-2026-39883 | otel/sdk | 1.43.0 | Local PATH hijack; no remote | No OS layer — pure Go binaries, no Alpine/Debian base image. All remaining findings are in upstream Prometheus binary dependencies with no remote attack path. ACKs for top commit: josecelano: ACK f8e9730 Tree-SHA512: b9f69ba5451c7195c41cdadd8c5fa45ccdc28fabf1a81377635a9e62f60ee137b0ad483d895f2f5ca17579f7b8b0c37e25a1e9d35ea69f43edb977b19af3ee0f
diff --git a/.github/workflows/docker-security-scan.yml b/.github/workflows/docker-security-scan.yml
@@ -101,7 +101,7 @@ jobs:
     timeout-minutes: 10
     outputs:
       # JSON array of Docker image references for use in scan matrix
-      # Example: ["torrust/tracker:develop","mysql:8.4","prom/prometheus:v3.5.1","grafana/grafana:13.0.0","caddy:2.10.2"]
+      # Example: ["torrust/tracker:develop","mysql:8.4","prom/prometheus:v3.11.2","grafana/grafana:13.0.0","caddy:2.10.2"]
       images: ${{ steps.extract.outputs.images }}
 
     steps:
diff --git a/docs/issues/433-prometheus-cves.md b/docs/issues/433-prometheus-cves.md
@@ -27,23 +27,51 @@ After PR #436 upgraded Prometheus from `v3.5.0` to `v3.5.1`:
 
 ## Steps
 
-- [ ] Check the latest Prometheus release:
+- [x] Check the latest Prometheus release:
       <https://hub.docker.com/r/prom/prometheus/tags>
-- [ ] Run Trivy against candidate newer tags:
+- [x] Run Trivy against candidate newer tags:
       `trivy image --severity HIGH,CRITICAL prom/prometheus:LATEST_TAG`
-- [ ] Compare results against the v3.5.1 baseline in
+- [x] Compare results against the v3.5.1 baseline in
       `docs/security/docker/scans/prometheus.md`
-- [ ] **If CRITICALs are cleared**: update `src/domain/prometheus/config.rs` and
+- [x] **If CRITICALs are cleared**: update `src/domain/prometheus/config.rs` and
       the CI scan matrix; update the scan doc; post results comment; close #433
 - [ ] **If CRITICALs remain**: post comment documenting which CVEs remain and why
       they cannot be fixed (upstream binary); add revisit note to #433; leave open
 
 ## Outcome
 
-<!-- Fill in after doing the work -->
+- Date: 2026-04-14
+- Latest Prometheus tag tested: `v3.11.2` (released 2026-04-13)
+- Decision: **upgrade to `prom/prometheus:v3.11.2`** — all CRITICALs eliminated
+- Action: updated `src/domain/prometheus/config.rs`; updated scan doc; updated CI matrix comment
+- PR: opened against `main` on branch `433-prometheus-cves`
 
-- Date:
-- Latest Prometheus tag tested:
-- Findings (HIGH / CRITICAL):
-- Decision: upgrade / accept risk / leave open
-- Comment/PR:
+### Scan details — `prom/prometheus:v3.11.2` (Trivy, 2026-04-14)
+
+**Version comparison:**
+
+| Version   | HIGH | CRITICAL |
+| --------- | ---- | -------- |
+| `v3.5.0`  | 16   | 4        |
+| `v3.5.1`  | 6    | 2        |
+| `v3.11.2` | 4    | 0 ✅     |
+
+**Target breakdown (`v3.11.2`):**
+
+| Target           | HIGH | CRITICAL |
+| ---------------- | ---- | -------- |
+| `bin/prometheus` | 3    | 0        |
+| `bin/promtool`   | 1    | 0        |
+
+No OS layer — pure Go binaries, no Alpine/Debian base.
+
+**Remaining CVEs (all HIGH, no remote attack path):**
+
+| CVE            | Library          | Installed | Fixed In | Notes                                     |
+| -------------- | ---------------- | --------- | -------- | ----------------------------------------- |
+| CVE-2026-32285 | buger/jsonparser | v1.1.1    | 1.1.2    | DoS via malformed JSON; internal use only |
+| CVE-2026-34040 | moby/docker      | v28.5.2   | 29.3.1   | Auth bypass; Docker-client code path      |
+| CVE-2026-39883 | otel/sdk         | v1.42.0   | 1.43.0   | Local PATH hijack; no remote path         |
+
+**Overall risk**: All 4 remaining findings are local-only. No remote attack path.
+Upgrade to v3.11.2 is the recommended action and was applied.
diff --git a/docs/security/docker/scans/README.md b/docs/security/docker/scans/README.md
@@ -4,16 +4,16 @@ This directory contains historical security scan results for Docker images used
 
 ## Current Status Summary
 
-| Image                                  | Version | HIGH | CRITICAL | Status                    | Last Scan   | Details                                         |
-| -------------------------------------- | ------- | ---- | -------- | ------------------------- | ----------- | ----------------------------------------------- |
-| `torrust/tracker-deployer`             | trixie  | 44   | 1        | ⚠️ Partial remediation    | Apr 8, 2026 | [View](torrust-tracker-deployer.md)             |
-| `torrust/tracker-backup`               | trixie  | 6    | 0        | ℹ️ Remediation no change  | Apr 8, 2026 | [View](torrust-tracker-backup.md)               |
-| `torrust/tracker-ssh-server`           | 3.23.3  | 0    | 0        | ✅ Remediated (vuln scan) | Apr 8, 2026 | [View](torrust-ssh-server.md)                   |
-| `torrust/tracker-provisioned-instance` | 24.04   | 0    | 0        | ✅ Remediated (vuln scan) | Apr 8, 2026 | [View](torrust-tracker-provisioned-instance.md) |
-| `caddy`                                | 2.10.2  | 14   | 4        | ⚠️ Partial remediation    | Apr 8, 2026 | [View](caddy.md)                                |
-| `prom/prometheus`                      | v3.5.1  | 6    | 4        | ⚠️ Partial remediation    | Apr 8, 2026 | [View](prometheus.md)                           |
-| `grafana/grafana`                      | 12.4.2  | 4    | 0        | ⚠️ Partial remediation    | Apr 8, 2026 | [View](grafana.md)                              |
-| `mysql`                                | 8.4     | 7    | 1        | ⚠️ Monitored              | Apr 8, 2026 | [View](mysql.md)                                |
+| Image                                  | Version | HIGH | CRITICAL | Status                    | Last Scan    | Details                                         |
+| -------------------------------------- | ------- | ---- | -------- | ------------------------- | ------------ | ----------------------------------------------- |
+| `torrust/tracker-deployer`             | trixie  | 44   | 1        | ⚠️ Partial remediation    | Apr 8, 2026  | [View](torrust-tracker-deployer.md)             |
+| `torrust/tracker-backup`               | trixie  | 6    | 0        | ℹ️ Remediation no change  | Apr 8, 2026  | [View](torrust-tracker-backup.md)               |
+| `torrust/tracker-ssh-server`           | 3.23.3  | 0    | 0        | ✅ Remediated (vuln scan) | Apr 8, 2026  | [View](torrust-ssh-server.md)                   |
+| `torrust/tracker-provisioned-instance` | 24.04   | 0    | 0        | ✅ Remediated (vuln scan) | Apr 8, 2026  | [View](torrust-tracker-provisioned-instance.md) |
+| `caddy`                                | 2.10.2  | 14   | 4        | ⚠️ Partial remediation    | Apr 8, 2026  | [View](caddy.md)                                |
+| `prom/prometheus`                      | v3.11.2 | 4    | 0        | ✅ Remediated             | Apr 14, 2026 | [View](prometheus.md)                           |
+| `grafana/grafana`                      | 12.4.2  | 4    | 0        | ⚠️ Partial remediation    | Apr 8, 2026  | [View](grafana.md)                              |
+| `mysql`                                | 8.4     | 7    | 1        | ⚠️ Monitored              | Apr 8, 2026  | [View](mysql.md)                                |
 
 **Overall Status**: ⚠️ **CVE database update detected** - Most images still show increased vulnerability counts from previous scans (Feb-Dec 2025). Deployer has a first remediation pass applied (49 HIGH -> 44 HIGH, with 1 CRITICAL still open).
 
diff --git a/docs/security/docker/scans/prometheus.md b/docs/security/docker/scans/prometheus.md
@@ -4,12 +4,56 @@ Security scan history for the `prom/prometheus` Docker image.
 
 ## Current Status
 
-| Version | HIGH | CRITICAL | Status                               | Last Scan   | Support EOL  |
-| ------- | ---- | -------- | ------------------------------------ | ----------- | ------------ |
-| v3.5.1  | 6    | 4        | ⚠️ Partial improvement after upgrade | Apr 8, 2026 | Jul 31, 2026 |
+| Version | HIGH | CRITICAL | Status                        | Last Scan    | Support EOL |
+| ------- | ---- | -------- | ----------------------------- | ------------ | ----------- |
+| v3.11.2 | 4    | 0        | ✅ No CRITICALs after upgrade | Apr 14, 2026 | TBD         |
 
 ## Scan History
 
+### April 14, 2026 - Remediation Pass 2 (Issue #433)
+
+**Image**: `prom/prometheus:v3.11.2`
+**Trivy Version**: 0.68.2
+**Scan Mode**: `--scanners vuln --severity HIGH,CRITICAL`
+**Status**: ✅ **4 vulnerabilities** (4 HIGH, 0 CRITICAL)
+
+#### Summary
+
+Upgraded Prometheus from `v3.5.1` to `v3.11.2` (latest as of 2026-04-13). All
+CRITICAL vulnerabilities eliminated. Four HIGH findings remain in upstream
+binary dependencies; all are local-only (no remote attack path).
+
+Vulnerability comparison:
+
+| Version | HIGH | CRITICAL |
+| ------- | ---- | -------- |
+| v3.5.0  | 16   | 4        |
+| v3.5.1  | 6    | 2        |
+| v3.11.2 | 4    | 0        |
+
+#### Target Breakdown (`v3.11.2`)
+
+| Target           | HIGH | CRITICAL |
+| ---------------- | ---- | -------- |
+| `bin/prometheus` | 3    | 0        |
+| `bin/promtool`   | 1    | 0        |
+
+No OS layer — pure Go binaries, no Alpine/Debian base image.
+
+#### Remaining CVEs
+
+| CVE            | Library          | Installed | Fixed In | Severity | Notes                                     |
+| -------------- | ---------------- | --------- | -------- | -------- | ----------------------------------------- |
+| CVE-2026-32285 | buger/jsonparser | v1.1.1    | 1.1.2    | HIGH     | DoS via malformed JSON; internal use only |
+| CVE-2026-34040 | moby/docker      | v28.5.2   | 29.3.1   | HIGH     | Auth bypass; Docker-client code path      |
+| CVE-2026-39883 | otel/sdk         | v1.42.0   | 1.43.0   | HIGH     | Local PATH hijack; no remote path         |
+
+All remaining findings are in upstream Prometheus binary dependencies. No
+remote attack path exists for any of the three CVE types, and fixes are
+pending upstream Prometheus releases.
+
+---
+
 ### April 8, 2026 - Remediation Pass 1 (Issue #428)
 
 **Image**: `prom/prometheus:v3.5.1`
diff --git a/project-words.txt b/project-words.txt
@@ -164,6 +164,7 @@ bootcmd
 browsable
 btih
 btrfs
+buger
 buildx
 cdmon
 celano
@@ -199,6 +200,7 @@ crontabs
 cursorignore
 custompass
 customuser
+cves
 cyberneering
 dcron
 dearmor
@@ -280,6 +282,7 @@ josecelano
 journalctl
 jsonlint
 jsonls
+jsonparser
 keepalive
 keygen
 keypair
diff --git a/src/application/command_handlers/show/info/docker_images.rs b/src/application/command_handlers/show/info/docker_images.rs
@@ -12,7 +12,7 @@ pub struct DockerImagesInfo {
     /// `MySQL` Docker image reference (e.g. `mysql:8.4`), present when `MySQL` is configured
     pub mysql: Option<String>,
 
-    /// Prometheus Docker image reference (e.g. `prom/prometheus:v3.5.1`), present when configured
+    /// Prometheus Docker image reference (e.g. `prom/prometheus:v3.11.2`), present when configured
     pub prometheus: Option<String>,
 
     /// Grafana Docker image reference (e.g. `grafana/grafana:12.4.2`), present when configured
diff --git a/src/domain/prometheus/config.rs b/src/domain/prometheus/config.rs
@@ -21,7 +21,7 @@ const DEFAULT_SCRAPE_INTERVAL_SECS: u32 = 15;
 pub const PROMETHEUS_DOCKER_IMAGE_REPOSITORY: &str = "prom/prometheus";
 
 /// Docker image tag for the Prometheus container
-pub const PROMETHEUS_DOCKER_IMAGE_TAG: &str = "v3.5.1";
+pub const PROMETHEUS_DOCKER_IMAGE_TAG: &str = "v3.11.2";
 
 /// Prometheus metrics collection configuration
 ///
@@ -95,7 +95,7 @@ impl PrometheusConfig {
     /// use torrust_tracker_deployer_lib::domain::prometheus::PrometheusConfig;
     ///
     /// let image = PrometheusConfig::docker_image();
-    /// assert_eq!(image.full_reference(), "prom/prometheus:v3.5.1");
+    /// assert_eq!(image.full_reference(), "prom/prometheus:v3.11.2");
     /// ```
     #[must_use]
     pub fn docker_image() -> DockerImage {
diff --git a/src/infrastructure/templating/docker_compose/template/renderer/docker_compose.rs b/src/infrastructure/templating/docker_compose/template/renderer/docker_compose.rs
@@ -407,8 +407,8 @@ mod tests {
             "Rendered output should contain prometheus service"
         );
         assert!(
-            rendered_content.contains("image: prom/prometheus:v3.5.1"),
-            "Should use Prometheus v3.5.0 image"
+            rendered_content.contains("image: prom/prometheus:v3.11.2"),
+            "Should use Prometheus v3.11.2 image"
         );
         assert!(
             rendered_content.contains("container_name: prometheus"),
@@ -466,7 +466,7 @@ mod tests {
 
         // Verify Prometheus service is NOT present
         assert!(
-            !rendered_content.contains("image: prom/prometheus:v3.5.1"),
+            !rendered_content.contains("image: prom/prometheus:v3.11.2"),
             "Should not contain Prometheus service when config absent"
         );
         assert!(
diff --git a/src/infrastructure/templating/docker_compose/template/wrappers/docker_compose/context/prometheus.rs b/src/infrastructure/templating/docker_compose/template/wrappers/docker_compose/context/prometheus.rs
@@ -18,7 +18,7 @@ use super::service_topology::ServiceTopology;
 /// Uses `ServiceTopology` to share the common topology structure with other services.
 #[derive(Serialize, Debug, Clone)]
 pub struct PrometheusServiceContext {
-    /// Docker image reference (e.g. `prom/prometheus:v3.5.1`)
+    /// Docker image reference (e.g. `prom/prometheus:v3.11.2`)
     pub image: String,
 
     /// Service topology (ports and networks)
