chore: [#433] upgrade Prometheus to v3.11.2 and document CVE analysis

josecelano · josecelano · commit 5a2b09a114d1 · 2026-04-15T07:27:27.000+01:00
diff --git a/.github/workflows/docker-security-scan.yml b/.github/workflows/docker-security-scan.yml
@@ -101,7 +101,7 @@ jobs:
     timeout-minutes: 10
     outputs:
       # JSON array of Docker image references for use in scan matrix
-      # Example: ["torrust/tracker:develop","mysql:8.4","prom/prometheus:v3.5.1","grafana/grafana:13.0.0","caddy:2.10.2"]
+      # Example: ["torrust/tracker:develop","mysql:8.4","prom/prometheus:v3.11.2","grafana/grafana:13.0.0","caddy:2.10.2"]
       images: ${{ steps.extract.outputs.images }}
 
     steps:
diff --git a/docs/issues/433-prometheus-cves.md b/docs/issues/433-prometheus-cves.md
@@ -27,23 +27,51 @@ After PR #436 upgraded Prometheus from `v3.5.0` to `v3.5.1`:
 
 ## Steps
 
-- [ ] Check the latest Prometheus release:
+- [x] Check the latest Prometheus release:
       <https://hub.docker.com/r/prom/prometheus/tags>
-- [ ] Run Trivy against candidate newer tags:
+- [x] Run Trivy against candidate newer tags:
       `trivy image --severity HIGH,CRITICAL prom/prometheus:LATEST_TAG`
-- [ ] Compare results against the v3.5.1 baseline in
+- [x] Compare results against the v3.5.1 baseline in
       `docs/security/docker/scans/prometheus.md`
-- [ ] **If CRITICALs are cleared**: update `src/domain/prometheus/config.rs` and
+- [x] **If CRITICALs are cleared**: update `src/domain/prometheus/config.rs` and
       the CI scan matrix; update the scan doc; post results comment; close #433
 - [ ] **If CRITICALs remain**: post comment documenting which CVEs remain and why
       they cannot be fixed (upstream binary); add revisit note to #433; leave open
 
 ## Outcome
 
-<!-- Fill in after doing the work -->
+- Date: 2026-04-14
+- Latest Prometheus tag tested: `v3.11.2` (released 2026-04-13)
+- Decision: **upgrade to `prom/prometheus:v3.11.2`** — all CRITICALs eliminated
+- Action: updated `src/domain/prometheus/config.rs`; updated scan doc; updated CI matrix comment
+- PR: opened against `main` on branch `433-prometheus-cves`
 
-- Date:
-- Latest Prometheus tag tested:
-- Findings (HIGH / CRITICAL):
-- Decision: upgrade / accept risk / leave open
-- Comment/PR:
+### Scan details — `prom/prometheus:v3.11.2` (Trivy, 2026-04-14)
+
+**Version comparison:**
+
+| Version   | HIGH | CRITICAL |
+| --------- | ---- | -------- |
+| `v3.5.0`  | 16   | 4        |
+| `v3.5.1`  | 6    | 2        |
+| `v3.11.2` | 4    | 0 ✅     |
+
+**Target breakdown (`v3.11.2`):**
+
+| Target           | HIGH | CRITICAL |
+| ---------------- | ---- | -------- |
+| `bin/prometheus` | 3    | 0        |
+| `bin/promtool`   | 1    | 0        |
+
+No OS layer — pure Go binaries, no Alpine/Debian base.
+
+**Remaining CVEs (all HIGH, no remote attack path):**
+
+| CVE            | Library          | Installed | Fixed In | Notes                                     |
+| -------------- | ---------------- | --------- | -------- | ----------------------------------------- |
+| CVE-2026-32285 | buger/jsonparser | v1.1.1    | 1.1.2    | DoS via malformed JSON; internal use only |
+| CVE-2026-34040 | moby/docker      | v28.5.2   | 29.3.1   | Auth bypass; Docker-client code path      |
+| CVE-2026-39883 | otel/sdk         | v1.42.0   | 1.43.0   | Local PATH hijack; no remote path         |
+
+**Overall risk**: All 4 remaining findings are local-only. No remote attack path.
+Upgrade to v3.11.2 is the recommended action and was applied.
diff --git a/docs/security/docker/scans/prometheus.md b/docs/security/docker/scans/prometheus.md
@@ -4,12 +4,56 @@ Security scan history for the `prom/prometheus` Docker image.
 
 ## Current Status
 
-| Version | HIGH | CRITICAL | Status                               | Last Scan   | Support EOL  |
-| ------- | ---- | -------- | ------------------------------------ | ----------- | ------------ |
-| v3.5.1  | 6    | 4        | ⚠️ Partial improvement after upgrade | Apr 8, 2026 | Jul 31, 2026 |
+| Version | HIGH | CRITICAL | Status                        | Last Scan    | Support EOL |
+| ------- | ---- | -------- | ----------------------------- | ------------ | ----------- |
+| v3.11.2 | 4    | 0        | ✅ No CRITICALs after upgrade | Apr 14, 2026 | TBD         |
 
 ## Scan History
 
+### April 14, 2026 - Remediation Pass 2 (Issue #433)
+
+**Image**: `prom/prometheus:v3.11.2`
+**Trivy Version**: 0.68.2
+**Scan Mode**: `--scanners vuln --severity HIGH,CRITICAL`
+**Status**: ✅ **4 vulnerabilities** (4 HIGH, 0 CRITICAL)
+
+#### Summary
+
+Upgraded Prometheus from `v3.5.1` to `v3.11.2` (latest as of 2026-04-13). All
+CRITICAL vulnerabilities eliminated. Four HIGH findings remain in upstream
+binary dependencies; all are local-only (no remote attack path).
+
+Vulnerability comparison:
+
+| Version | HIGH | CRITICAL |
+| ------- | ---- | -------- |
+| v3.5.0  | 16   | 4        |
+| v3.5.1  | 6    | 2        |
+| v3.11.2 | 4    | 0        |
+
+#### Target Breakdown (`v3.11.2`)
+
+| Target           | HIGH | CRITICAL |
+| ---------------- | ---- | -------- |
+| `bin/prometheus` | 3    | 0        |
+| `bin/promtool`   | 1    | 0        |
+
+No OS layer — pure Go binaries, no Alpine/Debian base image.
+
+#### Remaining CVEs
+
+| CVE            | Library          | Installed | Fixed In | Severity | Notes                                     |
+| -------------- | ---------------- | --------- | -------- | -------- | ----------------------------------------- |
+| CVE-2026-32285 | buger/jsonparser | v1.1.1    | 1.1.2    | HIGH     | DoS via malformed JSON; internal use only |
+| CVE-2026-34040 | moby/docker      | v28.5.2   | 29.3.1   | HIGH     | Auth bypass; Docker-client code path      |
+| CVE-2026-39883 | otel/sdk         | v1.42.0   | 1.43.0   | HIGH     | Local PATH hijack; no remote path         |
+
+All remaining findings are in upstream Prometheus binary dependencies. No
+remote attack path exists for any of the three CVE types, and fixes are
+pending upstream Prometheus releases.
+
+---
+
 ### April 8, 2026 - Remediation Pass 1 (Issue #428)
 
 **Image**: `prom/prometheus:v3.5.1`
diff --git a/project-words.txt b/project-words.txt
@@ -164,6 +164,7 @@ bootcmd
 browsable
 btih
 btrfs
+buger
 buildx
 cdmon
 celano
@@ -199,6 +200,7 @@ crontabs
 cursorignore
 custompass
 customuser
+cves
 cyberneering
 dcron
 dearmor
@@ -280,6 +282,7 @@ josecelano
 journalctl
 jsonlint
 jsonls
+jsonparser
 keepalive
 keygen
 keypair
diff --git a/src/domain/prometheus/config.rs b/src/domain/prometheus/config.rs
@@ -21,7 +21,7 @@ const DEFAULT_SCRAPE_INTERVAL_SECS: u32 = 15;
 pub const PROMETHEUS_DOCKER_IMAGE_REPOSITORY: &str = "prom/prometheus";
 
 /// Docker image tag for the Prometheus container
-pub const PROMETHEUS_DOCKER_IMAGE_TAG: &str = "v3.5.1";
+pub const PROMETHEUS_DOCKER_IMAGE_TAG: &str = "v3.11.2";
 
 /// Prometheus metrics collection configuration
 ///
@@ -95,7 +95,7 @@ impl PrometheusConfig {
     /// use torrust_tracker_deployer_lib::domain::prometheus::PrometheusConfig;
     ///
     /// let image = PrometheusConfig::docker_image();
-    /// assert_eq!(image.full_reference(), "prom/prometheus:v3.5.1");
+    /// assert_eq!(image.full_reference(), "prom/prometheus:v3.11.2");
     /// ```
     #[must_use]
     pub fn docker_image() -> DockerImage {
