docs: add security issue review specs for #429, #431-#435, #443, #444

Author: josecelano

docs/issues/429-deployer-cves.md

@@ -0,0 +1,69 @@
+# Issue #429: Deployer Image CVEs after Remediation Pass 1
+
+**GitHub**: <https://github.com/torrust/torrust-tracker-deployer/issues/429>
+**Image**: `torrust/tracker-deployer:local`
+**Dockerfile**: `docker/deployer/Dockerfile`
+
+---
+
+## Context
+
+After PR #436 removed `gnupg` from the runtime layer:
+
+| Pass               | HIGH | CRITICAL |
+| ------------------ | ---- | -------- |
+| Before remediation | 49   | 1        |
+| After pass 1       | 44   | 1        |
+
+Remaining findings split into two areas:
+
+1. **Debian 13.4 (trixie) base packages** — HIGH, blocked on upstream patches
+2. **OpenTofu binary** — 2 HIGH + 1 CRITICAL, blocked on OpenTofu release
+
+## Decision
+
+**Re-scan and check OpenTofu release, then decide**:
+
+- If a newer OpenTofu release clears the CRITICAL: update the pinned version,
+  rebuild, re-scan, update scan doc, close #429
+- If Debian packages are now patched: `docker build --no-cache` will pick them up;
+  re-scan, update scan doc, re-evaluate #429
+- If nothing has changed: post comment documenting current state and accepted risk;
+  leave open with revisit note
+
+## Steps
+
+- [ ] Check current OpenTofu version pinned in the Dockerfile:
+      `grep -i opentofu docker/deployer/Dockerfile`
+- [ ] Check latest OpenTofu release:
+      <https://github.com/opentofu/opentofu/releases>
+- [ ] Rebuild and re-scan:
+
+  ```bash
+  docker build --no-cache -t torrust/tracker-deployer:local docker/deployer/
+  trivy image --severity HIGH,CRITICAL torrust/tracker-deployer:local
+  ```
+
+- [ ] Compare against the pass-1 baseline in
+      `docs/security/docker/scans/torrust-tracker-deployer.md`
+- [ ] For Debian base package CVEs, check fix availability:
+      <https://security-tracker.debian.org/tracker/>
+- [ ] Update `docs/security/docker/scans/torrust-tracker-deployer.md` with new
+      scan results
+- [ ] **If CRITICAL is cleared**: update Dockerfile OpenTofu version; post results
+      comment; close #429
+- [ ] **If only Debian packages improved**: post results comment; re-evaluate open
+      status
+- [ ] **If no change**: post comment with accepted risk rationale for remaining
+      CVEs; label `accepted-risk`; leave open with revisit note
+
+## Outcome
+
+<!-- Fill in after doing the work -->
+
+- Date:
+- Current OpenTofu version in Dockerfile:
+- Latest OpenTofu release:
+- Findings after rebuild (HIGH / CRITICAL):
+- Decision: fixed / partial / accepted risk
+- Comment/PR:

docs/issues/431-backup-cves.md

@@ -0,0 +1,53 @@
+# Issue #431: Backup Image CVEs after Remediation Pass 1
+
+**GitHub**: <https://github.com/torrust/torrust-tracker-deployer/issues/431>
+**Image**: `torrust/tracker-backup:local`
+**Dockerfile**: `docker/backup/Dockerfile`
+
+---
+
+## Context
+
+After PR #436 added `apt-get upgrade -y` to the base layer, findings did not change
+(upstream Debian packages were not patched at the time):
+
+| Pass               | HIGH | CRITICAL |
+| ------------------ | ---- | -------- |
+| Before remediation | 6    | 0        |
+| After pass 1       | 6    | 0        |
+
+All 6 HIGH are Debian 13.4 (trixie) base package CVEs.
+
+## Decision
+
+**Rebuild and re-scan to check if Debian packages are now patched, then decide**:
+
+- If package fixes are now available: `docker build --no-cache` will pick them up
+  automatically via `apt-get upgrade -y`; verify and close #431
+- If still unpatched: post comment with current scan confirming same count, document
+  accepted risk, close #431
+
+## Steps
+
+- [ ] Rebuild the image from scratch:
+      `docker build --no-cache -t torrust/tracker-backup:local docker/backup/`
+- [ ] Re-scan: `trivy image --severity HIGH,CRITICAL torrust/tracker-backup:local`
+- [ ] Compare against the pass-1 baseline in
+      `docs/security/docker/scans/torrust-tracker-backup.md`
+- [ ] For each remaining CVE, check fix availability:
+      <https://security-tracker.debian.org/tracker/>
+- [ ] Update `docs/security/docker/scans/torrust-tracker-backup.md` with the new
+      scan results
+- [ ] **If HIGH count dropped**: post comment with before/after results; close #431
+- [ ] **If no change**: post comment documenting that Debian upstream has not yet
+      patched these CVEs with a revisit note; close #431
+
+## Outcome
+
+<!-- Fill in after doing the work -->
+
+- Date:
+- Findings after rebuild (HIGH / CRITICAL):
+- Debian packages patched: yes / no
+- Decision: resolved / accepted risk
+- Comment/PR:

docs/issues/432-caddy-cves.md

@@ -0,0 +1,50 @@
+# Issue #432: Caddy CVEs after upgrade to 2.10.2
+
+**GitHub**: <https://github.com/torrust/torrust-tracker-deployer/issues/432>
+**Image**: `caddy:2.10.2`
+**Template**: `templates/docker-compose/docker-compose.yml.tera`
+
+---
+
+## Context
+
+After PR #436 upgraded Caddy from `2.10` to `2.10.2`:
+
+| Version  | HIGH | CRITICAL |
+| -------- | ---- | -------- |
+| `2.10`   | 18   | 6        |
+| `2.10.2` | 14   | 4        |
+
+4 CRITICAL remain in upstream Caddy binary dependencies.
+
+## Decision
+
+**Re-scan with latest Caddy tag, then decide**:
+
+- If a newer tag clears CRITICALs: upgrade, update scan doc, close #432
+- If not: post comment with scan results, document accepted risk, leave open with
+  revisit note
+
+## Steps
+
+- [ ] Check the latest Caddy release:
+      <https://hub.docker.com/_/caddy> and <https://github.com/caddyserver/caddy/releases>
+- [ ] Run Trivy against the latest tag:
+      `trivy image --severity HIGH,CRITICAL caddy:LATEST_TAG`
+- [ ] Compare results against the 2.10.2 baseline in
+      `docs/security/docker/scans/caddy.md`
+- [ ] **If CRITICALs are cleared (or HIGH count drops meaningfully)**: update
+      `templates/docker-compose/docker-compose.yml.tera` and the CI scan matrix;
+      update the scan doc; post results comment; close #432
+- [ ] **If CRITICALs remain**: post comment documenting which CVEs remain and why
+      they cannot be fixed (upstream binary); add revisit note to #432; leave open
+
+## Outcome
+
+<!-- Fill in after doing the work -->
+
+- Date:
+- Latest Caddy tag tested:
+- Findings (HIGH / CRITICAL):
+- Decision: upgrade / accept risk / leave open
+- Comment/PR:

docs/issues/433-prometheus-cves.md

@@ -0,0 +1,49 @@
+# Issue #433: Prometheus CVEs after upgrade to v3.5.1
+
+**GitHub**: <https://github.com/torrust/torrust-tracker-deployer/issues/433>
+**Image**: `prom/prometheus:v3.5.1`
+**Default set in**: `src/domain/prometheus/config.rs`
+
+---
+
+## Context
+
+After PR #436 upgraded Prometheus from `v3.5.0` to `v3.5.1`:
+
+| Version  | HIGH | CRITICAL |
+| -------- | ---- | -------- |
+| `v3.5.0` | 16   | 4        |
+| `v3.5.1` | 6    | 4        |
+
+4 CRITICAL remain in upstream binary dependencies.
+
+## Decision
+
+**Re-scan with latest Prometheus tag, then decide**:
+
+- If a newer tag clears CRITICALs: upgrade, update scan doc, close #433
+- If not: post comment with scan results, document accepted risk, leave open with
+  revisit note
+
+## Steps
+
+- [ ] Check the latest Prometheus release:
+      <https://hub.docker.com/r/prom/prometheus/tags>
+- [ ] Run Trivy against candidate newer tags:
+      `trivy image --severity HIGH,CRITICAL prom/prometheus:LATEST_TAG`
+- [ ] Compare results against the v3.5.1 baseline in
+      `docs/security/docker/scans/prometheus.md`
+- [ ] **If CRITICALs are cleared**: update `src/domain/prometheus/config.rs` and
+      the CI scan matrix; update the scan doc; post results comment; close #433
+- [ ] **If CRITICALs remain**: post comment documenting which CVEs remain and why
+      they cannot be fixed (upstream binary); add revisit note to #433; leave open
+
+## Outcome
+
+<!-- Fill in after doing the work -->
+
+- Date:
+- Latest Prometheus tag tested:
+- Findings (HIGH / CRITICAL):
+- Decision: upgrade / accept risk / leave open
+- Comment/PR:

docs/issues/434-grafana-cves.md

@@ -0,0 +1,49 @@
+# Issue #434: Grafana CVEs after upgrade to 12.4.2
+
+**GitHub**: <https://github.com/torrust/torrust-tracker-deployer/issues/434>
+**Image**: `grafana/grafana:12.4.2`
+**Default set in**: `src/domain/grafana/config.rs`
+
+---
+
+## Context
+
+After PR #436 upgraded Grafana from `12.3.1` to `12.4.2`:
+
+| Version  | HIGH | CRITICAL |
+| -------- | ---- | -------- |
+| `12.3.1` | 18   | 6        |
+| `12.4.2` | 4    | 0        |
+
+CRITICALs are fully cleared. 4 HIGH remain in upstream binary dependencies.
+
+## Decision
+
+**Re-scan with latest Grafana tag, then decide**:
+
+- If a newer tag clears remaining HIGH: upgrade, update scan doc, close #434
+- If not: post comment with scan results confirming no CRITICALs, document accepted
+  risk, close #434
+
+## Steps
+
+- [ ] Check the latest Grafana release:
+      <https://hub.docker.com/r/grafana/grafana/tags>
+- [ ] Run Trivy against the latest tag:
+      `trivy image --severity HIGH,CRITICAL grafana/grafana:LATEST_TAG`
+- [ ] Compare results against the 12.4.2 baseline in
+      `docs/security/docker/scans/grafana.md`
+- [ ] **If a newer tag reduces HIGH count**: update `src/domain/grafana/config.rs`
+      and the CI scan matrix; update the scan doc; post results comment; close #434
+- [ ] **If no improvement**: post comment with current scan output confirming
+      no CRITICALs and document accepted risk for remaining HIGH; close #434
+
+## Outcome
+
+<!-- Fill in after doing the work -->
+
+- Date:
+- Latest Grafana tag tested:
+- Findings (HIGH / CRITICAL):
+- Decision: upgrade / accept risk
+- Comment/PR:

docs/issues/435-mysql-cves.md

@@ -0,0 +1,48 @@
+# Issue #435: MySQL CVEs in mysql:8.4
+
+**GitHub**: <https://github.com/torrust/torrust-tracker-deployer/issues/435>
+**Image**: `mysql:8.4` (floating tag, resolved to `8.4.8` at time of last scan)
+
+---
+
+## Context
+
+Current findings for `mysql:8.4`: **7 HIGH, 1 CRITICAL**.
+
+Findings are in helper components (`gosu` and Python packages), not MySQL server
+core. Investigation during PR #436 found that pinning to specific minor tags
+(8.4.1–9.1) results in 98–100 HIGH — the floating `mysql:8.4` tag is already
+the best available option.
+
+## Decision
+
+**Re-scan to check if the floating tag now resolves to a newer patch, then decide**:
+
+- If the floating tag now resolves to a patch where `gosu`/Python CVEs are fixed:
+  document the improvement. No code change needed (it's a floating tag).
+- If still no practical fix: post comment confirming accepted risk and close #435
+
+## Steps
+
+- [ ] Pull and scan the current floating tag:
+      `docker pull mysql:8.4 && trivy image --severity HIGH,CRITICAL mysql:8.4`
+- [ ] Check which patch the floating tag currently resolves to:
+      `docker inspect mysql:8.4 | grep -i version`
+- [ ] Compare results against the 8.4.8 baseline in
+      `docs/security/docker/scans/mysql.md`
+- [ ] Check if `mysql:9.x` is now a viable option for the deployer (compatibility,
+      LTS status):
+      <https://hub.docker.com/_/mysql>
+- [ ] **If CVE count has dropped**: update the scan doc; post comment; close #435
+- [ ] **If still 7 HIGH / 1 CRITICAL with no viable upgrade path**: post comment
+      documenting accepted risk (helper components, not MySQL core); close #435
+
+## Outcome
+
+<!-- Fill in after doing the work -->
+
+- Date:
+- Floating tag resolves to:
+- Findings (HIGH / CRITICAL):
+- Decision: accepted risk / upgrade to mysql:9.x
+- Comment/PR:

docs/issues/443-rand-0.8.5-rustsec.md

@@ -0,0 +1,75 @@
+# Issue #443: RUSTSEC-2026-0097 — `rand 0.8.5` unsound (transitive)
+
+**GitHub**: <https://github.com/torrust/torrust-tracker-deployer/issues/443>
+**Advisory**: <https://rustsec.org/advisories/RUSTSEC-2026-0097.html>
+**Affected**: `rand >= 0.7, < 0.9.3` and `0.10.0`
+**Reported version**: `0.8.5`
+
+---
+
+## Context
+
+`rand 0.8.5` is a transitive dependency via `tera v1.20.1`. It cannot be
+directly upgraded — only a new `tera` release that bumps its own rand dependency
+will clear it.
+
+Current dependency paths (`cargo tree -i rand@0.8.5`):
+
+```text
+rand v0.8.5
+└── tera v1.20.1
+    └── torrust-tracker-deployer v0.1.0
+
+rand v0.8.5
+└── phf_generator v0.11.3
+    └── phf_codegen v0.11.3
+        └── chrono-tz-build v0.3.0
+            [build-dependencies]
+            └── chrono-tz v0.9.0
+                └── tera v1.20.1 (*)
+```
+
+## Risk Assessment
+
+The unsoundness requires **all** of the following conditions simultaneously:
+
+1. The `log` and `thread_rng` features of `rand 0.8.5` are both enabled
+2. A custom logger is registered
+3. The custom logger calls `rand::rng()` inside its logging code
+4. `ThreadRng` attempts to reseed (every 64 kB of random output)
+5. Trace-level or warn-level (with getrandom failure) logging is active
+
+This application does **not** implement a custom logger that calls back into rand.
+Only `tera` uses `rand 0.8.5` for template rendering — it does not trigger the
+logging path.
+
+**Conclusion**: Low practical risk — the conditions for unsoundness are not met.
+
+## Decision
+
+**Post a comment with the risk assessment, then leave open** until `tera` releases
+a version using `rand >= 0.9.3`.
+
+## Steps
+
+- [ ] Run `cargo audit` to confirm RUSTSEC-2026-0097 is still reported for rand 0.8.5
+- [ ] Run `cargo tree -i rand@0.8.5` to confirm `tera` is still the only consumer
+- [ ] Check whether `tera` has released a version with `rand >= 0.9.3`:
+      <https://crates.io/crates/tera>
+- [ ] **If `tera` has not updated yet**:
+  - Post a comment on #443 with the risk assessment above and the cargo tree output
+  - Leave the issue open with a note to revisit on the next `tera` minor release
+- [ ] **If `tera` is updated**:
+  - Bump `tera` in `Cargo.toml`, run `cargo update tera`
+  - Run `cargo tree -p rand` to confirm `rand 0.8.5` is gone from `Cargo.lock`
+  - Run `cargo audit` to confirm the advisory is cleared
+  - Post a comment with the results and close #443
+
+## Outcome
+
+<!-- Fill in after doing the work -->
+
+- Date:
+- tera latest version:
+- Result:
+- Comment/PR: