fix security updates for twistlock

[wanix]

Proposing some security fixes and updates:

Dockerfile

• update golang for the one awaited in go.mod (1.21)
• update to latest alpine

VERSION

maybe I misunderstand this one but current version is 0.5.6, was 0.4.0, so proposing next version 0.5.7

Go code

I fixed the following errors by updating dependencies:

 +----------------+----------+------+------------------------------+---------+-----------------+------------+------------+------------+----------------------------------------------------+-------------------+
|      CVE       | SEVERITY | CVSS |           PACKAGE            | VERSION |     STATUS      | PUBLISHED  | DISCOVERED | GRACE DAYS |                    DESCRIPTION                     | TRIGGERED FAILURE |
+----------------+----------+------+------------------------------+---------+-----------------+------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2024-27304 | high     | 0.00 | github.com/jackc/pgproto3/v2 | v2.3.2  | fixed in 2.3.3  | > 7 months | < 1 hour   | -202       | pgx is a PostgreSQL driver and toolkit for Go.     | Yes               |
Error: Scan failed.
|                |          |      |                              |         | > 7 months ago  |            |            |            | SQL injection can occur if an attacker can cause   |                   |
|                |          |      |                              |         |                 |            |            |            | a single query or bind message to exceed 4 GB in   |                   |
|                |          |      |                              |         |                 |            |            |            | size....                                           |                   |
+----------------+----------+------+------------------------------+---------+-----------------+------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2023-45288 | medium   | 0.00 | golang.org/x/net/http2       | v0.20.0 | fixed in 0.23.0 | > 6 months | < 1 hour   | -164       | An attacker may cause an HTTP/2 endpoint to        | Yes               |
|                |          |      |                              |         | > 6 months ago  |            |            |            | read arbitrary amounts of header data by sending   |                   |
|                |          |      |                              |         |                 |            |            |            | an excessive number of CONTINUATION frames.        |                   |
|                |          |      |                              |         |                 |            |            |            | Maintaining H...                                   |                   |
+----------------+----------+------+------------------------------+---------+-----------------+------------+------------+------------+----------------------------------------------------+-------------------+

Tested by using my generated image (on RDS PostgreSQL): docker.io/wanix/sql_exporter:v0.5.7
(no problem detected by Twistlock with this image also)

[wanix]

And why so many files, I did the manual changes on:

• Dockerfile
• main.go (cause the NewCollector is not anymore in common.version)
• go.mod
• VERSION

Then:

go get
go mod tidy
go mod vendor

[dewey]

Thank you for tackling this, will release a new version. I think this version file was overlooked a bit that's why it's out of sync.

[wanix]

thanks