Description
Noticed there hasn't been a release for a while so I suspected something like Trivy would turn up a few vulnerabilities in the latest docker image. Several of them actually have fixes available, just need to update some things to move past them. A lot of the vulnerabilities actually come from the base image. At time of writing, Trivy says there are 4 critical, 13 high, 39 medium, and 61 low tier vulnerabilities in the base image.
I think the base image packs in quite a few utilities that are unnecessary, and it seems that some of them are actually used for testing, where a production image could just contain the binary. I'm not sure if you want to package such a production image yourself, or if you'd rather leave that to everyone to maintain their own. But that's exactly what I did here: https://github.com/Starttoaster/pgweb/pulls?q=is%3Apr+is%3Aclosed
In the two PRs (at time of writing there are two, anyway) I updated all of the Go dependencies, just running go get -u ./... && go mod tidy. The program seems to still work against my Postgres server. Doesn't seem like a tough upgrade. I also changed the docker image to be a bit more hardened. I ran the resulting image through trivy, which turns up 0 vulnerabilities.
Let me know if you'd like any help with updating either the Dockerfile or go modules and I can submit a pull request. A lot of my changes were pretty opinionated to how I currently maintain my Go projects. So please tell me what a good contribution would look like if I wanted to iterate on either of those things. I'd love to help release a version of pgweb with fewer CVEs. I was looking through the catalog of Postgres web UIs recently and this one caught my eye, it's a great tool, thank you for making it.
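As an added illustration of the "production image that just contains the binary" idea discussed above (this is example code written for this page, not pgweb's own Dockerfile and not the author's PR), the multi-stage build below compiles a static Go binary in a full toolchain image and then copies only that binary into a distroless runtime image that ships no shell, package manager or distro utilities, which is what removes most of the base-image CVE surface a scanner like Trivy reports. The Go image tag, the main package path ./cmd/pgweb, the port 8081 and the --bind/--listen flags are assumptions about the project layout and defaults; adjust them to match the repo and go.mod.

```dockerfile
# syntax=docker/dockerfile:1
# --- Stage 1: build a fully static binary -------------------------------
# Pin the toolchain to the Go version declared in go.mod (1.22 is assumed here).
FROM golang:1.22-alpine AS build
WORKDIR /src

# Copy module files first so the download layer is cached independently of
# source edits; a dependency bump (go get -u ./... && go mod tidy) then only
# invalidates the layers from here down.
COPY go.mod go.sum ./
RUN go mod download

COPY . .
# CGO_ENABLED=0 produces a static binary that needs no libc in the runtime
# image; -trimpath and -s -w strip build paths and debug symbols.
# ./cmd/pgweb is an assumed main-package path; point it at the real one.
RUN CGO_ENABLED=0 GOOS=linux \
    go build -trimpath -ldflags="-s -w" -o /out/pgweb ./cmd/pgweb

# --- Stage 2: runtime image containing only the binary ------------------
# distroless/static ships CA certificates, tzdata and /etc/passwd but no
# shell, no package manager and no distro packages, so a vulnerability
# scanner has almost nothing to flag, and an attacker who gains code
# execution inside the container finds no tools to live off.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/pgweb /pgweb

# Run as the image's built-in unprivileged 'nonroot' user, never as root.
USER nonroot:nonroot

# Assumed listen port and flags; pgweb must bind 0.0.0.0 to be reachable
# from outside the container.
EXPOSE 8081
ENTRYPOINT ["/pgweb"]
CMD ["--bind=0.0.0.0", "--listen=8081"]
```

To check the result the same way the issue describes, build it with `docker build -t pgweb:local .` and scan it with `trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 pgweb:local`; the non-zero exit code makes the scan fail a CI job as soon as a fixable high or critical finding reappears in either the binary's Go dependencies or the runtime base image. Because the binary is static, any remaining findings come from Go modules rather than OS packages, which is exactly the set that `go get -u ./... && go mod tidy` followed by a rebuild is meant to clear.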