# general
m
Hi All, I'm in the process of setting up SigNoz using Docker Compose and I've pulled the `docker-compose.yaml` from [this link](https://github.com/SigNoz/signoz/blob/develop/deploy/docker/clickhouse-setup/docker-compose.yaml). However, as I was reviewing the file, I noticed that it references several outdated images, some of which have critical vulnerabilities. For instance, the image `signoz/locust:1.2.3` is specified, but the latest version available is `signoz/locust:2.24.1`. Could someone shed some light on why these older versions are being used and if there are plans to update them? Alternatively, would it be advisable to simply replace them with the latest versions to ensure security and compatibility? Here's a list of the outdated images mentioned in the YAML file:

- `signoz/frontend:0.38.2`
- `gliderlabs/logspout:v3.2.14`
- `signoz/alertmanager:0.23.4`
- `signoz/query-service:0.38.2`
- `signoz/signoz-otel-collector:0.88.11`
- `clickhouse/clickhouse-server:23.11.1-alpine`
- `signoz/locust:1.2.3` (mentioned above)
- `bitnami/zookeeper:3.7.1`
- `jaegertracing/example-hotrod:1.30`

Looking forward to your insights on this.
p
You will need to use the `main` branch for the stable releases with proper versioning. In the case of Locust, we do not update it often since it is a simple tool used as a load generator.
m
Greetings! 😊 I wanted to express my gratitude for your swift response and for providing clarity regarding the main branch for stable releases. Your promptness in addressing this matter is truly appreciated. As I delved deeper into the Docker Compose setup, I discovered some rectifiable vulnerabilities, particularly with the `bitnami/zookeeper:3.7.1` image. A total of 199 vulnerabilities were identified, out of which 17 are fixable. Below is a breakdown of the vulnerabilities:
```yaml
version: "2.4"

x-clickhouse-defaults: &clickhouse-defaults 
  image: clickhouse/clickhouse-server:24.1.2-alpine
    - Total: 2
    - Fixable: 2
    - Vulnerabilities:
        - CVE-2024-2511; Low; libcrypto3; 3.1.4-r5; 3.1.4-r6
        - CVE-2024-2511; Low; libssl3; 3.1.4-r5; 3.1.4-r6

services:
  zookeeper-1:
    image: bitnami/zookeeper:3.7.1
      - Total: 199
      - Fixable: 17
      - Vulnerabilities:
          - CVE-2023-38545; Critical; redhat:7.5; curl; 7.74.0-1.3+deb11u9; 7.74.0-1.3+deb11u10
          - CVE-2023-38545; Critical; redhat:7.5; libcurl4; 7.74.0-1.3+deb11u9; 7.74.0-1.3+deb11u10
          - CVE-2023-44981; Critical; bitnami:9.1, ghsa:9.1, nvd:9.1, redhat:9.1; org.apache.zookeeper:zookeeper; 3.7.1; 3.7.2, 3.8.3, 3.9.1

  alertmanager:
    image: signoz/alertmanager:${ALERTMANAGER_TAG:-0.23.5}
      - Total: 3
      - Fixable: 3
      - Vulnerabilities:
          - CVE-2023-5678; Medium; nvd:7.5, redhat:5.3; libcrypto1.1; 1.1.1v-r0; 1.1.1w-r1
          - CVE-2023-5678; Medium; nvd:7.5, redhat:5.3; libssl1.1; 1.1.1v-r0; 1.1.1w-r1
          - CVE-2024-24786; Medium; redhat:5.9; google.golang.org/protobuf; v1.26.0-rc.1; 1.33.0

  logspout:
    image: "gliderlabs/logspout:v3.2.14"
      - Total: 84
      - Fixable: 84
      - Vulnerabilities:
          - CVE-2022-37434; Critical; zlib; 1.2.11-r3; 1.2.12-r2

  load-hotrod:
    image: "signoz/locust:1.2.3"
      - Total: 85
      - Fixable: 85
      - Vulnerabilities:
          - CVE-2021-36159; Critical; nvd:9.1; apk-tools; 2.10.5-r1; 2.10.7-r0
          - CVE-2021-3711; Critical; nvd:9.8, redhat:9.8; libcrypto1.1; 1.1.1g-r0; 1.1.1l-r0
          - CVE-2021-3711; Critical; nvd:9.8, redhat:9.8; libssl1.1; 1.1.1g-r0; 1.1.1l-r0
          - CVE-2022-22822; Critical; nvd:9.8; expat; 2.2.9-r1; 2.2.10-r0
          - CVE-2022-22823; Critical; nvd:9.8; expat; 2.2.9-r1; 2.2.10-r0
          - CVE-2022-22824; Critical; nvd:9.8; expat; 2.2.9-r1; 2.2.10-r0
          - CVE-2022-23852; Critical; nvd:9.8, redhat:9.8; expat; 2.2.9-r1; 2.2.10-r1
          - CVE-2022-25315; Critical; expat; 2.2.9-r1; 2.2.10-r2
          - CVE-2022-25235; Critical; expat; 2.2.9-r1; 2.2.10-r2
          - CVE-2022-25236; Critical; expat; 2.2.9-r1; 2.2.10-r2
          - CVE-2022-37434; Critical; zlib; 1.2.11-r3; 1.2.12-r2
          - CVE-2023-41419; Critical; ghsa:9.8, nvd:9.8, redhat:5.6; gevent; 22.10.2; 23.9.1
Hey everyone, quick question: if we update to the latest Zookeeper and Locust images, do you think SigNoz would still function properly? We plan to run SigNoz on a Docker Compose host.
s
Yes, it should