Vulnerability dashboard #2

Open
opened 2026-04-16 21:07:12 +00:00 by bot-ci · 0 comments

This issue lists updates about vulnerabilities that are detected by the [trivy.woodpecker](https://code.thinkaboutit.tech/pandora/trivy.woodpecker) plugin.

Summary

| Severity | Count |
| -------- | ----- |
| CRITICAL | 0 |
| HIGH | 9 |
| MEDIUM | 14 |
| LOW | 4 |
| UNKNOWN | 1 |

Detected packages and vulnerabilities

Packages

code.thinkaboutit.tech/pandora/ntfy:latest (alpine 3.23.3):

| Name | Version |
| ---- | ------- |
| alpine-baselayout | 3.7.1-r8 |
| alpine-baselayout-data | 3.7.1-r8 |
| alpine-keys | 2.6-r0 |
| alpine-release | 3.23.3-r0 |
| apk-tools | 3.0.3-r1 |
| busybox | 1.37.0-r30 |
| busybox-binsh | 1.37.0-r30 |
| ca-certificates-bundle | 20251003-r0 |
| libapk | 3.0.3-r1 |
| libcrypto3 | 3.5.5-r0 |
| libssl3 | 3.5.5-r0 |
| musl | 1.2.5-r21 |
| musl-utils | 1.2.5-r21 |
| scanelf | 1.3.8-r2 |
| ssl_client | 1.37.0-r30 |
| tzdata | 2026a-r0 |
| zlib | 1.3.1-r2 |

usr/bin/ntfy:

| Name | Version |
| ---- | ------- |
| heckel.io/ntfy/v2 | v2.21.0 |
| stdlib | v1.25.8 |
| cel.dev/expr | v0.25.1 |
| cloud.google.com/go | v0.123.0 |
| cloud.google.com/go/auth | v0.19.0 |
| cloud.google.com/go/auth/oauth2adapt | v0.2.8 |
| cloud.google.com/go/compute/metadata | v0.9.0 |
| cloud.google.com/go/firestore | v1.21.0 |
| cloud.google.com/go/iam | v1.6.0 |
| cloud.google.com/go/longrunning | v0.8.0 |
| cloud.google.com/go/monitoring | v1.24.3 |
| cloud.google.com/go/storage | v1.61.3 |
| firebase.google.com/go/v4 | v4.19.0 |
| github.com/AlekSi/pointer | v1.2.0 |
| github.com/BurntSushi/toml | v1.6.0 |
| github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp | v1.31.0 |
| github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric | v0.55.0 |
| github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping | v0.55.0 |
| github.com/MicahParks/keyfunc | v1.9.0 |
| github.com/SherClockHolmes/webpush-go | v1.4.0 |
| github.com/aymerick/douceur | v0.2.0 |
| github.com/beorn7/perks | v1.0.1 |
| github.com/cespare/xxhash/v2 | v2.3.0 |
| github.com/cncf/xds/go | v0.0.0-20260202195803-dba9d589def2 |
| github.com/cpuguy83/go-md2man/v2 | v2.0.7 |
| github.com/emersion/go-sasl | v0.0.0-20241020182733-b788ff22d5a6 |
| github.com/emersion/go-smtp | v0.17.0 |
| github.com/envoyproxy/go-control-plane/envoy | v1.37.0 |
| github.com/envoyproxy/protoc-gen-validate | v1.3.3 |
| github.com/felixge/httpsnoop | v1.0.4 |
| github.com/gabriel-vasile/mimetype | v1.4.13 |
| github.com/go-jose/go-jose/v4 | v4.1.3 |
| github.com/go-logr/logr | v1.4.3 |
| github.com/go-logr/stdr | v1.2.2 |
| github.com/golang-jwt/jwt/v4 | v4.5.2 |
| github.com/golang-jwt/jwt/v5 | v5.3.1 |
| github.com/google/s2a-go | v0.1.9 |
| github.com/google/uuid | v1.6.0 |
| github.com/googleapis/enterprise-certificate-proxy | v0.3.14 |
| github.com/googleapis/gax-go/v2 | v2.20.0 |
| github.com/gorilla/css | v1.0.1 |
| github.com/gorilla/websocket | v1.5.3 |
| github.com/jackc/pgpassfile | v1.0.0 |
| github.com/jackc/pgservicefile | v0.0.0-20240606120523-5a60cdf6a761 |
| github.com/jackc/pgx/v5 | v5.9.1 |
| github.com/jackc/puddle/v2 | v2.2.2 |
| github.com/mattn/go-sqlite3 | v1.14.38 |
| github.com/microcosm-cc/bluemonday | v1.0.27 |
| github.com/munnerz/goautoneg | v0.0.0-20191010083416-a7dc8b61c822 |
| github.com/olebedev/when | v1.1.0 |
| github.com/pkg/errors | v0.9.1 |
| github.com/prometheus/client_golang | v1.23.2 |
| github.com/prometheus/client_model | v0.6.2 |
| github.com/prometheus/common | v0.67.5 |
| github.com/prometheus/procfs | v0.20.1 |
| github.com/russross/blackfriday/v2 | v2.1.0 |
| github.com/spiffe/go-spiffe/v2 | v2.6.0 |
| github.com/stripe/stripe-go/v74 | v74.30.0 |
| github.com/urfave/cli/v2 | v2.27.7 |
| github.com/xrash/smetrics | v0.0.0-20250705151800-55b8f293f342 |
| go.opentelemetry.io/auto/sdk | v1.2.1 |
| go.opentelemetry.io/contrib/detectors/gcp | v1.42.0 |
| go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.67.0 |
| go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp | v0.67.0 |
| go.opentelemetry.io/otel | v1.42.0 |
| go.opentelemetry.io/otel/metric | v1.42.0 |
| go.opentelemetry.io/otel/sdk | v1.42.0 |
| go.opentelemetry.io/otel/sdk/metric | v1.42.0 |
| go.opentelemetry.io/otel/trace | v1.42.0 |
| go.yaml.in/yaml/v2 | v2.4.4 |
| golang.org/x/crypto | v0.49.0 |
| golang.org/x/net | v0.52.0 |
| golang.org/x/oauth2 | v0.36.0 |
| golang.org/x/sync | v0.20.0 |
| golang.org/x/sys | v0.42.0 |
| golang.org/x/term | v0.41.0 |
| golang.org/x/text | v0.35.0 |
| golang.org/x/time | v0.15.0 |
| google.golang.org/api | v0.273.0 |
| google.golang.org/genproto | v0.0.0-20260319201613-d00831a3d3e7 |
| google.golang.org/genproto/googleapis/api | v0.0.0-20260319201613-d00831a3d3e7 |
| google.golang.org/genproto/googleapis/rpc | v0.0.0-20260319201613-d00831a3d3e7 |
| google.golang.org/grpc | v1.79.3 |
| google.golang.org/protobuf | v1.36.11 |
| gopkg.in/yaml.v2 | v2.4.0 |
| gopkg.in/yaml.v3 | v3.0.1 |

Vulnerabilities

code.thinkaboutit.tech/pandora/ntfy:latest (alpine 3.23.3):

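| Package Name | Severity | Installed version | Fixed Version | Status | Link |
| ------------ | -------- | ----------------- | ------------- | ------ | ---- |
| libcrypto3 | HIGH | 3.5.5-r0 | 3.5.6-r0 | fixed | [CVE-2026-28390](https://avd.aquasec.com/nvd/cve-2026-28390) |
| libcrypto3 | MEDIUM | 3.5.5-r0 | 3.5.6-r0 | fixed | [CVE-2026-28388](https://avd.aquasec.com/nvd/cve-2026-28388) |
| libcrypto3 | MEDIUM | 3.5.5-r0 | 3.5.6-r0 | fixed | [CVE-2026-28389](https://avd.aquasec.com/nvd/cve-2026-28389) |
| libcrypto3 | MEDIUM | 3.5.5-r0 | 3.5.6-r0 | fixed | [CVE-2026-31789](https://avd.aquasec.com/nvd/cve-2026-31789) |
| libcrypto3 | MEDIUM | 3.5.5-r0 | 3.5.6-r0 | fixed | [CVE-2026-31790](https://avd.aquasec.com/nvd/cve-2026-31790) |
| libcrypto3 | LOW | 3.5.5-r0 | 3.5.6-r0 | fixed | [CVE-2026-2673](https://avd.aquasec.com/nvd/cve-2026-2673) |
| libcrypto3 | LOW | 3.5.5-r0 | 3.5.6-r0 | fixed | [CVE-2026-28387](https://avd.aquasec.com/nvd/cve-2026-28387) |
| libssl3 | HIGH | 3.5.5-r0 | 3.5.6-r0 | fixed | [CVE-2026-28390](https://avd.aquasec.com/nvd/cve-2026-28390) |
| libssl3 | MEDIUM | 3.5.5-r0 | 3.5.6-r0 | fixed | [CVE-2026-28388](https://avd.aquasec.com/nvd/cve-2026-28388) |
| libssl3 | MEDIUM | 3.5.5-r0 | 3.5.6-r0 | fixed | [CVE-2026-28389](https://avd.aquasec.com/nvd/cve-2026-28389) |
| libssl3 | MEDIUM | 3.5.5-r0 | 3.5.6-r0 | fixed | [CVE-2026-31789](https://avd.aquasec.com/nvd/cve-2026-31789) |
| libssl3 | MEDIUM | 3.5.5-r0 | 3.5.6-r0 | fixed | [CVE-2026-31790](https://avd.aquasec.com/nvd/cve-2026-31790) |
| libssl3 | LOW | 3.5.5-r0 | 3.5.6-r0 | fixed | [CVE-2026-2673](https://avd.aquasec.com/nvd/cve-2026-2673) |
| libssl3 | LOW | 3.5.5-r0 | 3.5.6-r0 | fixed | [CVE-2026-28387](https://avd.aquasec.com/nvd/cve-2026-28387) |
| musl | HIGH | 1.2.5-r21 | 1.2.5-r23 | fixed | [CVE-2026-40200](https://avd.aquasec.com/nvd/cve-2026-40200) |
| musl | MEDIUM | 1.2.5-r21 | 1.2.5-r22 | fixed | [CVE-2026-6042](https://avd.aquasec.com/nvd/cve-2026-6042) |
| musl-utils | HIGH | 1.2.5-r21 | 1.2.5-r23 | fixed | [CVE-2026-40200](https://avd.aquasec.com/nvd/cve-2026-40200) |
| musl-utils | MEDIUM | 1.2.5-r21 | 1.2.5-r22 | fixed | [CVE-2026-6042](https://avd.aquasec.com/nvd/cve-2026-6042) |
| zlib | HIGH | 1.3.1-r2 | 1.3.2-r0 | fixed | [CVE-2026-22184](https://avd.aquasec.com/nvd/cve-2026-22184) |
| zlib | MEDIUM | 1.3.1-r2 | 1.3.2-r0 | fixed | [CVE-2026-27171](https://avd.aquasec.com/nvd/cve-2026-27171) |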

usr/bin/ntfy:

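| Package Name | Severity | Installed version | Fixed Version | Status | Link |
| ------------ | -------- | ----------------- | ------------- | ------ | ---- |
| github.com/go-jose/go-jose/v4 | HIGH | v4.1.3 | 4.1.4 | fixed | [CVE-2026-34986](https://avd.aquasec.com/nvd/cve-2026-34986) |
| go.opentelemetry.io/otel/sdk | HIGH | v1.42.0 | 1.43.0 | fixed | [CVE-2026-39883](https://avd.aquasec.com/nvd/cve-2026-39883) |
| stdlib | HIGH | v1.25.8 | 1.25.9, 1.26.2 | fixed | [CVE-2026-32280](https://avd.aquasec.com/nvd/cve-2026-32280) |
| stdlib | HIGH | v1.25.8 | 1.25.9, 1.26.2 | fixed | [CVE-2026-32282](https://avd.aquasec.com/nvd/cve-2026-32282) |
| stdlib | MEDIUM | v1.25.8 | 1.25.9, 1.26.2 | fixed | [CVE-2026-32281](https://avd.aquasec.com/nvd/cve-2026-32281) |
| stdlib | MEDIUM | v1.25.8 | 1.25.9, 1.26.2 | fixed | [CVE-2026-32288](https://avd.aquasec.com/nvd/cve-2026-32288) |
| stdlib | MEDIUM | v1.25.8 | 1.25.9, 1.26.2 | fixed | [CVE-2026-32289](https://avd.aquasec.com/nvd/cve-2026-32289) |
| stdlib | UNKNOWN | v1.25.8 | 1.25.9, 1.26.2 | fixed | [CVE-2026-32283](https://avd.aquasec.com/nvd/cve-2026-32283) |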
Reference
pandora/notfysh.image-copy#2