
Azure CLI docker image jp dependency is dated and triggers security scanners #29509

Open
octavian-mto opened this issue Jul 29, 2024 · 1 comment
Labels: Azure CLI Team (The command of the issue is owned by Azure CLI team), customer-reported (Issues that are reported by GitHub users external to the Azure organization), question (The issue doesn't require a change to the product in order to be resolved. Most issues start as that)

octavian-mto commented Jul 29, 2024

Describe the bug

The jp (jmespath) dependency is stuck at version 0.2.1 (released in 2021) due to the maintainer not focusing on the project anymore.
Since the executable is using an older version of Go (1.17.1), it triggers container image scanners.

Here are the related bug reports on the jp side: jmespath/jp#51 and jmespath/jp#46

Related command

FROM mcr.microsoft.com/azure-cli

Errors

CVE-2021-38297
CVE-2023-24538
CVE-2024-24790
CVE-2023-24540
CVE-2023-29402
CVE-2023-29404
CVE-2023-29405

Issue script & Debug output

See above

Expected behavior

No security vulnerabilities are reported when using mcr.microsoft.com/azure-cli

Environment Summary

# az --version
azure-cli                         2.62.0

core                              2.62.0
telemetry                          1.1.0

Dependencies:
msal                              1.28.1
azure-mgmt-resource               23.1.1

Python location '/usr/local/bin/python'
Extensions directory '/root/.azure/cliextensions'

Python (Linux) 3.11.9 (main, Jul  3 2024, 00:15:49) [GCC 13.2.1 20240309]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

No response
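The scanner findings above key on the Go toolchain version string that every Go binary embeds (for jp, "go1.17.1"). As an added example that is not part of this issue or of the azure-cli project, the following dependency-free Python check reads that string out of a binary and compares it with a policy minimum, so an image build can fail early instead of waiting for the scanner. The minimum version `MIN_GO`, the byte strings `SAMPLE_OLD`/`SAMPLE_NEW` and the function names are constructed assumptions for the example.

```python
from __future__ import annotations

import re
import sys
from pathlib import Path

# Go binaries embed the toolchain they were built with as a plain string
# such as "go1.17.1" (runtime.buildVersion, also present in the buildinfo
# blob). Image scanners map that version to known Go stdlib CVEs.
GO_VERSION_RE = re.compile(rb"go1\.(\d{1,3})(?:\.(\d{1,3}))?(?![\w.])")

# Assumption: the oldest toolchain your scanner policy accepts. 1.22.4 is a
# placeholder; set it from the fix versions in your scanner's advisory data.
MIN_GO = (1, 22, 4)

# Constructed sample "binaries": an ELF-looking prefix followed by the kind
# of strings a Go build embeds. They stand in for the shipped jp executable
# and for a hypothetical rebuild with a current toolchain.
SAMPLE_OLD = b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"go1.17.1\x00path\tgithub.com/jmespath/jp\x00"
SAMPLE_NEW = b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"go1.22.5\x00path\tgithub.com/jmespath/jp\x00"


def embedded_go_versions(blob: bytes) -> list[tuple[int, int, int]]:
    """All distinct goX.Y[.Z] release strings found in the blob, ascending."""
    found = set()
    for m in GO_VERSION_RE.finditer(blob):
        minor = int(m.group(1))
        patch = int(m.group(2)) if m.group(2) else 0
        found.add((1, minor, patch))
    return sorted(found)


def toolchain_version(blob: bytes) -> tuple[int, int, int] | None:
    """Heuristic: take the highest version string as the building toolchain.

    `go version -m <binary>` is the authoritative read when a Go toolchain
    is available; this approximation needs nothing but the file bytes.
    """
    versions = embedded_go_versions(blob)
    return versions[-1] if versions else None


def fmt(v: tuple[int, int, int]) -> str:
    return f"go{v[0]}.{v[1]}.{v[2]}"


def check_binary(blob: bytes, minimum: tuple[int, int, int] = MIN_GO) -> dict:
    """Verdict for one binary: ok/not ok, the version found, and a reason."""
    v = toolchain_version(blob)
    if v is None:
        return {"ok": False, "version": None,
                "reason": "no Go version string found (not a Go binary, or stripped)"}
    if v < minimum:
        return {"ok": False, "version": fmt(v),
                "reason": f"built with {fmt(v)}, below policy minimum {fmt(minimum)}"}
    return {"ok": True, "version": fmt(v), "reason": "toolchain meets policy minimum"}


def check_file(path: str, minimum: tuple[int, int, int] = MIN_GO) -> dict:
    """Run the check on a file on disk, e.g. the jp binary copied out of the image."""
    return check_binary(Path(path).read_bytes(), minimum)


if __name__ == "__main__":
    # With paths given, check real files; otherwise demonstrate on the samples.
    targets = sys.argv[1:]
    if targets:
        results = {p: check_file(p) for p in targets}
        for p, r in results.items():
            print(p, r)
        sys.exit(0 if all(r["ok"] for r in results.values()) else 1)
    print("constructed old sample:", check_binary(SAMPLE_OLD))
    print("constructed new sample:", check_binary(SAMPLE_NEW))
```

Run it against the binary copied out of the image (for example `docker cp <container>:/usr/local/bin/jp ./jp && python check_go_version.py ./jp`, where the path of jp inside the image is an assumption) and wire the exit code into the image build. Release-candidate strings such as "go1.22rc1" are deliberately not matched, so a binary built with a pre-release toolchain is reported as "no Go version string found" rather than silently passing.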

@octavian-mto octavian-mto added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Jul 29, 2024
yonzhan (Collaborator) commented Jul 29, 2024

Thank you for opening this issue, we will look into it.

@microsoft-github-policy-service microsoft-github-policy-service bot added the customer-reported Issues that are reported by GitHub users external to the Azure organization. label Jul 29, 2024
@yonzhan yonzhan added the question (The issue doesn't require a change to the product in order to be resolved. Most issues start as that) and Azure CLI Team (The command of the issue is owned by Azure CLI team) labels and removed the bug (This issue requires a change to an existing behavior in the product in order to be resolved.) label Jul 29, 2024
@yonzhan yonzhan added this to the Backlog milestone Jul 29, 2024