Go Cryptography vulnerabilities detected by Docker Scan #512
Open
Description
Reopening #496
Hi guys. Not sure if the binaries are actually being updated with the latest builds. This CVE is still showing for me.
Steps to reproduce it:
- Add Dockerfile

```dockerfile
FROM alpine:3.17.2
# install codeclimate reporter
RUN wget --quiet https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 -O /usr/local/bin/cc-test-reporter \
    && chmod +x /usr/local/bin/cc-test-reporter
```

- Run a Docker scan

```shell
docker build -t cc-reporter-cve-test . && docker scout cves cc-reporter-cve-test
```
It comes back with the crypto CVEs that were supposedly patched:
However, when I built the binary from my machine and copied it over to the Docker image it reported no CVEs. So I wonder if the binaries are being updated on CodeClimate's website.
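One way to check the question raised in this issue, whether the published binary was rebuilt against a patched `golang.org/x/crypto`, is to read the module versions Go embeds in the binary with `go version -m`. The script below is an added example, not part of the original issue or the project's code; the function names, the sample build info and the `v0.9.0` threshold are constructed for illustration, and the real fixed version must come from the advisory the scanner reports.

```shell
#!/bin/sh
# Real use (needs the Go toolchain; take the fixed version from the advisory):
#   go version -m /usr/local/bin/cc-test-reporter | check_dep golang.org/x/crypto <fixed-version>

# Print the version of module $1 from `go version -m` output on stdin.
dep_version() {
    awk -F '\t' -v mod="$1" '$2 == "dep" && $3 == mod { print $4; exit }'
}

# Succeed if version $1 >= version $2, comparing vMAJOR.MINOR.PATCH only.
# Any -suffix is dropped, so an untagged pseudo-version v0.0.0-<date>-<commit>
# compares as 0.0.0; review other suffixed versions by hand.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/^v/, "", a); sub(/^v/, "", b)
        sub(/[-+].*$/, "", a); sub(/[-+].*$/, "", b)
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Classify build info on stdin for module $1 against minimum version $2.
check_dep() {
    found=$(dep_version "$1")
    if [ -z "$found" ]; then echo "absent"; return 0; fi
    if version_ge "$found" "$2"; then echo "ok $found"; else echo "outdated $found"; fi
}

# Constructed `go version -m` output (not taken from the real binary).
SAMPLE_OLD=$(printf 'example-binary: go1.19.5\n\tpath\texample.com/tool\n\tdep\tgolang.org/x/crypto\tv0.0.0-20200101000000-0123456789ab\th1:CONSTRUCTED=\n')
SAMPLE_NEW=$(printf 'example-binary: go1.21.0\n\tpath\texample.com/tool\n\tdep\tgolang.org/x/crypto\tv0.12.0\th1:CONSTRUCTED=\n')

# v0.9.0 is a constructed threshold for the demo, not a value from an advisory.
printf '%s\n' "$SAMPLE_OLD" | check_dep golang.org/x/crypto v0.9.0
printf '%s\n' "$SAMPLE_NEW" | check_dep golang.org/x/crypto v0.9.0
```

Running the same check against the downloaded binary and a locally built one shows directly whether the two were built with different dependency versions.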