High severity CVE related with go stdlib version #903
Comments
Hello, @aelsabbahy!
Reopening issue until the release happens. Yes, this will be part of the next goss release. I should look into automating the trivy checks. 🤔
Released
Many thanks @aelsabbahy! Will test it :)
Checked, it's passing CVE testing, closing this issue :) thanks @aelsabbahy
Thanks for reporting. If you don't mind... can you show me how to reproduce the failing result on the old version? This way I can look into automating this at a future time.
Sure, we are using the Trivy GitHub action on CI, which tests our docker image (our open source project is a docker image); you can see the results here. After updating the goss version to 0.4.7, CI became green.
@aelsabbahy I think you can use a command like this: P.S. docs here
Perfect, yeah that worked, thanks! Will check out the github actions too. I tried
I will also try restarting this step on CI one more time; they update the CVE database every day, so there is a small chance that they reclassified the CVE. We had our last release 3 days ago, so probably something changed in their db during this time.
Oh, I just meant it doesn't detect it if you scan the binary directory but does if you scan the repo. I was confused earlier since I couldn't reproduce your results (due to scanning the binary); scanning the repo works just fine and I might set up a weekly scan. Thanks again, this should improve the security posture of Goss!
I had also added the scan of the goss docker file with the trivy GitHub action to:
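One way to automate what the thread describes (scan the checked-out repository rather than only the directory of built binaries, scan the built image, and run on a weekly schedule) is a GitHub Actions workflow around aquasecurity/trivy-action. This is an added example, not a workflow from the goss project or from anyone in this thread. The branch name, the local image tag, the cron time and the pin on the action are assumptions; it also assumes the repository scan sees the module's go.mod, since the thread reports that the binary-directory scan did not surface the stdlib finding while the repo scan did.

```yaml
# Added example (not the goss project's workflow). Scans the repository and
# the built image with Trivy on push, on pull requests and weekly.
name: trivy

on:
  push:
    branches: [master]        # assumption: default branch name
  pull_request:
  schedule:
    - cron: "0 6 * * 1"       # weekly, Monday 06:00 UTC (assumed time)

permissions:
  contents: read

jobs:
  repo-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Filesystem scan of the source tree. Trivy can resolve the Go module
      # and toolchain information from go.mod here; scanning only a directory
      # of compiled binaries is what the thread reports as not detecting it.
      - name: Trivy repository scan
        uses: aquasecurity/trivy-action@master   # assumption: pin to a release tag or SHA in real use
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: "1"       # fail the job on any HIGH/CRITICAL finding

  image-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t local/goss:ci .   # assumption: placeholder local tag

      # Image scan covers the Go binary as shipped plus the base image layers.
      - name: Trivy image scan
        uses: aquasecurity/trivy-action@master   # assumption: pin in real use
        with:
          scan-type: image
          image-ref: local/goss:ci
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: "1"
```

`exit-code: "1"` is what turns a finding into a red CI run, which is the behaviour described in the thread; without it Trivy only reports. `ignore-unfixed: true` keeps the gate focused on CVEs that a version bump can actually resolve, and the scheduled run catches database updates that reclassify an existing dependency after the last push.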
Awesome, thanks for all the clarifications, closing.
@aelsabbahy trivy detected a new CVE and I published an issue
Describe the bug
High severity CVE
How To Reproduce
https://github.com/aquasecurity/trivy detected this CVE
Expected Behavior
using Go version without CVE
Actual Behavior
using Go version with CVE
Environment: