Critical CVE on goss #941
Comments
|
@dklimpel this is a good opportunity to test the new trivy pipeline. Is it possible to reproduce this finding in the goss CI? |
|
You should be able to run the workflow manually: https://github.com/goss-org/goss/actions/workflows/docker-goss.yaml But it probably won't find anything because the workflow creates a new build and the affected dependency seems to be indirect. |
|
Hmm, I wonder if it makes sense to have daily (or weekly) trivy run on the last published image? |
|
I think latest tagged release, not latest image. |
|
Any update on this bug ? @dklimpel @aelsabbahy |
|
@aelsabbahy @dklimpel I prepared PR with updating go version, because CVE located in stdlib |
|
Sorry for the delay on this. It seems there's some issues with CI. Still trying to debug. oddly the working commit and the failing commit are exactly the same, so not sure if something changed on travis-ci or if there's another factor at play (e.g. docker test image caching). |
|
Update: Found the issue, I believe I merged in a fix. Unfortunately, I ran out of travis-ci OSS credits again, waiting on travis-ci to respond. These issues will go away once the migration to GHA is complete. This is probably going to be the last release on the travis-ci workflow. |
|
@aelsabbahy thanks, no problem, sometimes such things happenings |
|
Just cut a new release, please confirm the CVE is gone and we can close out this ticket. Many thanks for reporting this issue and contributing the fix! Sorry this took a little while, the whole CI story is in a bit of a transition. |
|
@aelsabbahy thanks so much, I tested update on 0.4.8 and it's fixing this Critical CVE |
Describe the bug
Critical CVE on goss
How To Reproduce
Use trivy to detect CVE, in our case it's has been detected on CI
Expected Behavior
Haven't CVE
Actual Behavior
CVE
Environment:
The text was updated successfully, but these errors were encountered: