Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: triage false positive for go-jose/v3 #20901

Merged
merged 1 commit into from
Mar 26, 2024
Merged

security: triage false positive for go-jose/v3 #20901

merged 1 commit into from
Mar 26, 2024

Conversation

zalimeni
Copy link
Member

Per https://osv.dev/vulnerability/GO-2024-2631 this vulnerability is not present in the version currently used (go-jose/v3@3.0.3).

I'm suspicious that the Introduced 0 version in the OSV entry is why we're flagging the fix version as invalid. Just a guess.

Description

This unblocks the Consul patch release currently underway.

Testing & Reproduction steps

CI continues to pass including Security Scan check.

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

@zalimeni
security: triage false positive for go-jose/v3
c8d6b25 
Per https://osv.dev/vulnerability/GO-2024-2631 this vulnerability is not
present in the version currently used (go-jose/v3@3.0.3).
@zalimeni zalimeni added backport/1.15 This release series is no longer active on CE. Use backport/ent/1.15. backport/1.16 This release series is no longer active on CE. Use backport/ent/1.16. backport/1.17 This release series is no longer active on CE. Use backport/ent/1.17. backport/1.18 labels Mar 26, 2024
@zalimeni zalimeni requested review from david-yu, dduzgun-security, xwa153 and a team March 26, 2024 21:04
@zalimeni zalimeni requested a review from a team as a code owner March 26, 2024 21:04
@zalimeni zalimeni requested review from sarahethompson and ashconnor and removed request for a team March 26, 2024 21:04
dduzgun-security
dduzgun-security approved these changes Mar 26, 2024
View reviewed changes
Copy link
Collaborator

@dduzgun-security dduzgun-security left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@zalimeni zalimeni added the pr/no-changelog PR does not need a corresponding .changelog entry label Mar 26, 2024
@zalimeni
Copy link
Member Author

zalimeni commented Mar 26, 2024
edited
Loading

Scan passed 🙌🏻 auto-merging. Thanks for the quick review @dduzgun-security !

@zalimeni zalimeni enabled auto-merge (squash) March 26, 2024 21:08
@zalimeni zalimeni merged commit cc959dc into main Mar 26, 2024
112 of 117 checks passed
@zalimeni zalimeni deleted the zalimeni/add-security-triage-go-jose-cve-false-positive branch March 26, 2024 21:27
This was referenced Mar 26, 2024
Merged
Merged
Merged
Merged
This was referenced Mar 26, 2024
Merged
Merged
This was referenced May 4, 2024
Closed
Closed
Closed
Merged
@dhiaayachi dhiaayachi mentioned this pull request Sep 26, 2024
Open
4 tasks
This was referenced Sep 26, 2024
Open
Open
Open
Open
Open
Open
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dduzgun-security dduzgun-security dduzgun-security approved these changes

@david-yu david-yu Awaiting requested review from david-yu

@xwa153 xwa153 Awaiting requested review from xwa153

@sarahethompson sarahethompson Awaiting requested review from sarahethompson

@ashconnor ashconnor Awaiting requested review from ashconnor

Assignees
No one assigned
Labels
backport/1.15 This release series is no longer active on CE. Use backport/ent/1.15. backport/1.16 This release series is no longer active on CE. Use backport/ent/1.16. backport/1.17 This release series is no longer active on CE. Use backport/ent/1.17. pr/no-changelog PR does not need a corresponding .changelog entry
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@zalimeni @dduzgun-security