Backport of security: triage false positive for go-jose/v3 into release/1.18.1 #20907

zalimeni · 2024-03-26T21:41:26Z

Backport

This PR is a manual backport of #20901.

The below text is copied from the body of the original PR.

Per https://osv.dev/vulnerability/GO-2024-2631 this vulnerability is not present in the version currently used (go-jose/v3@3.0.3).

I'm suspicious that the Introduced 0 version in the OSV entry is why we're flagging the fix version as invalid. Just a guess.

This unblocks the Consul patch release currently underway.

CI continues to pass including Security Scan check.

Overview of commits

backport of commit c8d6b25

56264a9

zalimeni requested review from david-yu, NicoletaPopoviciu, xwa153 and a team March 26, 2024 21:41

zalimeni requested a review from a team as a code owner March 26, 2024 21:41

zalimeni requested review from shore and claire-labry and removed request for a team March 26, 2024 21:41

xwa153 approved these changes Mar 26, 2024

View reviewed changes

xwa153 added the pr/no-backport label Mar 26, 2024

zalimeni added the pr/no-changelog PR does not need a corresponding .changelog entry label Mar 26, 2024

zalimeni enabled auto-merge (squash) March 26, 2024 21:53

zalimeni merged commit 98cb473 into release/1.18.1 Mar 26, 2024
90 of 91 checks passed

zalimeni deleted the backport/zalimeni/add-security-triage-go-jose-cve-false-positive--1.18.1 branch March 26, 2024 21:59