Security Report
The Security Check found 8 vulnerabilities.
CVE | Severity | CVSS Score | Exploit Maturity | EPSS | Vulnerable Library | Suggested Fix | Issue | Reachability |
---|---|---|---|---|---|---|---|---|
CVE-2024-21664<br>Path to dependency file: /tests/components/application-connector/go.mod<br>Path to vulnerable library: /go/pkg/mod/cache/download/github.com/lestrrat-go/jwx/@v/v1.2.28.mod<br>Dependency Hierarchy: -> github.com/kyma-incubator/compass/components/director-v0.0.0-20240311095305-43ec866d6b0c (Root Library) -> github.com/kyma-incubator/compass/components/hydrator-v0.0.0-20240228074947-02a81b1e3bf8 -> ❌ github.com/lestrrat-go/jwx-v1.2.28 (Vulnerable Library) | High | 8.7 | Not Defined | 0.1% | github.com/lestrrat-go/jwx-v1.2.28 | Upgrade to version: v1.2.28, v2.0.19 | #113 | |
CVE-2023-45288<br>Path to dependency file: /tests/components/application-connector/go.mod<br>Path to vulnerable library: /tests/components/application-connector/go.mod, /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.0.0-20221014081412-f15817d10f9b.mod<br>Dependency Hierarchy: -> k8s.io/client-go-v0.26.9 (Root Library) -> ❌ golang.org/x/net-v0.0.0-20221014081412-f15817d10f9b (Vulnerable Library) | High | 8.7 | Not Defined | 0.0% | golang.org/x/net-v0.0.0-20221014081412-f15817d10f9b | Upgrade to version: golang/net - v0.23.0 | #112 | |
CVE-2023-39325<br>Path to dependency file: /tests/components/application-connector/go.mod<br>Path to vulnerable library: /tests/components/application-connector/go.mod, /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.0.0-20221014081412-f15817d10f9b.mod<br>Dependency Hierarchy: -> k8s.io/client-go-v0.26.9 (Root Library) -> ❌ golang.org/x/net-v0.0.0-20221014081412-f15817d10f9b (Vulnerable Library) | High | 8.7 | Not Defined | 0.2% | golang.org/x/net-v0.0.0-20221014081412-f15817d10f9b | Upgrade to version: go1.20.10, go1.21.3, golang.org/x/net - v0.17.0 | #112 | |
CVE-2022-41721<br>Path to dependency file: /tests/components/application-connector/go.mod<br>Path to vulnerable library: /tests/components/application-connector/go.mod, /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.0.0-20221014081412-f15817d10f9b.mod<br>Dependency Hierarchy: -> k8s.io/client-go-v0.26.9 (Root Library) -> ❌ golang.org/x/net-v0.0.0-20221014081412-f15817d10f9b (Vulnerable Library) | High | 8.7 | Not Defined | 0.1% | golang.org/x/net-v0.0.0-20221014081412-f15817d10f9b | Upgrade to version: v0.2.0 | #112 | |
CVE-2024-28122<br>Path to dependency file: /tests/components/application-connector/go.mod<br>Path to vulnerable library: /go/pkg/mod/cache/download/github.com/lestrrat-go/jwx/@v/v1.2.28.mod<br>Dependency Hierarchy: -> github.com/kyma-incubator/compass/components/director-v0.0.0-20240311095305-43ec866d6b0c (Root Library) -> github.com/kyma-incubator/compass/components/hydrator-v0.0.0-20240228074947-02a81b1e3bf8 -> ❌ github.com/lestrrat-go/jwx-v1.2.28 (Vulnerable Library) | High | 8.2 | Not Defined | 0.0% | github.com/lestrrat-go/jwx-v1.2.28 | Upgrade to version: v1.2.29, v2.0.21 | #113 | |
CVE-2023-48795<br>Path to dependency file: /tests/components/application-connector/go.mod<br>Path to vulnerable library: /tests/components/application-connector/go.mod, /go/pkg/mod/cache/download/golang.org/x/crypto/@v/v0.0.0-20221012134737-56aed061732a.mod<br>Dependency Hierarchy: -> github.com/kyma-incubator/compass/components/director-v0.0.0-20240311095305-43ec866d6b0c (Root Library) -> github.com/Masterminds/sprig/v3-v3.2.3 -> ❌ golang.org/x/crypto-v0.0.0-20221012134737-56aed061732a (Vulnerable Library) | High | 8.2 | Not Defined | 96.2% | golang.org/x/crypto-v0.0.0-20221012134737-56aed061732a | Upgrade to version: golang/crypto - v0.17.0 (the advisory also lists fixes for other SSH implementations, which do not apply to this Go dependency: putty - 0.80, openssh - V_9_6_P1, asyncssh - 2.14.2, libssh - 0.9.8, libssh - 0.10.6, teraterm - v5.1, paramiko - 3.4.0, russh - 0.40.2, com.github.mwiede:jsch:0.2.15, proftpd - v1.3.8b, thrussh - 0.35.1, org.connectbot:sshlib:2.2.22, mscdex/ssh2 - 1.15.0, jtesta/ssh-audit - v3.1.0, Oryx-Embedded/CycloneSSH - v2.3.4, opnsense/src - 23.7, winscp - 6.2.2, PowerShell/openssh-portable - v9.5.0.0) | #113 | |
CVE-2024-24786<br>Path to dependency file: /components/central-application-gateway/go.mod<br>Path to vulnerable library: /go/pkg/mod/cache/download/google.golang.org/protobuf/@v/v1.28.1.mod<br>Dependency Hierarchy: -> k8s.io/client-go-v0.26.7 (Root Library) -> github.com/google/gnostic-v0.5.7-v3refs -> ❌ google.golang.org/protobuf-v1.28.1 (Vulnerable Library) | High | 7.1 | Not Defined | 0.0% | google.golang.org/protobuf-v1.28.1 | Upgrade to version: v1.33.0 | #23 | |
CVE-2023-3978<br>Path to dependency file: /tests/components/application-connector/go.mod<br>Path to vulnerable library: /tests/components/application-connector/go.mod, /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.0.0-20221014081412-f15817d10f9b.mod<br>Dependency Hierarchy: -> k8s.io/client-go-v0.26.9 (Root Library) -> ❌ golang.org/x/net-v0.0.0-20221014081412-f15817d10f9b (Vulnerable Library) | Medium | 5.3 | Not Defined | 0.1% | golang.org/x/net-v0.0.0-20221014081412-f15817d10f9b | Upgrade to version: v0.13.0 | #112 | |

Note on CVE-2024-21664: the suggested fix (v1.2.28, v2.0.19) names the same 1.x release the scanner flags as vulnerable; upgrading to v1.2.29 or v2.0.21, as suggested for CVE-2024-28122, resolves both jwx findings. The Reachability column is empty for every finding, so none of them can be dismissed as unreachable on the basis of this report.
Total libraries scanned: 148
Scan token: f383fd8e96df4ba99e2e0c122dc7a95e
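The table names a fixed version for each vulnerable module but gives no way to confirm that a repository is actually on those versions after the upgrade. The Go program below is an added example, not the scanner's output or the project's own code: it parses `go list -m all` output (a constructed sample is embedded; `example.com/application-connector-tests` is a placeholder main module), compares each module against the highest fixed version taken from the Suggested Fix column using a minimal semver ordering that handles Go pseudo-versions and replace directives, and prints the `go get` commands that lift the remaining findings. The module names and fixed versions come from the report; everything else is assumed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// fixedVersions: each vulnerable module in the report paired with the highest fixed
// version its Suggested Fix column lists (v1.2.29 covers both jwx CVEs, v0.23.0 all four x/net CVEs).
var fixedVersions = map[string]string{
	"github.com/lestrrat-go/jwx": "v1.2.29",
	"golang.org/x/crypto":        "v0.17.0",
	"golang.org/x/net":           "v0.23.0",
	"google.golang.org/protobuf": "v1.33.0",
}
// sampleModList is constructed `go list -m all` output, not the scanned repository's real
// module graph; example.com/... is a placeholder main module (no version), protobuf has a replace.
const sampleModList = `example.com/application-connector-tests
github.com/lestrrat-go/jwx v1.2.28
golang.org/x/crypto v0.0.0-20221012134737-56aed061732a
golang.org/x/net v0.0.0-20221014081412-f15817d10f9b
google.golang.org/protobuf v1.28.1 => google.golang.org/protobuf v1.33.0
k8s.io/client-go v0.26.9
`
// parseVersion splits "vMAJOR.MINOR.PATCH[-PRERELEASE]" into numbers and pre-release string;
// Go pseudo-versions such as v0.0.0-20221014081412-f15817d10f9b are pre-releases of v0.0.0.
func parseVersion(v string) (nums [3]int, pre string, err error) {
	s := strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(s, '-'); i >= 0 {
		pre, s = s[i+1:], s[:i]
	}
	if n, _ := fmt.Sscanf(s, "%d.%d.%d", &nums[0], &nums[1], &nums[2]); n != 3 {
		err = fmt.Errorf("malformed version %q", v)
	}
	return nums, pre, err
}

// compareVersions returns -1, 0 or 1 as a is lower than, equal to or higher than b (semver order).
func compareVersions(a, b string) (int, error) {
	na, pa, errA := parseVersion(a)
	nb, pb, errB := parseVersion(b)
	if errA != nil || errB != nil {
		return 0, errors.Join(errA, errB)
	}
	for i := range na {
		switch {
		case na[i] < nb[i]:
			return -1, nil
		case na[i] > nb[i]:
			return 1, nil
		}
	}
	// A pre-release sorts below the plain release; two pre-releases compare as strings,
	// which orders pseudo-version timestamps correctly.
	switch {
	case pa == pb:
		return 0, nil
	case pa == "" || (pb != "" && pa > pb):
		return 1, nil
	}
	return -1, nil
}

type finding struct{ Module, Installed, Fixed string }

// checkModules parses `go list -m all` output and flags every module in fixed
// whose effective version (after any replace directive) is below the fix.
func checkModules(modList string, fixed map[string]string) ([]finding, error) {
	var out []finding
	for _, line := range strings.Split(modList, "\n") {
		f := strings.Fields(line)
		if len(f) == 5 && f[2] == "=>" { // "old vX => new vY": vY is what gets built
			f[1] = f[4]
		} else if len(f) != 2 { // blank, main module (no version) or "=> ../localdir"
			continue
		}
		want, ok := fixed[f[0]]
		if !ok {
			continue
		}
		c, err := compareVersions(f[1], want)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f[0], err)
		}
		if c < 0 {
			out = append(out, finding{f[0], f[1], want})
		}
	}
	return out, nil
}

func main() {
	findings, err := checkModules(sampleModList, fixedVersions)
	if err != nil {
		panic(err)
	}
	for _, f := range findings { // one go get per finding; run go mod tidy afterwards
		fmt.Printf("go get %s@%s   # currently %s\n", f.Module, f.Fixed, f.Installed)
	}
}
```

On the constructed sample the program reports jwx, x/crypto and x/net as still below their fixes and leaves protobuf alone, because the replace directive already pins it to v1.33.0. To run it against a real checkout, feed it the output of `go list -m all` from the directory of the go.mod named in the table (the test module at /tests/components/application-connector has its own module graph, separate from the gateway component), and follow the printed `go get` lines with `go mod tidy`.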