This repository has been archived by the owner on Dec 15, 2022. It is now read-only.

Fix security vulnerabilities by using Go 1.19 #295

Open
nimish22 opened this issue Aug 16, 2022 · 2 comments
Labels
bug Something isn't working

Comments


nimish22 commented Aug 16, 2022

What happened?

Security vulnerability scanners like Twistlock and Snyk are reporting security vulnerabilities as terrajet uses <= Go 1.17 to build images. These security vulnerabilities are classified as critical and high severity and are preventing us from using the built images. Some of the CVEs are:

CVE-2021-44716
CVE-2021-41771
CVE-2022-28327
CVE-2022-24675
CVE-2022-24921
CVE-2022-23773
CVE-2022-23772
CVE-2022-23806
CVE-2022-28131
CVE-2022-30580
CVE-2022-30633
CVE-2022-30635
CVE-2022-30629
CVE-2022-30630
CVE-2022-30632
CVE-2022-32189
CVE-2022-30631
CVE-2021-41772

How can we reproduce it?

Point Snyk at the Git repository to run a security scan (e.g. https://github.com/crossplane-contrib/provider-jet-datadog, https://github.com/crossplane/terrajet). The report points out the security vulnerabilities.

Potential fix?

These CVEs can be resolved by using Go 1.19.

nimish22 added the bug label Aug 16, 2022

muvaf (Member) commented Aug 17, 2022

From my reading, it seems like the minimum Go version that'd remove these CVEs is v1.18.1, right @nimish22?

nimish22 (Author) commented

@muvaf Thank you for your quick reply and apologies for the confusion!

Twistlock scan has revealed 18 high vulnerabilities. I have updated the complete list above.

The lowest versions where these CVEs are resolved are Go 1.18.4 and Go 1.17.12.
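As an added example (not code from this issue or from terrajet), a small Go program that checks whether a toolchain version meets the patch levels stated in the comment above (1.17.12 on the 1.17 line, 1.18.4 on the 1.18 line), treating 1.19 and later as fixed and anything older than 1.17 as unfixed. The thresholds are taken from the comment as given, not verified per CVE, and the version-string parsing is the example's own.

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// First patch release per minor line that the comment above reports as fixed
// (1.17.12 and 1.18.4); newer lines count as fixed, older ones as unfixed.
var minPatched = map[int]int{17: 12, 18: 4}

// parseGoVersion turns "go1.18.4", "1.17.12" or "go1.19" into (minor, patch).
// A pre-release suffix such as "rc1" is dropped and counts as patch 0.
func parseGoVersion(v string) (minor, patch int, err error) {
	v = strings.TrimPrefix(v, "go")
	if i := strings.IndexAny(v, "rb"); i >= 0 { // "rc1", "beta2"
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 || parts[0] != "1" {
		return 0, 0, fmt.Errorf("unsupported Go version %q", v)
	}
	if minor, err = strconv.Atoi(parts[1]); err != nil {
		return 0, 0, err
	}
	if len(parts) > 2 {
		patch, err = strconv.Atoi(parts[2])
	}
	return minor, patch, err
}

// toolchainPatched reports whether a toolchain version is at or above the
// minimum patch level for its minor line; unparsable input is unpatched.
func toolchainPatched(v string) bool {
	minor, patch, err := parseGoVersion(v)
	if err != nil || minor < 17 {
		return false
	}
	if need, ok := minPatched[minor]; ok {
		return patch >= need
	}
	return true // 1.19 and later
}

func main() {
	// Toolchain this binary was built with (or use `go version -m <binary>`).
	fmt.Println(runtime.Version(), toolchainPatched(runtime.Version()))
}
```

For a container image, run the check inside the image or inspect the shipped binary with `go version -m` on the host; the version string it prints has the same `go1.X.Y` shape.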
