
Updated go version #2154

Open: wants to merge 1 commit into base: master

Conversation

kalpanathanneeru21

tfsec is showing a couple of CRITICAL and HIGH CVEs in the Orca scan report with the latest version of tfsec.
The existing Go version is 1.19.
Fixed Go versions are 1.22.4, 1.22.5.

[2024-07-23T13:25:19.022Z]       "target": "usr/bin/tfsec",
[2024-07-23T13:25:19.022Z]       "category": "lang-pkgs",
[2024-07-23T13:25:19.022Z]       "type": "gobinary",
[2024-07-23T13:25:19.022Z]       "vulnerabilities": [
[2024-07-23T13:25:19.022Z]         {
[2024-07-23T13:25:19.022Z]           "vulnerability_id": "CVE-2024-24790",
[2024-07-23T13:25:19.022Z]           "severity": "CRITICAL",
[2024-07-23T13:25:19.022Z]           "pkg_name": "stdlib",
[2024-07-23T13:25:19.022Z]           "pkg_path": "",
[2024-07-23T13:25:19.022Z]           "installed_version": "1.19.13",
[2024-07-23T13:25:19.022Z]           "fixed_version": "1.21.11, 1.22.4",
[2024-07-23T13:25:19.022Z]           "cvss_v2_score": "",
[2024-07-23T13:25:19.022Z]           "cvss_v3_score": "9.8",
[2024-07-23T13:25:19.022Z]           "status_summary": {
[2024-07-23T13:25:19.022Z]             "priority": "HIGH",
[2024-07-23T13:25:19.022Z]             "status": "FAILED"
[2024-07-23T13:25:19.022Z]           }
[2024-07-23T13:25:19.022Z]         },
[2024-07-23T13:25:19.022Z]         {
[2024-07-23T13:25:19.022Z]           "vulnerability_id": "CVE-2024-6257",
[2024-07-23T13:25:19.022Z]           "severity": "HIGH",
[2024-07-23T13:25:19.022Z]           "pkg_name": "github.com/hashicorp/go-getter",
[2024-07-23T13:25:19.022Z]           "pkg_path": "",
[2024-07-23T13:25:19.022Z]           "installed_version": "v1.7.4",
[2024-07-23T13:25:19.022Z]           "fixed_version": "1.7.5",
[2024-07-23T13:25:19.022Z]           "cvss_v2_score": "",
[2024-07-23T13:25:19.022Z]           "cvss_v3_score": "8.5",
[2024-07-23T13:25:19.022Z]           "status_summary": {
[2024-07-23T13:25:19.022Z]             "priority": "INFO",
[2024-07-23T13:25:19.022Z]             "status": "SKIPPED",
[2024-07-23T13:25:19.022Z]             "exception": {
[2024-07-23T13:25:19.022Z]               "expiration": "2024/07/28"
[2024-07-23T13:25:19.022Z]             }
[2024-07-23T13:25:19.022Z]           }
[2024-07-23T13:25:19.022Z]         },
[2024-07-23T13:25:19.022Z]         {
[2024-07-23T13:25:19.022Z]           "vulnerability_id": "CVE-2023-39325",
[2024-07-23T13:25:19.022Z]           "severity": "HIGH",
[2024-07-23T13:25:19.022Z]           "pkg_name": "stdlib",
[2024-07-23T13:25:19.022Z]           "pkg_path": "",
[2024-07-23T13:25:19.022Z]           "installed_version": "1.19.13",
[2024-07-23T13:25:19.022Z]           "fixed_version": "1.20.10, 1.21.3",
[2024-07-23T13:25:19.022Z]           "cvss_v2_score": "",
[2024-07-23T13:25:19.022Z]           "cvss_v3_score": "7.5",
[2024-07-23T13:25:19.022Z]           "status_summary": {
[2024-07-23T13:25:19.022Z]             "priority": "HIGH",
[2024-07-23T13:25:19.022Z]             "status": "FAILED"
[2024-07-23T13:25:19.022Z]           }
[2024-07-23T13:25:19.022Z]         },
[2024-07-23T13:25:19.022Z]         {
[2024-07-23T13:25:19.022Z]           "vulnerability_id": "CVE-2023-45283",
[2024-07-23T13:25:19.022Z]           "severity": "HIGH",
[2024-07-23T13:25:19.022Z]           "pkg_name": "stdlib",
[2024-07-23T13:25:19.022Z]           "pkg_path": "",
[2024-07-23T13:25:19.022Z]           "installed_version": "1.19.13",
[2024-07-23T13:25:19.022Z]           "fixed_version": "1.20.11, 1.21.4, 1.20.12, 1.21.5",
[2024-07-23T13:25:19.022Z]           "cvss_v2_score": "",
[2024-07-23T13:25:19.022Z]           "cvss_v3_score": "7.5",
[2024-07-23T13:25:19.022Z]           "status_summary": {
[2024-07-23T13:25:19.022Z]             "priority": "HIGH",
[2024-07-23T13:25:19.022Z]             "status": "FAILED"
[2024-07-23T13:25:19.022Z]           }
[2024-07-23T13:25:19.022Z]         },
[2024-07-23T13:25:19.022Z]         {
[2024-07-23T13:25:19.022Z]           "vulnerability_id": "CVE-2023-45287",
[2024-07-23T13:25:19.022Z]           "severity": "HIGH",
[2024-07-23T13:25:19.022Z]           "pkg_name": "stdlib",
[2024-07-23T13:25:19.022Z]           "pkg_path": "",
[2024-07-23T13:25:19.022Z]           "installed_version": "1.19.13",
[2024-07-23T13:25:19.022Z]           "fixed_version": "1.20.0",
[2024-07-23T13:25:19.022Z]           "cvss_v2_score": "",
[2024-07-23T13:25:19.022Z]           "cvss_v3_score": "7.5",
[2024-07-23T13:25:19.022Z]           "status_summary": {
[2024-07-23T13:25:19.022Z]             "priority": "HIGH",
[2024-07-23T13:25:19.022Z]             "status": "FAILED"
[2024-07-23T13:25:19.022Z]           }
[2024-07-23T13:25:19.022Z]         },
[2024-07-23T13:25:19.022Z]         {
[2024-07-23T13:25:19.022Z]           "vulnerability_id": "CVE-2024-24791",
[2024-07-23T13:25:19.022Z]           "severity": "HIGH",
[2024-07-23T13:25:19.022Z]           "pkg_name": "stdlib",
[2024-07-23T13:25:19.022Z]           "pkg_path": "",
[2024-07-23T13:25:19.022Z]           "installed_version": "1.19.13",
[2024-07-23T13:25:19.022Z]           "fixed_version": "1.21.12, 1.22.5",
[2024-07-23T13:25:19.022Z]           "cvss_v2_score": "",
[2024-07-23T13:25:19.022Z]           "cvss_v3_score": "7.5",
[2024-07-23T13:25:19.022Z]           "status_summary": {
[2024-07-23T13:25:19.022Z]             "priority": "HIGH",
[2024-07-23T13:25:19.022Z]             "status": "FAILED"
[2024-07-23T13:25:19.022Z]           }
[2024-07-23T13:25:19.022Z]         }

@CLAassistant

CLAassistant commented Jul 23, 2024

CLA assistant check
All committers have signed the CLA.

@kalpanathanneeru21
Author

Any expected timeline to merge this PR?

@nikpivkin

Hi @kalpanathanneeru21 !

The maintainer @simar7 is currently on holiday.

@kalpanathanneeru21
Author

Any update on this?

@kalpanathanneeru21
Author

What is blocking this PR from getting merged?

@cHiv0rz

cHiv0rz commented Sep 2, 2024

Just came here to say I'm interested as well in this PR being merged.

@jdesouza
Contributor

jdesouza commented Sep 25, 2024

I believe we need go 1.22.7 because of:
CVE-2024-34156 | 1.22.7, 1.23.1 | encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures... | https://avd.aquasec.com/nvd/cve-2024-34156

@kalpanathanneeru21 would you mind updating your PR to 1.22.7?
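
As an added example (not code from this PR or from the tfsec project), the Go program below reads a report in the shape quoted in the PR description and answers the question this thread settles by hand: which Go release closes every stdlib finding, and what a given toolchain would still leave open. It assumes one reading of the scanner's fixed_version field, namely that a fix listed for a minor series also holds for every newer series but never for an older or unlisted one; SampleReport is constructed from the findings above plus CVE-2024-34156 from the previous comment, and the function names are the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Finding keeps the report fields needed to choose a toolchain (keys as in the PR's report).
type Finding struct {
	ID           string `json:"vulnerability_id"`
	PkgName      string `json:"pkg_name"`
	FixedVersion string `json:"fixed_version"` // comma-separated, one release per Go minor series
}

type goVersion struct{ major, minor, patch int }

// SampleReport is a constructed excerpt: the PR description's findings plus CVE-2024-34156 from the later comment.
const SampleReport = `{"target": "usr/bin/tfsec", "vulnerabilities": [
 {"vulnerability_id": "CVE-2024-24790", "pkg_name": "stdlib", "fixed_version": "1.21.11, 1.22.4"},
 {"vulnerability_id": "CVE-2024-6257", "pkg_name": "github.com/hashicorp/go-getter", "fixed_version": "1.7.5"},
 {"vulnerability_id": "CVE-2023-39325", "pkg_name": "stdlib", "fixed_version": "1.20.10, 1.21.3"},
 {"vulnerability_id": "CVE-2023-45283", "pkg_name": "stdlib", "fixed_version": "1.20.11, 1.21.4, 1.20.12, 1.21.5"},
 {"vulnerability_id": "CVE-2023-45287", "pkg_name": "stdlib", "fixed_version": "1.20.0"},
 {"vulnerability_id": "CVE-2024-24791", "pkg_name": "stdlib", "fixed_version": "1.21.12, 1.22.5"},
 {"vulnerability_id": "CVE-2024-34156", "pkg_name": "stdlib", "fixed_version": "1.22.7, 1.23.1"}]}`

// LoadReport decodes the scanner JSON; only the "vulnerabilities" array is used.
func LoadReport(data []byte) ([]Finding, error) {
	var r struct{ Findings []Finding `json:"vulnerabilities"` }
	err := json.Unmarshal(data, &r)
	return r.Findings, err
}

// parseGoVersion reads "1.22.4" or "1.22" (patch 0).
func parseGoVersion(s string) (v goVersion, err error) {
	fields := []*int{&v.major, &v.minor, &v.patch}
	parts := strings.Split(strings.TrimSpace(s), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("malformed Go version %q", s)
	}
	for i, p := range parts {
		if *fields[i], err = strconv.Atoi(p); err != nil {
			return goVersion{}, fmt.Errorf("malformed Go version %q", s)
		}
	}
	return v, nil
}

// fixedBy reports whether toolchain v carries one of the fixes in a fixed_version list. A minor series
// newer than every listed one counts as fixed (fixes land on main before being backported); an older or
// unlisted series counts as still vulnerable. That conservative reading is this example's assumption.
func fixedBy(v goVersion, fixedVersion string) bool {
	newestMinor := -1
	for _, item := range strings.Split(fixedVersion, ",") {
		fv, err := parseGoVersion(item)
		if err != nil {
			continue // an unreadable (or empty) entry is never credited as a fix
		}
		if fv.major == v.major && fv.minor == v.minor && v.patch >= fv.patch {
			return true
		}
		if fv.major == v.major && fv.minor > newestMinor {
			newestMinor = fv.minor
		}
	}
	return newestMinor >= 0 && v.minor > newestMinor
}

// Unfixed lists the stdlib findings a binary built with toolchain would still carry; module findings
// (go-getter here) are skipped because they need a go.mod bump, not a toolchain one.
func Unfixed(findings []Finding, toolchain string) ([]string, error) {
	v, err := parseGoVersion(toolchain)
	if err != nil {
		return nil, err
	}
	var open []string
	for _, f := range findings {
		if f.PkgName == "stdlib" && !fixedBy(v, f.FixedVersion) {
			open = append(open, f.ID)
		}
	}
	return open, nil
}

// MinimumToolchain returns the lowest release of a minor series ("1.22") that fixes every stdlib
// finding; ok is false when that series lacks a backport for one of them.
func MinimumToolchain(findings []Finding, series string) (string, bool, error) {
	need, err := parseGoVersion(series)
	if err != nil {
		return "", false, err
	}
	need.patch = 0
	for _, f := range findings {
		for _, item := range strings.Split(f.FixedVersion, ",") { // newest fix listed for this series
			if fv, err := parseGoVersion(item); err == nil && f.PkgName == "stdlib" && fv.major == need.major && fv.minor == need.minor && fv.patch > need.patch {
				need.patch = fv.patch
			}
		}
	}
	v := fmt.Sprintf("%d.%d.%d", need.major, need.minor, need.patch)
	open, _ := Unfixed(findings, v) // v is well-formed by construction, so this cannot fail
	return v, len(open) == 0, nil
}
```

On the sample, `MinimumToolchain` for the 1.22 series returns 1.22.7, the version asked for in the comment above, and `Unfixed` with 1.22.5 reports CVE-2024-34156 as the one finding still open. The 1.21 series comes back unsatisfiable because the constructed data lists no 1.21 release for that CVE, which is the kind of gap a plain "bump to the latest listed patch" step misses. The go-getter finding is deliberately outside the toolchain question: it closes only through a go.mod update.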

@kalpanathanneeru21
Author

> I believe we need go 1.22.7 because of:
> CVE-2024-34156 | 1.22.7, 1.23.1 | encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures... | https://avd.aquasec.com/nvd/cve-2024-34156
>
> @kalpanathanneeru21 would you mind updating your PR to 1.22.7?

Updated.

@simar7
Member

simar7 commented Sep 28, 2024

@kalpanathanneeru21 looks like CI is failing.

@jdesouza
Contributor

jdesouza commented Oct 4, 2024

For those interested in this PR, this one was released:
0da0caf

6 participants