
CVE(s) found #2110

Closed
github-actions bot opened this issue Mar 28, 2024 · 5 comments · Fixed by #2105 or #2097
Labels
cve type/bug Issue that reports an unexpected behaviour.
Milestone

Comments

@github-actions

Latest buildpacksio/pack v0.33.2 triggered CVE(s) from Grype. For further details, see: https://github.com/buildpacks/pack/actions/runs/8461426079

@github-actions github-actions bot added cve status/triage Issue or PR that requires contributor attention. type/bug Issue that reports an unexpected behaviour. labels Mar 28, 2024
@vivekcode101

I did the scan of the pack CLI,
getting the same CVEs.
Also, how do I create the pack CLI through this repo on my local machine so that I can contribute more to it?

[Screenshot 2024-04-10 215157]

@jjbustamante jjbustamante added status/in-progress Issue or PR that is currently in progress. and removed status/triage Issue or PR that requires contributor attention. labels Apr 10, 2024
@jjbustamante
Member

Hi @vivekcode101

Thanks for being interested in this issue. We merged the dependencies already, and it will be fixed with pack 0.34.0. If you want to compile the binaries locally, follow the steps here, and you can look for issues with the label good-first-issue to pick something that you find interesting to work on.

@vivekcode101

vivekcode101 commented Apr 12, 2024

Thanks for the response @jjbustamante.
Just a quick side note: are the stdlib CVEs which were found in the scan also removed? Because the merged PR only shows the protobuf and anchore/stereoscope ones.
And if they are removed, can you provide any reference for how you resolved that issue?

@jjbustamante
Member

The standard libraries are related to the Go version used to compile pack during the release. We are using golang 1.21.x, but I will check before releasing 0.34.0.

Locally I can double-check in this way:

[Screenshot 2024-04-12 at 11 10 51 AM]
  • I'm using go 1.22.2
  • Latest pack binary was compiled using go 1.21.7
  • Compiling pack with go 1.22.2 and current dependencies is free of CVEs

pack image artifacts are created using distroless and ubuntu jammy; see the workflow here.
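The check described in the comment above (which Go toolchain built a released binary, since stdlib CVEs are fixed by rebuilding with a newer toolchain rather than by bumping go.mod dependencies) can be scripted. The POSIX shell helper below is an added example, not code from the pack project or from the commenter: it parses the output of `go version -m <binary>`, extracts the toolchain version, compares it against a minimum, and lists the module versions compiled in. The sample output embedded in it is constructed (the module versions and `h1:` hashes are placeholders), and the function names are assumptions.

```shell
#!/bin/sh
# Added example: inspect which Go toolchain built a binary and compare it
# against a minimum version. `go version -m` prints the embedded build info:
# first line "<name>: go<version>", then tab-separated path/mod/dep/build lines.

# Constructed sample resembling `go version -m ./pack` output; versions and
# hashes are placeholders, not real pack release data.
SAMPLE_GO_VERSION_M=$(printf 'pack: go1.21.7\n\tpath\tgithub.com/buildpacks/pack/cmd/pack\n\tmod\tgithub.com/buildpacks/pack\t(devel)\n\tdep\tgithub.com/anchore/stereoscope\tv0.0.1\th1:PLACEHOLDER=\n\tdep\tgoogle.golang.org/protobuf\tv1.33.0\th1:PLACEHOLDER=\n\tbuild\tGOOS=linux\n')

# toolchain_version TEXT: print the Go version (e.g. 1.21.7) from the first line.
toolchain_version() {
    printf '%s\n' "$1" | sed -n '1s/.*: go\([0-9][0-9.]*\).*/\1/p'
}

# list_deps TEXT: print "module version" for every dep line.
list_deps() {
    printf '%s\n' "$1" | awk -F'\t' '$2 == "dep" { print $3, $4 }'
}

# dep_version TEXT MODULE: print the compiled-in version of one module.
dep_version() {
    printf '%s\n' "$1" | awk -F'\t' -v m="$2" '$2 == "dep" && $3 == m { print $4 }'
}

# version_ge A B: succeed when dotted numeric version A >= B.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)" = "$1" ]
}

# assess_output TEXT MIN: report whether the toolchain meets the minimum.
# Returns 0 when it does, 1 when a rebuild with a newer toolchain is needed.
assess_output() {
    v=$(toolchain_version "$1")
    if [ -z "$v" ]; then
        echo "could not find a Go toolchain line in the build info" >&2
        return 2
    fi
    if version_ge "$v" "$2"; then
        echo "built with go$v (>= $2): ok"
        return 0
    fi
    echo "built with go$v (< $2): rebuild with a newer toolchain to pick up stdlib fixes"
    return 1
}

# check_binary PATH MIN: run the real check on a binary (needs go on PATH).
check_binary() {
    out=$(go version -m "$1") || return 2
    assess_output "$out" "$2"
}

# Demo on the constructed sample: a binary built with go1.21.7 checked
# against a required 1.22.2 fails the check (exit status is kept non-fatal).
echo "toolchain: $(toolchain_version "$SAMPLE_GO_VERSION_M")"
list_deps "$SAMPLE_GO_VERSION_M"
if assess_output "$SAMPLE_GO_VERSION_M" 1.22.2; then :; fi
```

To use it on a real release, run `check_binary ./pack 1.22.2` (or whatever minimum your scanner's stdlib advisories require); the `dep` lines are what Grype matches Go module CVEs against, while the first line is what decides the stdlib findings.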

@jjbustamante jjbustamante removed the status/in-progress Issue or PR that is currently in progress. label May 31, 2024
@jjbustamante
Member

Fixed with 0.34.0 and 0.34.1 (docker hub)

[Screenshot 2024-05-31 at 5 37 06 AM]

@jjbustamante jjbustamante added this to the 0.34.1 milestone May 31, 2024