Go stdlib vuln - please upgrade go version #3839
Comments
Please attach the output from the vulnerability scan.
Could you please clarify as I haven't worked with According to the go.mod reference (https://go.dev/ref/mod#go-mod-file-go) the version indicates that a module was written assuming the semantics of a given version of Go. In this case we still assume go1.21 semantics (e.g. how loop variables are captured).
Apologies for that - allow me to clarify. My comment about building alertmanager with golang 1.22.3 means that after we built alertmanager internally with a Go version higher than 1.22.1, the finding stopped being reported. What this tells me is that trivy can tell which version of Go was used to build the binary and will not report a finding for this vulnerability when built with Go 1.22.2 or higher, even though the go.mod references Go 1.21 (1.21.0 is assumed, which has the vulnerability). When the project's CI builds alertmanager, if it's building with Go before 1.22.2 or before 1.21.9, then this vulnerability is potentially being shipped in alertmanager; but if it's not, then only people who build alertmanager from source using a vulnerable version of Go are affected anyway, and there's probably not much to worry about in that case since very few people outside of project contributors do so.
What did you do?
Ran trivy vuln scan on alertmanager binary built from the main branch, current HEAD commit c4a763c401742f410580df35a4eedb8daef2a219
What did you expect to see?
No CVEs
What did you see instead? Under which circumstances?
CVE for the go standard library
Environment
v0.27.0
We built with golang 1.22.3, however the go.mod requires minimum golang 1.21. In order to help mitigate these findings for future builds, I think we should bump the minimum go version in go.mod to 1.22.3 for the future releases.
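The thread turns on one point: a scanner such as trivy reads the toolchain version embedded in the binary's build info, which is set by the compiler actually used and is independent of the `go` directive in go.mod. The Go program below is an added example, not part of the issue or of the alertmanager project, that shows how that works: it reads the embedded toolchain version with the standard library's `debug/buildinfo`, parses it, and compares it with a per-release-line fix table. The fix table (`FixedIn`, with 1.21.9 and 1.22.2) is an assumption taken from the comment above, not a lookup against any vulnerability database, and the names `ParseGoVersion`, `ToolchainAffected` and `BinaryGoVersion` are this example's own.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// GoVersion is a parsed release toolchain version such as "go1.22.3".
type GoVersion struct{ Major, Minor, Patch int }

// ParseGoVersion parses "go1.22.3" or "go1.21" (patch defaults to 0, which is
// why a bare "go 1.21" directive is read as 1.21.0). Pre-release and development
// toolchains ("go1.23rc1", "devel ...") are rejected on purpose: a scanner
// should report them as unknown rather than silently treat them as fixed.
func ParseGoVersion(s string) (GoVersion, error) {
	s = strings.TrimPrefix(s, "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return GoVersion{}, fmt.Errorf("unrecognised go version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return GoVersion{}, fmt.Errorf("unrecognised go version %q", s)
		}
		nums[i] = n
	}
	return GoVersion{nums[0], nums[1], nums[2]}, nil
}

// FixedIn maps a Go minor release line to the first patch release carrying the
// fix. ASSUMPTION: these values are the ones stated in the thread (1.21.9 and
// 1.22.2); in a real scanner they come from the vulnerability database entry.
var FixedIn = map[int]int{21: 9, 22: 2}

// ToolchainAffected reports whether a binary built with toolchain v still
// carries the bug. A release line newer than the newest entry in fixedIn is
// treated as fixed; anything older than the oldest entry, or a line the table
// does not mention, is conservatively treated as affected.
func ToolchainAffected(v GoVersion, fixedIn map[int]int) bool {
	if v.Major != 1 {
		return false
	}
	if patch, ok := fixedIn[v.Minor]; ok {
		return v.Patch < patch
	}
	hi := -1
	for m := range fixedIn {
		if m > hi {
			hi = m
		}
	}
	return v.Minor <= hi
}

// BinaryGoVersion returns the toolchain version embedded in a Go executable.
// This is the compiler that produced the binary, not the go.mod "go" directive,
// which is exactly why a binary built with a newer toolchain stops being
// flagged even though go.mod still says 1.21.
func BinaryGoVersion(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

func main() {
	// Inspect this program's own binary as a stand-in for an alertmanager build.
	exe, err := os.Executable()
	if err != nil {
		fmt.Println("cannot locate own executable:", err)
		return
	}
	raw, err := BinaryGoVersion(exe)
	if err != nil {
		fmt.Println("no Go build info in", exe, ":", err)
		return
	}
	v, err := ParseGoVersion(raw)
	if err != nil {
		fmt.Printf("built with %s: not a release toolchain, treat as unknown\n", raw)
		return
	}
	fmt.Printf("built with %s, affected=%v\n", raw, ToolchainAffected(v, FixedIn))
}
```

Run it against a real binary by swapping the `os.Executable()` call for the path to the alertmanager executable. Note that the go.mod `go` directive is not in the build info at all; bumping it only changes which toolchain `go build` is willing to use (and, from Go 1.21 on, which toolchain it may download), so the effective fix for the finding is the version of Go that CI actually compiles with.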