
Vulnerabilities in latest package #245

Closed
breneckd opened this issue Mar 9, 2022 · 3 comments · Fixed by #247
Assignees
Labels
chore Changes regarding the tooling or the CI

Comments

@breneckd
Contributor

breneckd commented Mar 9, 2022

There are a few vulnerabilities that I found with my security scan, Twistlock, which I will outline. The first two are straightforward but there is one I cannot figure out and maybe you can help.

  1. There is also a crypto vuln outlined as v0.0.0-20200414173820-0848c9571904 which is fixed by changing to this: v0.0.0-20201216223049-8b5274cf687f (CVE-2020-29652)
  2. Issue with jwt-go v3.2.0, which is fixed in here
  3. This one I cannot figure out: there are 3 vulns in go 1.17.6 that are fixed in 1.17.7. I had a look into the image and it seems the smocker binary is causing this. I could not tell where 1.17.6 is used since the golang:1.17-alpine image actually uses 1.17.8. Is it possible that because go.mod is set to go 1.15 it's causing this? For reference these are the vulnerabilities (CVE-2022-23806, CVE-2022-23773, CVE-2022-23772)

The strange part is I tested the scan on just the builder image and it did not give the same issues. One of the vulns is related to crypto/elliptic, a package I could not see defined anywhere, and the vulnerability did not come up when I scanned only the golang stage of the image. So I'm wondering if this one could also be somehow related to the yarn step of the image.

[screenshot attached: Screen Shot 2022-03-09 at 12 31 10 pm]

@breneckd
Contributor Author

breneckd commented Mar 9, 2022

If you could review this PR, #246. It addresses a few of the vulnerabilities and hopefully may give a better idea about where this go 1.17.6 is coming from.

@Thiht
Collaborator

Thiht commented Mar 9, 2022

Be careful with these vulnerability scan tools, they often lack context.

  • in the case of jwt-go, it's a dependency of the jwt echo middleware, which we don't use. Thus we're not impacted. I'll probably just update echo to v4 because it fixes the issue by migrating to another lib. And the v4 migration is overdue on our side :)
  • in our case, /x/crypto is also used by echo, so updating to v4 will probably solve the warning too.
  • the issues fixed in go 1.17.7 can simply be fixed by recompiling smocker with an updated go binary. This will be fixed in the next build since the CI uses the latest 1.17: https://github.com/Thiht/smocker/blob/master/.github/workflows/main.yml#L89

The go version in the go.mod file just represents the minimum required go version for building the project, it doesn't impact the build by itself.

I'll update echo to version 4 to fix all of these at once :)

Thanks for the report
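The two points in the reply above (the toolchain a scanner reports is the one stamped into the binary, not the `go` directive in go.mod, and a scanner finding only matters if the affected module is actually linked in) can both be checked from the `go version -m <binary>` output. The program below is an added example, not code from the smocker project: it parses a constructed copy of that output, reads the compiling toolchain from the header line, and re-checks the three findings from the report against the resolved dependency versions using the fixed versions quoted in this thread. The `h1:` sums are placeholders, and the jwt-go module path `github.com/dgrijalva/jwt-go` is assumed (the thread names only "jwt-go").

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of `go version -m smocker` output (not real project output).
// The header carries the toolchain that compiled the binary; go.mod's `go 1.15`
// line never appears here, which is why the scanner reports 1.17.6.
const sampleGoVersionM = `smocker: go1.17.6
	path	github.com/Thiht/smocker
	mod	github.com/Thiht/smocker	(devel)	
	dep	golang.org/x/crypto	v0.0.0-20200414173820-0848c9571904	h1:PLACEHOLDER
	dep	github.com/dgrijalva/jwt-go	v3.2.0+incompatible	h1:PLACEHOLDER
`

// The same binary after a rebuild with a newer toolchain and the echo v4
// migration (x/crypto bumped, jwt-go no longer linked in). Also constructed.
const rebuiltGoVersionM = `smocker: go1.17.8
	path	github.com/Thiht/smocker
	mod	github.com/Thiht/smocker	(devel)	
	dep	golang.org/x/crypto	v0.0.0-20201216223049-8b5274cf687f	h1:PLACEHOLDER
`

// BuildInfo holds what `go version -m` reports about one binary.
type BuildInfo struct {
	Binary    string
	GoVersion string            // toolchain stamped into the binary, e.g. "go1.17.6"
	Main      string            // main module path
	Deps      map[string]string // module path -> resolved version
}

// ParseGoVersionM parses the text printed by `go version -m <binary>`.
func ParseGoVersionM(out string) (BuildInfo, error) {
	bi := BuildInfo{Deps: map[string]string{}}
	lines := strings.Split(strings.TrimRight(out, "\n"), "\n")
	hdr := strings.SplitN(lines[0], ": ", 2)
	if len(hdr) != 2 || !strings.HasPrefix(hdr[1], "go") {
		return bi, fmt.Errorf("unexpected header line: %q", lines[0])
	}
	bi.Binary, bi.GoVersion = hdr[0], strings.TrimSpace(hdr[1])
	for _, l := range lines[1:] {
		f := strings.Split(strings.TrimPrefix(l, "\t"), "\t")
		switch f[0] {
		case "mod":
			if len(f) >= 2 {
				bi.Main = f[1]
			}
		case "dep":
			if len(f) < 3 {
				return bi, fmt.Errorf("bad dep line: %q", l)
			}
			bi.Deps[f[1]] = f[2]
		}
	}
	return bi, nil
}

// versionKey splits "go1.17.6", "v0.0.0-20200414173820-0848c9571904" or
// "v3.2.0+incompatible" into numeric major/minor/patch plus, for pseudo-versions,
// the 14-digit commit timestamp (other pre-release tags are compared as strings).
func versionKey(v string) ([3]int, string) {
	v = strings.TrimSuffix(strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v"), "+incompatible")
	parts := strings.SplitN(v, "-", 2)
	var nums [3]int
	for i, p := range strings.SplitN(parts[0], ".", 3) {
		nums[i], _ = strconv.Atoi(p)
	}
	stamp := ""
	if len(parts) == 2 {
		stamp = strings.SplitN(parts[1], "-", 2)[0]
	}
	return nums, stamp
}

// compareVersions returns -1, 0 or 1. A release with no suffix sorts after any
// pre-release or pseudo-version on the same base, as in Go's semver ordering.
func compareVersions(a, b string) int {
	an, as := versionKey(a)
	bn, bs := versionKey(b)
	for i := range an {
		if an[i] != bn[i] {
			if an[i] < bn[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case as == bs:
		return 0
	case as == "":
		return 1
	case bs == "":
		return -1
	case as < bs:
		return -1
	}
	return 1
}

// Rule is one scanner-style check: Path (or "go" for the toolchain) is affected
// below FixedIn; an empty FixedIn flags every version of the module.
type Rule struct{ Path, FixedIn, IDs string }

// rules reproduces the three findings from the report, with the fixed versions
// quoted in the thread. jwt-go has no fixed version because the thread's remedy
// is migrating off it via echo v4, so its presence at all is reported.
var rules = []Rule{
	{"go", "go1.17.7", "CVE-2022-23806, CVE-2022-23773, CVE-2022-23772"},
	{"golang.org/x/crypto", "v0.0.0-20201216223049-8b5274cf687f", "CVE-2020-29652"},
	{"github.com/dgrijalva/jwt-go", "", "jwt-go v3.2.0 finding (module path assumed)"},
}

// Audit returns one line per rule the binary trips. A module that is not linked
// into the binary is skipped: that is the context a scanner of the image lacks.
func Audit(bi BuildInfo) []string {
	var out []string
	for _, r := range rules {
		have := bi.Deps[r.Path]
		if r.Path == "go" {
			have = bi.GoVersion
		}
		if have == "" {
			continue
		}
		if r.FixedIn == "" || compareVersions(have, r.FixedIn) < 0 {
			out = append(out, fmt.Sprintf("%s %s (fixed in %q): %s", r.Path, have, r.FixedIn, r.IDs))
		}
	}
	return out
}

func main() {
	for _, sample := range []string{sampleGoVersionM, rebuiltGoVersionM} {
		bi, err := ParseGoVersionM(sample)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s built with %s\n", bi.Binary, bi.GoVersion)
		for _, f := range Audit(bi) {
			fmt.Println("  FLAGGED:", f)
		}
	}
}
```

Run against a real binary with `go version -m ./smocker | go run main.go` after swapping the constant for stdin if you want to reuse it; the point of the sample pair is that the first binary trips all three rules while the rebuilt one trips none, without any change to go.mod's `go` directive.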

@Thiht Thiht added the chore Changes regarding the tooling or the CI label Mar 9, 2022
@Thiht Thiht self-assigned this Mar 9, 2022
@Thiht Thiht linked a pull request Mar 9, 2022 that will close this issue
@breneckd
Contributor Author

breneckd commented Mar 9, 2022

Thanks for your response. I see that the last release for smocker was on Feb 8, so hopefully you are right and it just needs a recompile; sounds like this could be the likely issue though.
