There are a few vulnerabilities that I found with my security scan (Twistlock) which I will outline. The first two are straightforward, but there is one I cannot figure out and maybe you can help.
jwt-go v3.2.0, which is fixed in here.
There is also a crypto vuln outlined as v0.0.0-20200414173820-0848c9571904, which is fixed by changing to v0.0.0-20201216223049-8b5274cf687f (CVE-2020-29652).
This one I cannot figure out: there are 3 vulns in go 1.17.6 that are fixed in 1.17.7. I had a look into the image and it seems the smocker binary is causing this. I could not tell where 1.17.6 is used, since the golang:1.17-alpine image actually uses 1.17.8. Is it possible that go.mod being set to go 1.15 is causing this? For reference, these are the vulnerabilities (CVE-2022-23806, CVE-2022-23773, CVE-2022-23772).
The strange part is that I tested the scan on just the builder image and it did not give the same issues. One of the vulns is related to crypto/elliptic, which I could not see defined anywhere as a package, and the vulnerability did not come up when I scanned only the golang stage of the image. So I am wondering if this one could also somehow be related to the yarn step of the image.
If you could review PR #246: it addresses a few of the vulnerabilities and hopefully may give a better idea about where this go 1.17.6 is coming from.
Be careful with these vulnerability scan tools, they often lack context.
In the case of jwt-go, it's a dependency of the jwt echo middleware, which we don't use. Thus we're not impacted. I'll probably just update echo to v4 because it fixes the issue by migrating to another lib. And the v4 migration is overdue on our side :)
In our case, /x/crypto is also used by echo, so updating to v4 will probably solve the warning too.
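One way to get the context the scanner lacks, and to answer the question above about where 1.17.6 is coming from, is to read the build info embedded in the shipped binary: it records the toolchain that actually compiled it (independent of the go directive in go.mod) and the resolved module versions. The following is an added example, not smocker's own code; it uses the standard debug/buildinfo package (Go 1.18 or newer), and the single advisory entry is constructed from the x/crypto versions quoted in this issue.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strings"
)

// Advisories maps a module path to the first pseudo-version containing the fix;
// the single entry uses the versions quoted in this issue (CVE-2020-29652).
var Advisories = map[string]string{
	"golang.org/x/crypto": "v0.0.0-20201216223049-8b5274cf687f",
}

// pseudoTimestamp returns the yyyymmddhhmmss field of a pseudo-version
// (vX.Y.Z-yyyymmddhhmmss-abcdefabcdef), or "" for a tagged release.
func pseudoTimestamp(v string) string {
	parts := strings.Split(v, "-")
	if len(parts) != 3 || len(parts[1]) != 14 {
		return ""
	}
	return parts[1]
}

// FlaggedDeps lists "path@version" for every dependency whose pseudo-version
// predates its advisory fix; replace directives are honoured, tagged releases skipped.
func FlaggedDeps(bi *debug.BuildInfo) []string {
	var out []string
	for _, d := range bi.Deps {
		if d.Replace != nil {
			d = d.Replace
		}
		fixed, known := Advisories[d.Path]
		have := pseudoTimestamp(d.Version)
		if known && have != "" && have < pseudoTimestamp(fixed) {
			out = append(out, d.Path+"@"+d.Version)
		}
	}
	return out
}

func main() {
	bi, err := buildinfo.ReadFile(os.Args[1]) // e.g. the smocker binary copied out of the image
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// GoVersion is the toolchain that compiled the binary, not the go directive in go.mod.
	fmt.Println("built with", bi.GoVersion, "flagged deps:", FlaggedDeps(bi))
}
```

The same information is available from the toolchain itself with `go version -m <binary>`; the program above just makes the version comparison explicit.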
Thanks for your response. I see that the last release for smocker was on Feb 8, so hopefully you are right and it just needs a recompile; it sounds like this could be the likely issue, though.