Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updated go version #2154

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

kalpanathanneeru21
Copy link

tfsec showing couple of CRITICAL and HIGH CVE's in orca scan report with the latest version of tfsec.
Existing go version is 1.19
Fixed go versions are 1.22.4, 1.22.5

[2024-07-23T13:25:19.022Z]       "target": "usr/bin/tfsec",
[2024-07-23T13:25:19.022Z]       "category": "lang-pkgs",
[2024-07-23T13:25:19.022Z]       "type": "gobinary",
[2024-07-23T13:25:19.022Z]       "vulnerabilities": [
[2024-07-23T13:25:19.022Z]         {
[2024-07-23T13:25:19.022Z]           "vulnerability_id": "CVE-2024-24790",
[2024-07-23T13:25:19.022Z]           "severity": "CRITICAL",
[2024-07-23T13:25:19.022Z]           "pkg_name": "stdlib",
[2024-07-23T13:25:19.022Z]           "pkg_path": "",
[2024-07-23T13:25:19.022Z]           "installed_version": "1.19.13",
[2024-07-23T13:25:19.022Z]           "fixed_version": "1.21.11, 1.22.4",
[2024-07-23T13:25:19.022Z]           "cvss_v2_score": "",
[2024-07-23T13:25:19.022Z]           "cvss_v3_score": "9.8",
[2024-07-23T13:25:19.022Z]           "status_summary": {
[2024-07-23T13:25:19.022Z]             "priority": "HIGH",
[2024-07-23T13:25:19.022Z]             "status": "FAILED"
[2024-07-23T13:25:19.022Z]           }
[2024-07-23T13:25:19.022Z]         },
[2024-07-23T13:25:19.022Z]         {
[2024-07-23T13:25:19.022Z]           "vulnerability_id": "CVE-2024-6257",
[2024-07-23T13:25:19.022Z]           "severity": "HIGH",
[2024-07-23T13:25:19.022Z]           "pkg_name": "github.com/hashicorp/go-getter",
[2024-07-23T13:25:19.022Z]           "pkg_path": "",
[2024-07-23T13:25:19.022Z]           "installed_version": "v1.7.4",
[2024-07-23T13:25:19.022Z]           "fixed_version": "1.7.5",
[2024-07-23T13:25:19.022Z]           "cvss_v2_score": "",
[2024-07-23T13:25:19.022Z]           "cvss_v3_score": "8.5",
[2024-07-23T13:25:19.022Z]           "status_summary": {
[2024-07-23T13:25:19.022Z]             "priority": "INFO",
[2024-07-23T13:25:19.022Z]             "status": "SKIPPED",
[2024-07-23T13:25:19.022Z]             "exception": {
[2024-07-23T13:25:19.022Z]               "expiration": "2024/07/28"
[2024-07-23T13:25:19.022Z]             }
[2024-07-23T13:25:19.022Z]           }
[2024-07-23T13:25:19.022Z]         },
[2024-07-23T13:25:19.022Z]         {
[2024-07-23T13:25:19.022Z]           "vulnerability_id": "CVE-2023-39325",
[2024-07-23T13:25:19.022Z]           "severity": "HIGH",
[2024-07-23T13:25:19.022Z]           "pkg_name": "stdlib",
[2024-07-23T13:25:19.022Z]           "pkg_path": "",
[2024-07-23T13:25:19.022Z]           "installed_version": "1.19.13",
[2024-07-23T13:25:19.022Z]           "fixed_version": "1.20.10, 1.21.3",
[2024-07-23T13:25:19.022Z]           "cvss_v2_score": "",
[2024-07-23T13:25:19.022Z]           "cvss_v3_score": "7.5",
[2024-07-23T13:25:19.022Z]           "status_summary": {
[2024-07-23T13:25:19.022Z]             "priority": "HIGH",
[2024-07-23T13:25:19.022Z]             "status": "FAILED"
[2024-07-23T13:25:19.022Z]           }
[2024-07-23T13:25:19.022Z]         },
[2024-07-23T13:25:19.022Z]         {
[2024-07-23T13:25:19.022Z]           "vulnerability_id": "CVE-2023-45283",
[2024-07-23T13:25:19.022Z]           "severity": "HIGH",
[2024-07-23T13:25:19.022Z]           "pkg_name": "stdlib",
[2024-07-23T13:25:19.022Z]           "pkg_path": "",
[2024-07-23T13:25:19.022Z]           "installed_version": "1.19.13",
[2024-07-23T13:25:19.022Z]           "fixed_version": "1.20.11, 1.21.4, 1.20.12, 1.21.5",
[2024-07-23T13:25:19.022Z]           "cvss_v2_score": "",
[2024-07-23T13:25:19.022Z]           "cvss_v3_score": "7.5",
[2024-07-23T13:25:19.022Z]           "status_summary": {
[2024-07-23T13:25:19.022Z]             "priority": "HIGH",
[2024-07-23T13:25:19.022Z]             "status": "FAILED"
[2024-07-23T13:25:19.022Z]           }
[2024-07-23T13:25:19.022Z]         },
[2024-07-23T13:25:19.022Z]         {
[2024-07-23T13:25:19.022Z]           "vulnerability_id": "CVE-2023-45287",
[2024-07-23T13:25:19.022Z]           "severity": "HIGH",
[2024-07-23T13:25:19.022Z]           "pkg_name": "stdlib",
[2024-07-23T13:25:19.022Z]           "pkg_path": "",
[2024-07-23T13:25:19.022Z]           "installed_version": "1.19.13",
[2024-07-23T13:25:19.022Z]           "fixed_version": "1.20.0",
[2024-07-23T13:25:19.022Z]           "cvss_v2_score": "",
[2024-07-23T13:25:19.022Z]           "cvss_v3_score": "7.5",
[2024-07-23T13:25:19.022Z]           "status_summary": {
[2024-07-23T13:25:19.022Z]             "priority": "HIGH",
[2024-07-23T13:25:19.022Z]             "status": "FAILED"
[2024-07-23T13:25:19.022Z]           }
[2024-07-23T13:25:19.022Z]         },
[2024-07-23T13:25:19.022Z]         {
[2024-07-23T13:25:19.022Z]           "vulnerability_id": "CVE-2024-24791",
[2024-07-23T13:25:19.022Z]           "severity": "HIGH",
[2024-07-23T13:25:19.022Z]           "pkg_name": "stdlib",
[2024-07-23T13:25:19.022Z]           "pkg_path": "",
[2024-07-23T13:25:19.022Z]           "installed_version": "1.19.13",
[2024-07-23T13:25:19.022Z]           "fixed_version": "1.21.12, 1.22.5",
[2024-07-23T13:25:19.022Z]           "cvss_v2_score": "",
[2024-07-23T13:25:19.022Z]           "cvss_v3_score": "7.5",
[2024-07-23T13:25:19.022Z]           "status_summary": {
[2024-07-23T13:25:19.022Z]             "priority": "HIGH",
[2024-07-23T13:25:19.022Z]             "status": "FAILED"
[2024-07-23T13:25:19.022Z]           }
[2024-07-23T13:25:19.022Z]         }

@CLAassistant
Copy link

CLAassistant commented Jul 23, 2024

CLA assistant check
All committers have signed the CLA.

@kalpanathanneeru21
Copy link
Author

any expected timeline to merge this PR.

@nikpivkin
Copy link

Hi @kalpanathanneeru21 !

The maintainer @simar7 is currently on holiday.

@kalpanathanneeru21
Copy link
Author

Any update on this.

@kalpanathanneeru21
Copy link
Author

what is blocking this PR to get merged.

@cHiv0rz
Copy link

cHiv0rz commented Sep 2, 2024

Just came here to say I'm interested as well on this PR be merged

@jdesouza
Copy link
Contributor

jdesouza commented Sep 25, 2024

I believe we need go 1.22.7 because of:
CVE-2024-34156 │ │ │ │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│ │ │ │ │ │ │ which contains deeply nested structures... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-34156

@kalpanathanneeru21 would mind updating your PR to 1.22.7?

@kalpanathanneeru21
Copy link
Author

I believe we need go 1.22.7 because of: │ CVE-2024-34156 │ │ │ │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │ │ │ │ │ │ │ │ which contains deeply nested structures... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-34156

@kalpanathanneeru21 would mind updating your PR to 1.22.7?

Updated.

@simar7
Copy link
Member

simar7 commented Sep 28, 2024

@kalpanathanneeru21 looks like CI is failing.

@jdesouza
Copy link
Contributor

jdesouza commented Oct 4, 2024

For those interested on this PR this one was released:
0da0caf

Copy link

github-actions bot commented Nov 4, 2024

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 365 days.

@github-actions github-actions bot added the stale Stale issues will be closed within 7 days of this label being assigned label Nov 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
stale Stale issues will be closed within 7 days of this label being assigned
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants