Open octavian-mto opened 1 month ago
Describe the bug
The jp (jmespath) dependency is stuck at version 0.2.1 (released in 2021) due to the maintainer not focusing on the project anymore. Since the executable is using an older version of go (1.17.1), it triggers container image scanners.
Here are the related bug reports on the jp side: https://github.com/jmespath/jp/issues/51 and https://github.com/jmespath/jp/issues/46
Related command
FROM mcr.microsoft.com/azure-cli
Errors
CVE-2021-38297 CVE-2023-24538 CVE-2024-24790 CVE-2023-24540 CVE-2023-29402 CVE-2023-29404 CVE-2023-29405
Issue script & Debug output
See above
Expected behavior
No security vulnerabilities are reported when using mcr.microsoft.com/azure-cli
Environment Summary
# az --version
azure-cli 2.62.0
core 2.62.0
telemetry 1.1.0
Dependencies:
msal 1.28.1
azure-mgmt-resource 23.1.1
Python location '/usr/local/bin/python'
Extensions directory '/root/.azure/cliextensions'
Python (Linux) 3.11.9 (main, Jul 3 2024, 00:15:49) [GCC 13.2.1 20240309]
Legal docs and information: aka.ms/AzureCliLegal
Additional context
No response
Thank you for opening this issue, we will look into it.