Azure / azure-cli

Azure Command-Line Interface
MIT License

Azure CLI docker image jp dependency is dated and triggers security scanners #29509

Open octavian-mto opened 1 month ago

octavian-mto commented 1 month ago

Describe the bug

The jp (jmespath) dependency is stuck at version 0.2.1 (released in 2021) due to the maintainer not focusing on the project anymore. Since the executable is using an older version of go (1.17.1), it triggers container image scanners.

Here are the related bug reports on the jp side: https://github.com/jmespath/jp/issues/51 and https://github.com/jmespath/jp/issues/46

Related command

FROM mcr.microsoft.com/azure-cli

Errors

CVE-2021-38297 CVE-2023-24538 CVE-2024-24790 CVE-2023-24540 CVE-2023-29402 CVE-2023-29404 CVE-2023-29405

Issue script & Debug output

See above

Expected behavior

No security vulnerabilities are reported when using mcr.microsoft.com/azure-cli

Environment Summary

# az --version
azure-cli                         2.62.0

core                              2.62.0
telemetry                          1.1.0

Dependencies:
msal                              1.28.1
azure-mgmt-resource               23.1.1

Python location '/usr/local/bin/python'
Extensions directory '/root/.azure/cliextensions'

Python (Linux) 3.11.9 (main, Jul  3 2024, 00:15:49) [GCC 13.2.1 20240309]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

No response
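An added defender-side triage check, not part of this issue or of the azure-cli project: scan the files of an exported image filesystem for the Go toolchain version string that Go embeds in every binary it builds, and report anything older than a chosen floor. The sample blob standing in for the jp binary is constructed, and the floor `go1.21.0` and the `docker export` layout are assumptions; treat a hit as a prompt to confirm with `go version -m` or a scanner's CVE database, not as proof of a specific CVE.

```python
import re
from pathlib import Path

# Go binaries embed the toolchain version (e.g. "go1.17.1") as a plain string.
GO_VERSION_RE = re.compile(rb"go1\.(\d+)(?:\.(\d+))?")


def go_versions_in(blob: bytes) -> set[str]:
    """Return every Go toolchain version string found in a binary blob."""
    return {m.group(0).decode("ascii") for m in GO_VERSION_RE.finditer(blob)}


def parse_version(v: str) -> tuple[int, int]:
    """'go1.17.1' -> (17, 1); 'go1.21' -> (21, 0)."""
    m = GO_VERSION_RE.fullmatch(v.encode("ascii"))
    if not m:
        raise ValueError(f"not a Go version string: {v}")
    return int(m.group(1)), int(m.group(2) or 0)


def outdated_versions(blob: bytes, floor: str) -> list[str]:
    """Versions embedded in blob that are older than floor, oldest first."""
    want = parse_version(floor)
    found = [v for v in go_versions_in(blob) if parse_version(v) < want]
    return sorted(found, key=parse_version)


def scan_tree(root: str, floor: str) -> dict[str, list[str]]:
    """Walk an exported image filesystem (assumed: output of 'docker export')
    and map each regular file to the outdated Go versions it embeds."""
    report: dict[str, list[str]] = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and not p.is_symlink():
            old = outdated_versions(p.read_bytes(), floor)
            if old:
                report[str(p)] = old
    return report


# Constructed sample standing in for the jp binary from the issue: an ELF-like
# blob with the runtime version string embedded the way Go does it.
SAMPLE_JP = (b"\x7fELF" + b"\x00" * 16 + b"go1.17.1" + b"\x00" * 8
             + b"path\tgithub.com/jmespath/jp\n")

if __name__ == "__main__":
    print(outdated_versions(SAMPLE_JP, "go1.21.0"))  # ['go1.17.1']
```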

yonzhan commented 1 month ago

Thank you for opening this issue, we will look into it.