DataDog / chaos-controller

:monkey: :fire: Datadog Failure Injection System for Kubernetes
Apache License 2.0

User Request: Build image update #884

Closed expFlower closed 1 month ago

expFlower commented 1 month ago

Our internal security scanning has flagged a couple of security vulnerabilities, please can we bump this build image to 1.22.5?

https://github.com/DataDog/chaos-controller/blob/ff15282d3fa53c36ac7ba644a41c0b177f1b3e2a/.circleci/config.yml#L83

CVE-2024-24790 https://nvd.nist.gov/vuln/detail/CVE-2024-24790 is fixed in 1.22.4, but 1.22.5 fixed CVE-2024-24791 https://go.dev/doc/devel/release#go1.22.minor (also see https://groups.google.com/g/golang-announce/c/gyb7aM1C9H4?pli=1). This second CVE hasn't been ranked as critical, but it would be great to remove both at the same time.

Thanks

ptnapoleon commented 1 month ago

I'll do so, but that's actually only the version used to build for CI. The version we build images for release with is here: https://github.com/DataDog/chaos-controller/pull/883/commits/ec235ddc8e030c511dbdd32498c4be572e1c567f
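The thread above shows the usual gap: the Go toolchain version lives in more than one place (the CircleCI build image and the release image), and a scanner flags one while the other is updated separately. The check below is an added example, not code from the chaos-controller project: it scans CI config and Dockerfile text for Go base-image tags (`image: .../go:<ver>` or `FROM golang:<ver>`) and reports any tag below the minimum requested in the issue (1.22.5). The config fragment and image names inside it are constructed for the example; the project's real config is only linked above, not reproduced here.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// MinGoVersion is the toolchain version requested in the issue; Go 1.22.5
// carries the fixes for both CVE-2024-24790 and CVE-2024-24791.
const MinGoVersion = "1.22.5"

// sampleConfig is a constructed CircleCI fragment plus a Dockerfile line.
// The image names and tags are assumptions for the example, not the
// project's actual configuration.
const sampleConfig = `version: 2.1
jobs:
  build:
    docker:
      - image: cimg/go:1.22.3
    steps:
      - checkout
      - run: go build ./...
---
FROM golang:1.22.5-alpine AS builder
`

// goImageRe matches a Go base image reference in either a CircleCI/GitHub
// Actions "image:" key or a Dockerfile "FROM" line, with an optional registry
// or namespace prefix (cimg/go, docker.io/library/golang, golang).
var goImageRe = regexp.MustCompile(`(?:image:|FROM)\s+(?:\S*/)?(?:go|golang):(\d+\.\d+(?:\.\d+)?)`)

// parseVersion splits "1.22.5" into [1 22 5]; a missing patch counts as 0,
// which is the conservative reading of a floating tag like "1.22".
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimSpace(v), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unexpected Go version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component %q in %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1 as a is below, equal to or above b.
func compareVersions(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		switch {
		case a[i] < b[i]:
			return -1
		case a[i] > b[i]:
			return 1
		}
	}
	return 0
}

// FindGoImageTags returns every Go image tag referenced in the text.
func FindGoImageTags(text string) []string {
	var tags []string
	for _, m := range goImageRe.FindAllStringSubmatch(text, -1) {
		tags = append(tags, m[1])
	}
	return tags
}

// CheckBuildImages returns the Go image tags in text that are older than min.
// An empty result means every referenced toolchain meets the minimum.
func CheckBuildImages(text, min string) ([]string, error) {
	minV, err := parseVersion(min)
	if err != nil {
		return nil, err
	}
	var outdated []string
	for _, tag := range FindGoImageTags(text) {
		v, err := parseVersion(tag)
		if err != nil {
			return nil, err
		}
		if compareVersions(v, minV) < 0 {
			outdated = append(outdated, tag)
		}
	}
	return outdated, nil
}

func main() {
	outdated, err := CheckBuildImages(sampleConfig, MinGoVersion)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(outdated) == 0 {
		fmt.Println("all Go build images are at or above", MinGoVersion)
		return
	}
	fmt.Printf("Go build images below %s: %v\n", MinGoVersion, outdated)
}
```

Running this over both the CI config and the release Dockerfile in one pass is the point: on the constructed input it reports only the CI image (`1.22.3`) while the release image (`1.22.5-alpine`) passes, which is exactly the split ptnapoleon describes. Wired into CI as a failing step, it turns the "which file did we forget" question into a build error.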