Closed jayvdb closed 9 months ago
Using https://github.com/anchore/syft & https://github.com/google/osv-scanner:
```
> wget https://github.com/DeepSourceCorp/cli/releases/download/v0.8.4/deepsource_0.8.4_linux_amd64.tar.gz
--2024-01-02 11:16:11--  https://github.com/DeepSourceCorp/cli/releases/download/v0.8.4/deepsource_0.8.4_linux_amd64.tar.gz
Resolving github.com (github.com)... 20.248.137.48
Connecting to github.com (github.com)|20.248.137.48|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/160353081/11faa02d-52d8-4c07-9465-744f4ef40dbe?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240102%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240102T031612Z&X-Amz-Expires=300&X-Amz-Signature=42c9bb6e08049ded12de93dc405b1ef38e7fba7aa6b6d1281764caf8f94d9307&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=160353081&response-content-disposition=attachment%3B%20filename%3Ddeepsource_0.8.4_linux_amd64.tar.gz&response-content-type=application%2Foctet-stream [following]
--2024-01-02 11:16:12--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/160353081/11faa02d-52d8-4c07-9465-744f4ef40dbe?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240102%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240102T031612Z&X-Amz-Expires=300&X-Amz-Signature=42c9bb6e08049ded12de93dc405b1ef38e7fba7aa6b6d1281764caf8f94d9307&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=160353081&response-content-disposition=attachment%3B%20filename%3Ddeepsource_0.8.4_linux_amd64.tar.gz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9722430 (9.3M) [application/octet-stream]
Saving to: ‘deepsource_0.8.4_linux_amd64.tar.gz’

deepsource_0.8.4_linux_amd64.tar.gz 100%[============================================================================================================================>]   9.27M  1.30MB/s    in 6.8s

2024-01-02 11:16:20 (1.37 MB/s) - ‘deepsource_0.8.4_linux_amd64.tar.gz’ saved [9722430/9722430]

> syft packages deepsource_0.8.4_linux_amd64.tar.gz -o cyclonedx-xml > sbom.cdx.xml
 ✔ Indexed file system /tmp/syft-archive-contents-2500089600
 ✔ Cataloged packages [47 packages]

> osv-scanner --sbom sbom.cdx.xml
Scanned /home/jayvdb/tmp/sbom.cdx.xml as CycloneDX SBOM and found 47 packages
╭─────────────────────────────────────┬──────┬───────────┬─────────────────────┬────────────────────────────────────┬──────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE             │ VERSION                            │ SOURCE       │
├─────────────────────────────────────┼──────┼───────────┼─────────────────────┼────────────────────────────────────┼──────────────┤
│ https://osv.dev/GHSA-8c26-wmh5-6g9v │ 7.5  │ Go        │ golang.org/x/crypto │ v0.0.0-20211202192323-5770296d904e │ sbom.cdx.xml │
│ https://osv.dev/GO-2021-0356        │      │           │                     │                                    │              │
│ https://osv.dev/GHSA-45x7-px36-x8w8 │ 5.9  │ Go        │ golang.org/x/crypto │ v0.0.0-20211202192323-5770296d904e │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-2402        │      │           │                     │                                    │              │
│ https://osv.dev/GHSA-p782-xgp4-8hr8 │ 5.3  │ Go        │ golang.org/x/sys    │ v0.0.0-20211205182925-97ca703d548d │ sbom.cdx.xml │
│ https://osv.dev/GO-2022-0493        │      │           │                     │                                    │              │
│ https://osv.dev/GHSA-69ch-w2m2-3vjp │ 7.5  │ Go        │ golang.org/x/text   │ v0.3.7                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2022-1059        │      │           │                     │                                    │              │
│ https://osv.dev/GHSA-hp87-p4gw-j4gq │ 7.5  │ Go        │ gopkg.in/yaml.v3    │ v3.0.0-20210107192922-496545a6307b │ sbom.cdx.xml │
│ https://osv.dev/GO-2022-0603        │      │           │                     │                                    │              │
│ https://osv.dev/GO-2023-2375        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-1568        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-1569        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-1570        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-1571        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-1621        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-1702        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-1703        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-1704        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-1705        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-1751        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-1752        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-1753        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-1840        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-1878        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-1987        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-2041        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-2043        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-2102        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-2185        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-2186        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
│ https://osv.dev/GO-2023-2382        │      │ Go        │ stdlib              │ 1.19.5                             │ sbom.cdx.xml │
╰─────────────────────────────────────┴──────┴───────────┴─────────────────────┴────────────────────────────────────┴──────────────╯
```
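As an added example (not code from this issue, from syft or from osv-scanner), the script below parses a CycloneDX XML SBOM of the kind the `syft ... -o cyclonedx-xml` step writes, selects the Go components by their `pkg:golang/` purl, and surfaces two things the osv-scanner table shows only implicitly: modules pinned to Go pseudo-versions (untagged commits, here from 2021, which is why they trail the fixed releases) and a recorded toolchain version below a chosen minimum. The embedded SBOM is constructed by hand from a few of the report's packages; the CycloneDX 1.4 namespace and the `stdlib` component's purl form are assumptions, and the parser reads the namespace from the root element so other schema versions also parse.

```python
"""Summarise the Go components of a CycloneDX XML SBOM (added example; the
sample SBOM below is constructed, not real syft output, and omits fields such
as bom-ref, hashes and properties that this parser would ignore anyway)."""
import re
import xml.etree.ElementTree as ET
from datetime import date, datetime, timedelta

CDX_NS = "http://cyclonedx.org/schema/bom/1.4"  # assumed schema version

# Constructed sample: a subset of the 47 packages from the report, plus one
# non-Go component to show the purl filter skipping it.
SAMPLE_SBOM = f"""<bom xmlns="{CDX_NS}" version="1">
  <components>
    <component type="library">
      <name>golang.org/x/crypto</name>
      <version>v0.0.0-20211202192323-5770296d904e</version>
      <purl>pkg:golang/golang.org/x/crypto@v0.0.0-20211202192323-5770296d904e</purl>
    </component>
    <component type="library">
      <name>golang.org/x/text</name>
      <version>v0.3.7</version>
      <purl>pkg:golang/golang.org/x/text@v0.3.7</purl>
    </component>
    <component type="library">
      <name>gopkg.in/yaml.v3</name>
      <version>v3.0.0-20210107192922-496545a6307b</version>
      <purl>pkg:golang/gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b</purl>
    </component>
    <component type="library">
      <name>stdlib</name>
      <version>1.19.5</version>
      <purl>pkg:golang/stdlib@1.19.5</purl>
    </component>
    <component type="library">
      <name>not-a-go-package</name>
      <version>1.0</version>
      <purl>pkg:deb/debian/not-a-go-package@1.0</purl>
    </component>
  </components>
</bom>
"""

# Go pseudo-version: vX.Y.Z-[prerelease.]<14-digit UTC timestamp>-<12 hex chars of commit>
PSEUDO_RE = re.compile(r"^v\d+\.\d+\.\d+-(?:[^-]*\.)?(\d{14})-[0-9a-f]{12}$")


def is_pseudo_version(version):
    """True when the version pins an untagged commit rather than a release tag."""
    return PSEUDO_RE.match(version) is not None


def _qualified(root, local):
    """Qualify a local tag name with the namespace of the document root."""
    if root.tag.startswith("{"):
        return root.tag[: root.tag.index("}") + 1] + local
    return local


def go_components(xml_text):
    """Return the Go components as dicts: name, version, pseudo, commit_date."""
    root = ET.fromstring(xml_text)
    components = []
    for comp in root.iter(_qualified(root, "component")):
        purl = comp.findtext(_qualified(root, "purl"), default="")
        if not purl.startswith("pkg:golang/"):
            continue  # other ecosystems are out of scope for this summary
        version = comp.findtext(_qualified(root, "version"), default="")
        m = PSEUDO_RE.match(version)
        components.append({
            "name": comp.findtext(_qualified(root, "name"), default=""),
            "version": version,
            "pseudo": m is not None,
            "commit_date": datetime.strptime(m.group(1), "%Y%m%d%H%M%S").date() if m else None,
        })
    return components


def stale_pseudo_versions(components, as_of, max_age_days=365):
    """Pseudo-versioned modules whose pinned commit is older than max_age_days at as_of."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    cutoff = as_of - timedelta(days=max_age_days)
    return [c for c in components if c["pseudo"] and c["commit_date"] < cutoff]


def stdlib_version(components):
    """Toolchain version recorded as the `stdlib` component, as an int tuple."""
    for c in components:
        if c["name"] == "stdlib":
            v = c["version"]
            v = v[2:] if v.startswith("go") else v  # tolerate a "go1.19.5" form
            return tuple(int(x) for x in v.split("."))
    return None


def stdlib_below(components, minimum):
    """True when the recorded toolchain is older than `minimum`, e.g. "1.20.0"."""
    v = stdlib_version(components)
    return v is not None and v < tuple(int(x) for x in minimum.split("."))


if __name__ == "__main__":
    comps = go_components(SAMPLE_SBOM)
    for c in comps:
        print(f"{c['name']:<22} {c['version']:<36} {'pseudo' if c['pseudo'] else 'tagged'}")
    for c in stale_pseudo_versions(comps, "2024-01-02"):
        print(f"stale pin: {c['name']} at a commit from {c['commit_date']}")
    print("toolchain below 1.20.0:", stdlib_below(comps, "1.20.0"))
```

The stale-pin check complements the scanner rather than replacing it: a module pinned to a two-year-old commit will keep accumulating advisories until `go get -u` moves it to a tagged release, so it is worth a finding of its own even before the next CVE lands.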
Adding fixes in:
https://github.com/DeepSourceCorp/cli/pull/238 https://github.com/DeepSourceCorp/cli/pull/240
Fixed in https://github.com/DeepSourceCorp/cli/releases/tag/v0.8.6
Thanks for the report @jayvdb
Confirmed that this issue has been solved.