DopplerHQ / cli

The official CLI for interacting with your Doppler secrets and configuration.
https://docs.doppler.com
Apache License 2.0

[BUG] Security vulnerabilities #231

Closed mindflayer closed 3 years ago

mindflayer commented 3 years ago

Describe the bug
I am switching to using a hardened Docker image for Ubuntu provided by Canonical to get rid of all the CVEs. My image is now free of vulnerabilities apart from the two brought by doppler and detected by trivy.

To Reproduce

$ trivy --version
Version: 0.18.3
Vulnerability DB:
  Type: Light
  Version: 1
  UpdatedAt: 2021-06-22 00:05:00.051809127 +0000 UTC
  NextUpdate: 2021-06-22 06:05:00.051808727 +0000 UTC
  DownloadedAt: 2021-06-22 10:08:26.510496673 +0000 UTC
$ trivy image <IMAGE_NAME>
2021-06-22T12:14:55.914+0200    INFO    Detected OS: ubuntu
2021-06-22T12:14:55.914+0200    WARN    This OS version is not on the EOL list: ubuntu 21.10
2021-06-22T12:14:55.914+0200    INFO    Detecting Ubuntu vulnerabilities...
2021-06-22T12:14:55.915+0200    INFO    Number of PL dependency files: 3
2021-06-22T12:14:55.915+0200    INFO    Detecting jar vulnerabilities...
2021-06-22T12:14:55.915+0200    INFO    Detecting gobinary vulnerabilities...
2021-06-22T12:14:55.915+0200    WARN    This OS version is no longer supported by the distribution: ubuntu 21.10
2021-06-22T12:14:55.915+0200    WARN    The vulnerability detection may be insufficient because security updates are not provided

<IMAGE_NAME>:latest (ubuntu 21.10)
===================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

usr/bin/doppler
===============
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

+---------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |           FIXED VERSION            |                 TITLE                 |
+---------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
| golang.org/x/crypto | CVE-2020-29652   | HIGH     | v0.0.0-20190530122614-20be4c3c3ed5 | v0.0.0-20201216223049-8b5274cf687f | golang: crypto/ssh: crafted           |
|                     |                  |          |                                    |                                    | authentication request can            |
|                     |                  |          |                                    |                                    | lead to nil pointer dereference       |
|                     |                  |          |                                    |                                    | -->avd.aquasec.com/nvd/cve-2020-29652 |
+                     +------------------+          +                                    +------------------------------------+---------------------------------------+
|                     | CVE-2020-9283    |          |                                    | v0.0.0-20200220183623-bac4c82f6975 | golang.org/x/crypto: Processing       |
|                     |                  |          |                                    |                                    | of crafted ssh-ed25519                |
|                     |                  |          |                                    |                                    | public keys allows for panic          |
|                     |                  |          |                                    |                                    | -->avd.aquasec.com/nvd/cve-2020-9283  |
+---------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+

Expected behavior
No vulnerabilities shown.
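One way to confirm a fix in a shipped build, as an added example that is not part of this issue or of the Doppler project: read the module list Go embeds in the binary (the same data trivy's gobinary scanner parses) and compare the linked golang.org/x/crypto version with the fixed versions from the table above. The `sortKey` ordering is a simplified stand-in for full semver that is sufficient for these versions; `XCryptoVersion` and `Fixed` are names chosen here, not APIs of trivy or the Doppler CLI.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"strconv"
	"strings"
)

// Fixed golang.org/x/crypto versions, transcribed from the trivy table above.
var fixedIn = map[string]string{
	"CVE-2020-29652": "v0.0.0-20201216223049-8b5274cf687f",
	"CVE-2020-9283":  "v0.0.0-20200220183623-bac4c82f6975",
}

// sortKey maps vMAJOR.MINOR.PATCH[-suffix] to a string that orders like Go modules:
// numeric parts, then a bare tag above a same-base pseudo-version, then the suffix.
func sortKey(v string) string {
	base, suffix, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var key strings.Builder
	for _, p := range strings.SplitN(base, ".", 3) {
		n, _ := strconv.Atoi(p) // zero-pad so "10" sorts after "9"
		fmt.Fprintf(&key, "%06d.", n)
	}
	if suffix == "" {
		return key.String() + "~" // '~' sorts after '-', so a tag beats a pseudo-version
	}
	return key.String() + "-" + suffix // pseudo-version suffixes embed a UTC timestamp
}

// Fixed reports whether installed is at or past the version that fixes a CVE.
func Fixed(installed, fixed string) bool { return sortKey(installed) >= sortKey(fixed) }

// XCryptoVersion reads the module list Go embeds in a compiled binary (the data
// trivy's gobinary scanner parses) and returns the linked x/crypto version.
func XCryptoVersion(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	for _, dep := range bi.Deps {
		if dep.Replace != nil { // a replace directive decides what was linked
			dep = dep.Replace
		}
		if dep.Path == "golang.org/x/crypto" {
			return dep.Version, nil
		}
	}
	return "", fmt.Errorf("%s: golang.org/x/crypto not in build info", path)
}
```

To check an installed CLI, call `XCryptoVersion("/usr/bin/doppler")` and pass the result to `Fixed` for each entry of `fixedIn`; the version from the table above, v0.0.0-20190530122614-20be4c3c3ed5, fails both checks.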

Piccirello commented 3 years ago

Thanks for reporting this. We're not using any of the affected functionality, but will put up a fix shortly.

Piccirello commented 3 years ago

Doppler CLI v3.27.1 has been published with this fix.

mindflayer commented 3 years ago

Many thanks!