FiloSottile / age

A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
https://age-encryption.org
BSD 3-Clause "New" or "Revised" License

Bump golang.org/x/sys to newer version #458

Closed joaopapereira closed 1 year ago

joaopapereira commented 1 year ago

During a trivy scan, a vulnerability was found https://avd.aquasec.com/nvd/2022/cve-2022-29526/ in age library. This doesn't look like it impacts the library itself but we are bumping this dependency to ensure we do not have false negatives.

alerque commented 1 year ago

What is a "false negative" and how does bumping a dependency that you already determined does not affect this library make it more secure?

FiloSottile commented 1 year ago

age is not affected by CVE-2022-29526.

My firm position is that upgrading everything that depends on a widely used module every time it publishes a vulnerability affecting a small subset of users is counter-productive, as it discourages publishing vulnerabilities and generates busywork.