MoChilia / ActionDemo


Azure CLI docker image builds with dated JP binary - test only #21

Open MoChilia opened 1 month ago

MoChilia commented 1 month ago

Describe the bug

The JP binary downloaded and installed in the CLI docker image is 0.1.7, however 0.2.1 has been available since 2021.

Trivy scans show there to be security problems with that old version:

usr/local/bin/jp (gobinary)
===========================
Total: 3 (CRITICAL: 3)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2022-23806 │ CRITICAL │ fixed  │ 1.17.1            │ 1.16.14, 1.17.7 │ golang: crypto/elliptic: IsOnCurve returns true for invalid │
│         │                │          │        │                   │                 │ field elements                                              │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2022-23806                  │
│         ├────────────────┤          │        │                   ├─────────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2023-24538 │          │        │                   │ 1.19.8, 1.20.3  │ golang: html/template: backticks not treated as string      │
│         │                │          │        │                   │                 │ delimiters                                                  │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-24538                  │
│         ├────────────────┤          │        │                   ├─────────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2023-24540 │          │        │                   │ 1.19.9, 1.20.4  │ golang: html/template: improper handling of JavaScript      │
│         │                │          │        │                   │                 │ whitespace                                                  │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-24540                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴─────────────────────────────────────────────────────────────┘

Related command

FROM mcr.microsoft.com/azure-cli:2.61.0 as base

Errors

see description

Issue script & Debug output

See description

Expected behavior

A more recent version of JP, or potentially a rebuild with fixed dependencies

Environment Summary

NA

Additional context

No response

copy from https://github.com/Azure/azure-cli/issues/29171
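The three findings above are all in the Go standard library the `jp` binary was compiled with (toolchain 1.17.1), not in `jp` itself, so the quickest way to confirm or re-check the report without Trivy is to read the build info embedded in the binary, the same data `go version -m /usr/local/bin/jp` prints. The following checker is an added example for this issue, not code from the Azure CLI or jmespath projects: it reads the toolchain version with `debug/buildinfo` and compares it against the "Fixed Version" column of the Trivy table above. The CVE-to-fix mapping is copied from that table; the comparison rule (a toolchain older than every listed fix is treated as affected, a series with a listed fix is judged by patch level, and prerelease or devel toolchains are rejected rather than guessed at) is this example's own assumption.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// fixedIn maps each CVE from the Trivy table above to the Go releases that
// carry the fix (the table's "Fixed Version" column).
var fixedIn = map[string][]string{
	"CVE-2022-23806": {"1.16.14", "1.17.7"},
	"CVE-2023-24538": {"1.19.8", "1.20.3"},
	"CVE-2023-24540": {"1.19.9", "1.20.4"},
}

// parseGoVersion turns "go1.17.1", "1.17.1" or "go1.17" into [major, minor, patch].
// Prerelease and devel toolchains ("go1.21rc1", "devel go1.22-...") are rejected.
func parseGoVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unsupported Go version string %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unsupported Go version string %q", v)
		}
		out[i] = n
	}
	return out, nil
}

func cmpVersion(a, b [3]int) int {
	for i := range a {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// isFixed reports whether toolchain v includes a fix shipped in the listed releases.
// On a patched series (same major.minor) the patch level decides; otherwise only a
// toolchain newer than every listed fix counts as fixed, so 1.17.7 is still
// affected by a bug fixed in 1.19.8/1.20.3 (assumption of this example).
func isFixed(v string, fixes []string) (bool, error) {
	pv, err := parseGoVersion(v)
	if err != nil {
		return false, err
	}
	var newest [3]int
	for _, f := range fixes {
		pf, err := parseGoVersion(f)
		if err != nil {
			return false, err
		}
		if pv[0] == pf[0] && pv[1] == pf[1] {
			return pv[2] >= pf[2], nil
		}
		if cmpVersion(pf, newest) > 0 {
			newest = pf
		}
	}
	return cmpVersion(pv, newest) > 0, nil
}

// vulnerableCVEs returns, sorted, the CVEs from the table that still apply to a
// binary built with the given Go toolchain version.
func vulnerableCVEs(goVersion string) ([]string, error) {
	var out []string
	for cve, fixes := range fixedIn {
		fixed, err := isFixed(goVersion, fixes)
		if err != nil {
			return nil, err
		}
		if !fixed {
			out = append(out, cve)
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <go-binary>")
		os.Exit(2)
	}
	// Same data as `go version -m`: toolchain version plus the main module.
	bi, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "not a Go binary with build info:", err)
		os.Exit(1)
	}
	fmt.Printf("toolchain: %s\nmain module: %s %s\n", bi.GoVersion, bi.Main.Path, bi.Main.Version)
	cves, err := vulnerableCVEs(bi.GoVersion)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if len(cves) == 0 {
		fmt.Println("stdlib: none of the listed CVEs apply")
		return
	}
	fmt.Println("stdlib CVEs still present:", strings.Join(cves, ", "))
	os.Exit(1)
}
```

To run it against the image in question, copy the binary out first (`docker create` the image, then `docker cp <container>:/usr/local/bin/jp .`) and pass the path; for the toolchain version Trivy reported, 1.17.1, all three CVEs are flagged, while a rebuild on 1.20.4 or later clears them. The check only says whether the stdlib fix is present; whether `jp` actually exercises `crypto/elliptic` or `html/template` is a separate reachability question that neither this checker nor Trivy answers.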

github-actions[bot] commented 1 month ago

This issue is related to security. Please pay attention.