Open MoChilia opened 1 month ago
The JP binary downloaded and installed in the CLI docker image is 0.1.7, however 0.2.1 has been available since 2021.
Trivy scans show there to be security problems with that old version:
usr/local/bin/jp (gobinary) =========================== Total: 3 (CRITICAL: 3) ┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬─────────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ ├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤ │ stdlib │ CVE-2022-23806 │ CRITICAL │ fixed │ 1.17.1 │ 1.16.14, 1.17.7 │ golang: crypto/elliptic: IsOnCurve returns true for invalid │ │ │ │ │ │ │ │ field elements │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-23806 │ │ ├────────────────┤ │ │ ├─────────────────┼─────────────────────────────────────────────────────────────┤ │ │ CVE-2023-24538 │ │ │ │ 1.19.8, 1.20.3 │ golang: html/template: backticks not treated as string │ │ │ │ │ │ │ │ delimiters │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-24538 │ │ ├────────────────┤ │ │ ├─────────────────┼─────────────────────────────────────────────────────────────┤ │ │ CVE-2023-24540 │ │ │ │ 1.19.9, 1.20.4 │ golang: html/template: improper handling of JavaScript │ │ │ │ │ │ │ │ whitespace │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-24540 │ └─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴─────────────────────────────────────────────────────────────┘
FROM mcr.microsoft.com/azure-cli:2.61.0 as base
see description
See descripton
A more recent version of JP, or potentially a rebuild with fixed dependencies
NA
copy from https://github.com/Azure/azure-cli/issues/29171
This issue is related to security. Please pay attention.
Describe the bug
The JP binary downloaded and installed in the CLI docker image is 0.1.7, however 0.2.1 has been available since 2021.
Trivy scans show there to be security problems with that old version:
Related command
FROM mcr.microsoft.com/azure-cli:2.61.0 as base
Errors
see description
Issue script & Debug output
See descripton
Expected behavior
A more recent version of JP, or potentially a rebuild with fixed dependencies
Environment Summary
NA
Additional context
No response
copy from https://github.com/Azure/azure-cli/issues/29171