Shopify / ejson

EJSON is a small library to manage encrypted secrets using asymmetric encryption.
MIT License

bump golang/x/crypto #91

Closed thepwagner closed 2 years ago

thepwagner commented 2 years ago

Upgrade golang.org/x/crypto around v0.0.0-20201203163018-be400aefbc4c to mitigate CVE-2020-29652

This issue is not a practical concern for ejson, but the upgrade will avoid false positives: a high severity alert in a core component like ejson raised my eyebrow at least.

I am a human Dependabot 🤖.

Scans using https://github.com/aquasecurity/trivy -

Pre

```
$ ~/go/bin/trivy filesystem .
2021-10-05T07:17:22.654-0400 INFO Number of language-specific files: 2
2021-10-05T07:17:22.654-0400 INFO Detecting bundler vulnerabilities...
2021-10-05T07:17:22.656-0400 INFO Detecting gomod vulnerabilities...

Gemfile.lock (bundler)
======================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

go.sum (gomod)
==============
Total: 4 (UNKNOWN: 2, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

+---------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION         |           FIXED VERSION            |                 TITLE                 |
+---------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+
| golang.org/x/crypto | CVE-2020-29652   | HIGH     | 0.0.0-20200604202706-70a84ac30bf9 | v0.0.0-20201216223049-8b5274cf687f | golang: crypto/ssh: crafted           |
|                     |                  |          |                                   |                                    | authentication request can            |
|                     |                  |          |                                   |                                    | lead to nil pointer dereference       |
|                     |                  |          |                                   |                                    | -->avd.aquasec.com/nvd/cve-2020-29652 |
+---------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+
| gopkg.in/yaml.v2    | CVE-2019-11254   | MEDIUM   | 2.2.2                             | v2.2.8                             | kubernetes: Denial of                 |
|                     |                  |          |                                   |                                    | service in API server via             |
|                     |                  |          |                                   |                                    | crafted YAML payloads by...           |
|                     |                  |          |                                   |                                    | -->avd.aquasec.com/nvd/cve-2019-11254 |
+                     +------------------+----------+                                   +------------------------------------+---------------------------------------+
|                     | GMS-2019-2       | UNKNOWN  |                                   | v2.2.3                             | XML Entity Expansion                  |
+                     +------------------+          +                                   +                                    +---------------------------------------+
|                     | GO-2021-0061     |          |                                   |                                    |                                       |
+---------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+
```

Post

```
$ ~/go/bin/trivy filesystem .
2021-10-05T07:17:51.451-0400 INFO Number of language-specific files: 2
2021-10-05T07:17:51.452-0400 INFO Detecting gomod vulnerabilities...
2021-10-05T07:17:51.452-0400 INFO Detecting bundler vulnerabilities...

Gemfile.lock (bundler)
======================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

go.sum (gomod)
==============
Total: 3 (UNKNOWN: 2, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| gopkg.in/yaml.v2 | CVE-2019-11254   | MEDIUM   | 2.2.2             | v2.2.8        | kubernetes: Denial of                 |
|                  |                  |          |                   |               | service in API server via             |
|                  |                  |          |                   |               | crafted YAML payloads by...           |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-11254 |
+                  +------------------+----------+                   +---------------+---------------------------------------+
|                  | GMS-2019-2       | UNKNOWN  |                   | v2.2.3        | XML Entity Expansion                  |
+                  +------------------+          +                   +               +---------------------------------------+
|                  | GO-2021-0061     |          |                   |               |                                       |
+------------------+------------------+----------+-------------------+---------------+---------------------------------------+
```

burke commented 2 years ago

Perfect, thanks for the contribution!