Open echoix opened 1 week ago
Thanks, it seems the trivy scan in my build doesn't report this CVE (but it reports something else).
Using the sample command in your link, I duplicated the check report locally:
```shell
trivy image --format table --exit-code 1 --ignore-unfixed --vuln-type os,library --scanners vuln --severity CRITICAL,HIGH --timeout 10m0s alpine/terragrunt
```
Let me check
```text
alpine/terragrunt (alpine 3.20.0)
Total: 0 (HIGH: 0, CRITICAL: 0)

bin/terraform (gobinary)
Total: 1 (HIGH: 1, CRITICAL: 0)

┌────────────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│ Library                        │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title                                                    │
├────────────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-6257 │ HIGH     │ v1.7.4            │ 1.7.5         │ hashicorp/go-getter: Arbitrary command execution through │
│                                │               │          │                   │               │ local git config file                                    │
│                                │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-6257                │
└────────────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

usr/local/bin/boilerplate (gobinary)
Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────┐
│ Library                        │ Vulnerability       │ Severity │ Installed Version │ Fixed Version          │ Title                                                    │
├────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-6257       │ HIGH     │ v1.7.4            │ 1.7.5                  │ hashicorp/go-getter: Arbitrary command execution through │
│                                │                     │          │                   │                        │ local git config file                                    │
│                                │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2024-6257                │
├────────────────────────────────┼─────────────────────┤          ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────┤
│ google.golang.org/grpc         │ GHSA-m425-mq94-257g │          │ v1.50.1           │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability                 │
│                                │                     │          │                   │                        │ https://github.com/advisories/GHSA-m425-mq94-257g        │
└────────────────────────────────┴─────────────────────┴──────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────┘

usr/local/bin/terragrunt (gobinary)
Total: 1 (HIGH: 1, CRITICAL: 0)

┌────────────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│ Library                        │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title                                                    │
├────────────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-6257 │ HIGH     │ v1.7.4            │ 1.7.5         │ hashicorp/go-getter: Arbitrary command execution through │
│                                │               │          │                   │               │ local git config file                                    │
│                                │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-6257                │
└────────────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
```
Ah, the grpc one is already in our trivyignore, as we couldn't do anything about it at the time.
Frankly, I am not sure how to fix this CVE.
```shell
$ docker run -ti --rm alpine/terragrunt terraform --version
Terraform v1.9.0
on linux_amd64
$ docker run -ti --rm alpine/terragrunt terragrunt --version
terragrunt version v0.59.6
```
Both the terraform and terragrunt versions are the latest in alpine/terragrunt; maybe you need to reach out to their owners for help?
There was a CVE (High severity) on a dependency hashicorp/go-getter that is fixed in their version 1.7.5.
Using trivy to scan a container, we can see that this image contains the version v1.7.1.
If we want terragrunt, we now know that their latest release uses v1.7.5. See https://github.com/gruntwork-io/terragrunt/releases/tag/v0.59.6
My request is: is it possible to relaunch a new build without a terraform release, ideally manually, in order to get a new image with a fixed version?
See failures similar to this one https://github.com/oxsecurity/megalinter/actions/runs/9704027962/job/26783423895?pr=3703 since yesterday.
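Both posts above turn on the same question: which of the findings trivy prints are actually actionable once `--severity CRITICAL,HIGH`, `--ignore-unfixed` and the project's `.trivyignore` are applied, and which dependency bump would clear them. The script below is an added example, not code from this thread or from the alpine/terragrunt or MegaLinter projects. It reads the JSON that `trivy image --format json` emits (the sample embedded here is constructed and trimmed to the fields the script uses, with values mirroring the table pasted above; `CVE-0000-00000` is a constructed placeholder ID), applies the same three filters, reports the (package, installed version) pairs behind what remains, and also lists which `.trivyignore` entries are still present so a stale accepted-risk entry does not go unnoticed.

```python
"""Triage a Trivy JSON report against a .trivyignore file (added example)."""
import json
import sys
from collections import defaultdict

# Constructed sample shaped like `trivy image --format json` output, trimmed to
# the keys this script reads. Values mirror the table pasted in the thread;
# the CVE-0000-00000 entry is a constructed placeholder used to exercise the
# severity and unfixed filters.
SAMPLE_REPORT = {
    "Results": [
        {"Target": "alpine/terragrunt (alpine 3.20.0)", "Class": "os-pkgs",
         "Vulnerabilities": []},
        {"Target": "bin/terraform", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2024-6257",
              "PkgName": "github.com/hashicorp/go-getter",
              "InstalledVersion": "v1.7.4", "FixedVersion": "1.7.5",
              "Severity": "HIGH"}]},
        {"Target": "usr/local/bin/boilerplate", "Class": "lang-pkgs",
         "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2024-6257",
              "PkgName": "github.com/hashicorp/go-getter",
              "InstalledVersion": "v1.7.4", "FixedVersion": "1.7.5",
              "Severity": "HIGH"},
             {"VulnerabilityID": "GHSA-m425-mq94-257g",
              "PkgName": "google.golang.org/grpc",
              "InstalledVersion": "v1.50.1",
              "FixedVersion": "1.56.3, 1.57.1, 1.58.3", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-00000",  # constructed placeholder
              "PkgName": "example.invalid/unfixed",
              "InstalledVersion": "v0.1.0", "Severity": "MEDIUM"}]},
    ]
}

# Constructed .trivyignore mirroring the thread: the gRPC advisory was accepted
# earlier because no fixed grpc-go could be pulled in at the time.
SAMPLE_TRIVYIGNORE = """\
# accepted risk: gRPC rapid reset, no fix available in this build
GHSA-m425-mq94-257g
"""


def parse_trivyignore(text):
    """Return the set of IDs in a .trivyignore: one ID per line, '#' starts a
    comment, and anything after the ID on the same line is ignored."""
    ids = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ids.add(line.split()[0])
    return ids


def triage(report, ignored_ids, severities=("HIGH", "CRITICAL"),
           ignore_unfixed=True):
    """Return (kept, ignored_seen). kept maps target -> findings that survive
    the .trivyignore, severity and ignore-unfixed filters; ignored_seen is the
    subset of ignored IDs the report still contains."""
    kept = defaultdict(list)
    ignored_seen = set()
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            vid = vuln["VulnerabilityID"]
            if vid in ignored_ids:
                ignored_seen.add(vid)
                continue
            if vuln.get("Severity") not in severities:
                continue
            # No FixedVersion means a rebuild cannot clear it; mirrors --ignore-unfixed.
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            kept[result["Target"]].append({
                "id": vid, "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", "")})
    return dict(kept), ignored_seen


def affected_packages(kept):
    """Distinct (package, installed version) pairs behind the kept findings,
    i.e. the dependencies whose bump would clear the scan."""
    return {(v["pkg"], v["installed"]) for vs in kept.values() for v in vs}


def exit_code(kept):
    """1 when anything actionable remains (trivy's --exit-code 1), else 0."""
    return 1 if kept else 0


def render(kept, ignored_seen):
    lines = []
    for target, vulns in kept.items():
        lines.append(f"{target}: {len(vulns)} actionable finding(s)")
        for v in vulns:
            lines.append(f"  {v['id']:<20} {v['pkg']} {v['installed']} -> fixed in {v['fixed']}")
    for vid in sorted(ignored_seen):
        lines.append(f"ignored via .trivyignore (still present): {vid}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: trivy image --format json -o report.json alpine/terragrunt
    #        python triage.py report.json .trivyignore
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    ignore_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_TRIVYIGNORE
    kept, seen = triage(report, parse_trivyignore(ignore_text))
    print(render(kept, seen))
    sys.exit(exit_code(kept))
```

Run without arguments it triages the embedded sample and exits 1, because the go-getter finding survives every filter; `affected_packages` then names `github.com/hashicorp/go-getter v1.7.4` as the single dependency to chase, which matches the conclusion in the thread that the fix has to come from a new terraform/terragrunt build rather than from the image's Alpine layer.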