aws / aws-lambda-base-images

Apache License 2.0

Dotnet 6 Security Vulnerabilities #94

Open CDickinson100 opened 1 year ago

CDickinson100 commented 1 year ago
┌────────────┬──────────────────────┬────────────┬────────────┬────────────────┬─────────────┐
│ SEVERITY   │ IMPACTED             │ IMPACTED   │ FIXED      │ CVE            │ XRAY        │
│            │ PACKAGE              │ PACKAGE    │ VERSIONS   │                │ ISSUE       │
│            │                      │ VERSION    │            │                │ ID          │
├────────────┼──────────────────────┼────────────┼────────────┼────────────────┼─────────────┤
│ Critical   │ github.com/golang/go │ 1.18.9     │ [1.19.8]   │ CVE-2023-24538 │ XRAY-513412 │
│            │                      │            │ [1.20.3]   │                │             │
├────────────┼──────────────────────┼────────────┼────────────┼────────────────┼─────────────┤
│ High       │ github.com/golang/go │ 1.18.9     │ [1.19.8]   │ CVE-2023-24537 │ XRAY-513413 │
│            │                      │            │ [1.20.3]   │                │             │
├────────────┼──────────────────────┼────────────┼────────────┼────────────────┼─────────────┤
│ High       │ github.com/golang/go │ 1.18.9     │ [1.19.8]   │ CVE-2023-24536 │ XRAY-513414 │
│            │                      │            │ [1.20.3]   │                │             │
├────────────┼──────────────────────┼────────────┼────────────┼────────────────┼─────────────┤
│ High       │ github.com/golang/go │ 1.18.9     │ [1.19.8]   │ CVE-2023-24534 │ XRAY-513415 │
│            │                      │            │ [1.20.3]   │                │             │
├────────────┼──────────────────────┼────────────┼────────────┼────────────────┼─────────────┤
│ High       │ github.com/golang/go │ 1.18.9     │ [1.19.6]   │ CVE-2022-41725 │ XRAY-426747 │
│            │                      │            │ [1.20.1]   │                │             │
├────────────┼──────────────────────┼────────────┼────────────┼────────────────┼─────────────┤
│ High       │ github.com/golang/go │ 1.18.9     │ [1.19.6]   │ CVE-2022-41724 │ XRAY-426748 │
│            │                      │            │ [1.20.1]   │                │             │
├────────────┼──────────────────────┼────────────┼────────────┼────────────────┼─────────────┤
│ High       │ github.com/golang/go │ 1.18.9     │ [1.19.6]   │ CVE-2022-41722 │ XRAY-426750 │
│            │                      │            │ [1.20.1]   │                │             │
└────────────┴──────────────────────┴────────────┴────────────┴────────────────┴─────────────┘

The current dotnet 6 base image has the following security vulnerabilities; could we bump golang to a later version?

Also, it seems like a lot of people are reporting security vulnerabilities in these base images; would it be worth adding an automatic scanning pipeline to flag these?
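As an added illustration of the "automatic scanning" idea in the comment above (this is not code from the issue or from the aws-lambda-base-images project), the Go program below takes text in the shape `go version -m <binaries>` prints for the Go binaries found in an image, parses the embedded toolchain version from each header line, and compares it against the fixed releases listed in the table above. The binary paths and module lines in `sampleOutput` are constructed placeholders, not files from the real dotnet 6 image. The version check encodes how Go backports work: a version is affected if it is below the fix on its own minor line, or if its minor line is older than every line that received a fix (so 1.18.9 is affected by a CVE fixed only in 1.19.8 and 1.20.3); a line newer than all fixed lines is assumed to have branched after the fix.

```go
package main

import (
	"bufio"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// advisory is one Go toolchain CVE and the first patch release that fixes it
// on each supported minor line; the entries are the rows of the scanner
// table in the issue above.
type advisory struct {
	cve   string
	fixed []string
}

var advisories = []advisory{
	{"CVE-2023-24538", []string{"1.19.8", "1.20.3"}},
	{"CVE-2023-24537", []string{"1.19.8", "1.20.3"}},
	{"CVE-2023-24536", []string{"1.19.8", "1.20.3"}},
	{"CVE-2023-24534", []string{"1.19.8", "1.20.3"}},
	{"CVE-2022-41725", []string{"1.19.6", "1.20.1"}},
	{"CVE-2022-41724", []string{"1.19.6", "1.20.1"}},
	{"CVE-2022-41722", []string{"1.19.6", "1.20.1"}},
}

type goVersion struct{ minor, patch int }

// parseGoVersion accepts "go1.18.9", "1.18.9" or "go1.20" (patch 0).
func parseGoVersion(s string) (goVersion, bool) {
	parts := strings.Split(strings.TrimPrefix(s, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 || parts[0] != "1" {
		return goVersion{}, false
	}
	minor, err := strconv.Atoi(parts[1])
	if err != nil {
		return goVersion{}, false
	}
	patch := 0
	if len(parts) == 3 {
		if patch, err = strconv.Atoi(parts[2]); err != nil {
			return goVersion{}, false
		}
	}
	return goVersion{minor, patch}, true
}

// affected reports whether v predates the fix. If a fixed release exists on
// v's minor line, v is affected iff its patch level is below it. A minor line
// older than every fixed line (1.18 against [1.19.8, 1.20.3]) received no fix
// and is treated as affected; a line newer than all fixed lines is treated as
// clean because it branched after the fix landed.
func affected(v goVersion, fixed []string) bool {
	oldestFixedLine := math.MaxInt
	for _, f := range fixed {
		fv, ok := parseGoVersion(f)
		if !ok {
			continue
		}
		if fv.minor == v.minor {
			return v.patch < fv.patch
		}
		if fv.minor < oldestFixedLine {
			oldestFixedLine = fv.minor
		}
	}
	return v.minor < oldestFixedLine
}

// finding is one (binary, CVE) pair the scan flagged.
type finding struct {
	binary, goVersion, cve string
}

// scanGoVersionOutput reads text shaped like `go version -m` output
// ("<path>: go1.x.y" header lines followed by tab-indented module lines)
// and returns every binary/CVE pair where the embedded toolchain predates the fix.
func scanGoVersionOutput(output string) []finding {
	var findings []finding
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "\t") || !strings.Contains(line, ": go") {
			continue // module detail line, or a file that is not a Go binary
		}
		binary, rest, _ := strings.Cut(line, ": ")
		fields := strings.Fields(rest)
		if len(fields) == 0 {
			continue
		}
		v, ok := parseGoVersion(fields[0])
		if !ok {
			continue
		}
		for _, a := range advisories {
			if affected(v, a.fixed) {
				findings = append(findings, finding{binary, fields[0], a.cve})
			}
		}
	}
	return findings
}

// sampleOutput is constructed to mimic `go version -m` over three binaries;
// the paths and module names are placeholders, not files from the real image.
const sampleOutput = `/usr/local/bin/tool-a: go1.18.9
	path	example.com/tool-a
	mod	example.com/tool-a	(devel)
/usr/local/bin/tool-b: go1.19.7
	path	example.com/tool-b
/usr/local/bin/tool-c: go1.20.3
	path	example.com/tool-c
`

func main() {
	for _, f := range scanGoVersionOutput(sampleOutput) {
		fmt.Printf("%s (%s): %s\n", f.binary, f.goVersion, f.cve)
	}
}
```

In a real pipeline the input would come from running `go version -m` against the Go binaries extracted from the image rather than from the embedded sample, and the advisory list would be refreshed from a feed rather than hard-coded; the version comparison is the part that is easy to get wrong and worth keeping under test.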

cdschneider commented 1 year ago

@CDickinson100 have you tried following the documented vulnerability reporting process if you haven't gotten any response on this issue?

Our team is also curious about the state of this -- let me know if there's anything I can do to help move this along!