Closed agarcia-oss closed 2 years ago
Fwiw the only functionality we use from golang.org/x/crypto/ssh is the function that computes an RSA pub key fingerprint.
The price to pay for automated dependency scanners is a lot of false positives.
That said, keeping these deps up to date (possibly by bots) so as to silence automated security scanners is a good idea.
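For reference, this is what that fingerprint function computes, as an added standard-library example (not the controller's code and not the golang.org/x/crypto/ssh implementation): the RFC 4253 "ssh-rsa" key blob is hashed with SHA-256 and the digest is base64-encoded without padding, the OpenSSH SHA256 fingerprint format. The authorized_keys line parsing and the key values used in the test are assumptions for illustration.

```go
package main

import (
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"math/big"
	"strings"
)

// sshString appends an SSH wire-format string: a big-endian uint32 length, then the bytes.
func sshString(buf, s []byte) []byte {
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(s)))
	return append(append(buf, l[:]...), s...)
}
// sshMPInt appends a non-negative big.Int as an SSH mpint; a leading zero byte keeps the sign bit clear.
func sshMPInt(buf []byte, n *big.Int) []byte {
	b := n.Bytes()
	if len(b) > 0 && b[0]&0x80 != 0 {
		b = append([]byte{0}, b...)
	}
	return sshString(buf, b)
}
// MarshalRSAPublicKey returns the RFC 4253 "ssh-rsa" public key blob: string "ssh-rsa", mpint e, mpint n.
func MarshalRSAPublicKey(pub *rsa.PublicKey) []byte {
	buf := sshString(nil, []byte("ssh-rsa"))
	buf = sshMPInt(buf, big.NewInt(int64(pub.E)))
	return sshMPInt(buf, pub.N)
}
// FingerprintSHA256 is the OpenSSH-style fingerprint: "SHA256:" plus unpadded base64 of SHA-256 over the blob.
func FingerprintSHA256(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}
// FingerprintAuthorizedKey parses one "ssh-rsa AAAA... comment" line (assumed input format) and fingerprints its key blob.
func FingerprintAuthorizedKey(line string) (string, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 || fields[0] != "ssh-rsa" {
		return "", errors.New("expected an ssh-rsa authorized_keys line")
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	// Reject undecodable blobs and blobs whose embedded type string disagrees with the line's key type.
	if err != nil || len(blob) < 11 || binary.BigEndian.Uint32(blob[:4]) != 7 || string(blob[4:11]) != "ssh-rsa" {
		return "", errors.New("malformed or non-RSA key blob")
	}
	return FingerprintSHA256(blob), nil
}
```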
Indeed, this task only needs to evaluate the trade-off of updating that dependency. If by doing that we just manage to keep our dependencies up to date and avoid false positives scanning results on third parties, all the better.
Yeah, keeping the dependencies up-to-date by default "no-questions-asked" as long as tests pass is a winning strategy. Evaluating the trade-off for every update is a strategy that doesn't scale.
Which component:
sealed-secrets-controller
v0.17.5
Describe the bug
Trivy scan detects the occurrence of the CVE-2022-27191 vulnerability in the latest image of the controller:
To Reproduce
Steps to reproduce the behaviour:
Expected behaviour
Analyse the vulnerability and decide on how to address it (update the dependencies if needed).