canonical / pebble

Pebble is a lightweight Linux service manager with layered configuration and an HTTP API.
https://canonical-pebble.readthedocs-hosted.com/
GNU General Public License v3.0

fix(snap): build snap with Go 1.22 to fix CVE-2024-24790 #448

Closed cjdcordeiro closed 3 months ago

cjdcordeiro commented 3 months ago

Although not shown in the CI (because Trivy is being run with trivy fs, which doesn't consider the Pebble binary), there currently is a reported CVE in the Pebble snap (CVE-2024-24790).

This CVE seems to have been fixed on newer versions of Go, but we are still using Go 1.20 to build the Pebble snap.

This PR bumps this build dependency to Go 1.22.

benhoyt commented 3 months ago

Though I believe this CVE doesn't actually affect Pebble, I have no problems merging this -- thanks.

However, I also need to fix the Snap versioning before this goes out to the snap. Currently the (recent) snap versions are showing as hex commit hashes rather than version numbers (even for releases). I'll work on figuring this out today.