Open matthias2 opened 1 month ago
Is there any ETA on this? Do you mind explaining why a critical CVE is marked as a normal priority?
Is it applicable in this case? Is a vulnerable function of stdlib being used?
"but your code doesn't appear to call these vulnerabilities."
Here is your answer. This is a non-serious issue and should be fixed with normal priority.
Hi there, I'm Itay from Aqua Security, creators of the popular OSS vulnerability scanner Trivy. This issue was flagged for me and I wanted to chime in to add that Trivy now allows software maintainers (you) to publish vulnerability analysis about your software (packages, libraries, container images) so that vulnerability scanners will automatically suppress those irrelevant vulnerabilities for end users. You can read more here:
https://aquasecurity.github.io/trivy/latest/docs/supply-chain/vex/repo/#publishing-vex-documents
https://github.com/aquasecurity/vexhub
This might be a good opportunity to add a VEX statement to suppress this irrelevant vulnerability, so that your users who scan your artifact with Trivy, or other VEX-enabled scanners, will have peace of mind that you are aware of it and concluded it is not relevant. Feel free to reach me or the Trivy team if you have any issues/feedback.
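As an added illustration of what the suggestion above amounts to (this is example code, not part of the issue thread and not Trivy's or cloudflared's own code): the script below builds an OpenVEX document (one of the formats VEX-enabled scanners such as Trivy consume) that marks CVE-2024-24790 as not_affected for cloudflared with the justification vulnerable_code_not_in_execute_path, which is the claim made in this thread ("your code doesn't appear to call these vulnerabilities"). It then applies a deliberately simplified matching rule to a constructed scan result to show which findings a VEX consumer would drop. The product package URL, its version, the document id, the author string and the second CVE id are placeholders; the matching logic is a minimal model, not Trivy's implementation.

```python
"""Build an OpenVEX not_affected statement and apply it to constructed scanner findings."""
import json
from datetime import datetime, timezone

# Justification values defined by the OpenVEX specification for status "not_affected".
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
# Statuses under which a consumer may suppress a finding for the named product.
SUPPRESSING_STATUSES = {"not_affected", "fixed"}

# Placeholder product identifier (package URL of the cloudflared Go module);
# a real statement names the actual release version(s) instead of <VERSION>.
CLOUDFLARED_PURL = "pkg:golang/github.com/cloudflare/cloudflared@<VERSION>"


def build_vex_document(author: str, product_purl: str, cve: str,
                       justification: str, impact: str) -> dict:
    """Return an OpenVEX document with a single not_affected statement."""
    if justification not in NOT_AFFECTED_JUSTIFICATIONS:
        raise ValueError(f"unknown OpenVEX justification: {justification}")
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": f"https://example.invalid/vex/{cve}",  # placeholder document id
        "author": author,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": [
            {
                "vulnerability": {"name": cve},
                "products": [{"@id": product_purl}],
                "status": "not_affected",
                "justification": justification,
                "impact_statement": impact,
            }
        ],
    }


def vex_verdict(vex: dict, product_purl: str, cve: str):
    """Return the VEX status covering (product, cve), or None if no statement matches."""
    for stmt in vex.get("statements", []):
        if stmt["vulnerability"]["name"] != cve:
            continue
        if any(p.get("@id") == product_purl for p in stmt.get("products", [])):
            return stmt["status"]
    return None


def filter_findings(vex: dict, findings: list) -> list:
    """Drop findings whose VEX status says the product is not affected or fixed."""
    kept = []
    for finding in findings:
        status = vex_verdict(vex, finding["product"], finding["cve"])
        if status in SUPPRESSING_STATUSES:
            continue  # covered by a suppressing VEX statement
        kept.append(finding)
    return kept


# Constructed sample scan output: the stdlib finding from this issue plus an
# unrelated finding with a placeholder CVE id that no VEX statement covers.
SAMPLE_FINDINGS = [
    {"cve": "CVE-2024-24790", "product": CLOUDFLARED_PURL, "severity": "CRITICAL"},
    {"cve": "CVE-0000-00000", "product": CLOUDFLARED_PURL, "severity": "HIGH"},
]


def demo() -> list:
    """Build the statement for this issue and return the findings still reported."""
    vex = build_vex_document(
        author="cloudflared maintainers (placeholder author)",
        product_purl=CLOUDFLARED_PURL,
        cve="CVE-2024-24790",
        justification="vulnerable_code_not_in_execute_path",
        impact="The vulnerable net/netip functions are not called by cloudflared.",
    )
    print(json.dumps(vex, indent=2))
    return filter_findings(vex, SAMPLE_FINDINGS)


if __name__ == "__main__":
    for finding in demo():
        print("still reported:", finding["cve"], finding["severity"])
```

Running the script prints the OpenVEX document and then only the placeholder finding, because the CVE-2024-24790 finding is matched by the not_affected statement and suppressed. Note that the statement only carries weight for a given product identifier, so the product @id in the VEX document has to match what the scanner derives from the artifact.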
Describe the bug
Cloudflared is vulnerable to the stdlib that is in the Golang 1.22.2 version in module net/netip. It is 9.8/10 critical, as shown in the vulnerability CVE-2024-24790.

To Reproduce
Steps to reproduce the behavior:

Expected behavior
No vulns show up.

Environment and versions

Additional context
Upgrade Golang version to at least 1.22.4