Closed davexunit closed 2 years ago
I can see that the issue was fixed with the merging of #497 but what is the timeline for this fix making into, say, the binary download available via https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 ?
It should be available once https://github.com/codeclimate/test-reporter/pull/500 goes in. I would say today/tomorrow.
Okay, thank you!
Hey @davexunit, version 0.10.4 is out! Sorry for the delay, we had some incidents last week that took our full capacity.
Hi guys. Not sure if the binaries are actually being updated with the latest builds. This CVE is still showing for me.
Steps to reproduce it:

1. Dockerfile:

```dockerfile
FROM alpine:3.17.2
RUN wget --quiet https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 -O /usr/local/bin/cc-test-reporter \
    && chmod +x /usr/local/bin/cc-test-reporter
```

2. Run a Docker scan

```bash
docker build -t cc-reporter-cve-test . && docker scout cves cc-reporter-cve-test
```

It comes back with the crypto CVEs that were supposedly patched:
However, when I built the binary from my machine and copied it over to the Docker image it reported no CVEs. So I wonder if the binaries are being updated on CodeClimate's website.
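A direct way to settle the question raised in this comment, as an added example that is not code from the thread or from the test-reporter project: any Go 1.18+ binary embeds its module list, and `go version -m <binary>` prints it (tab-separated `path`, `mod`, `dep` and `build` lines). Parsing that output tells you which `golang.org/x/crypto` version the downloaded release was actually linked against, independent of what a container scanner reports. The `SAMPLE_BUILDINFO` text below is a constructed stand-in for that output (the module versions and checksums in it are made up, not the real test-reporter build info), and the minimum version you pass on the command line is your own assumption about which `x/crypto` release carries the fix; the thread does not name it.

```python
"""Report which golang.org/x/crypto version a Go binary was built with.

Runs `go version -m <binary>` (needs only a Go toolchain, not the sources),
parses the embedded module list and compares the x/crypto version against a
minimum you supply.
"""
import re
import subprocess
import sys

# Constructed sample of `go version -m` output, used for the stand-alone demo.
# The versions and checksums are invented; they are NOT the real cc-test-reporter build info.
SAMPLE_BUILDINFO = """\
cc-test-reporter: go1.19.5
\tpath\tgithub.com/codeclimate/test-reporter
\tmod\tgithub.com/codeclimate/test-reporter\t(devel)
\tdep\tgithub.com/spf13/cobra\tv1.6.1\th1:constructed-not-a-real-sum=
\tdep\tgolang.org/x/crypto\tv0.1.0\th1:constructed-not-a-real-sum=
\tbuild\t-compiler=gc
\tbuild\tGOOS=linux
"""

_SEMVER = re.compile(r"^v(\d+)\.(\d+)\.(\d+)")


def parse_buildinfo(text):
    """Return {module_path: version} for every `dep` line plus the main `mod` line."""
    deps = {}
    for line in text.splitlines():
        fields = line.split("\t")
        # A dependency line splits into: "", "dep", "<module path>", "<version>", "<h1 sum>"
        if len(fields) >= 4 and fields[1] in ("dep", "mod"):
            deps[fields[2]] = fields[3]
    return deps


def version_tuple(version):
    """Turn 'v0.1.0' (pre-release or +incompatible suffixes ignored) into (0, 1, 0)."""
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    return tuple(int(x) for x in m.groups())


def crypto_is_at_least(text, minimum, module="golang.org/x/crypto"):
    """True if the build info lists `module` at `minimum` or newer; False if older or absent."""
    deps = parse_buildinfo(text)
    if module not in deps:
        return False
    return version_tuple(deps[module]) >= version_tuple(minimum)


def main(argv):
    if len(argv) != 3:
        print("usage: check_xcrypto.py <go-binary> <minimum-x/crypto-version, e.g. v0.1.0>", file=sys.stderr)
        return 2
    binary, minimum = argv[1], argv[2]
    out = subprocess.run(["go", "version", "-m", binary],
                         capture_output=True, text=True, check=True).stdout
    found = parse_buildinfo(out).get("golang.org/x/crypto", "<absent>")
    ok = crypto_is_at_least(out, minimum)
    print(f"{binary}: golang.org/x/crypto {found} (want >= {minimum}): {'OK' if ok else 'STALE'}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the downloaded file (`python3 check_xcrypto.py ./cc-test-reporter v0.1.0`, with the minimum replaced by whatever `x/crypto` release the fix you care about landed in) and compare with the same command on a binary you built yourself; if the release artifact shows an older `x/crypto` than your local build, the published download was not rebuilt after the dependency bump, which is exactly what the scanner findings in this thread would indicate. The `-m` listing is also what `govulncheck` reads in its binary mode, so it gives the same answer as a scanner without needing a container image.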
My company uses AWS Inspector to scan the container images we use in our CI environment and we are seeing a number of vulnerabilities in the latest version (0.10.3) of the Code Climate test reporter:
All three are for the Go Crypto library: https://pkg.go.dev/golang.org/x/crypto