codeclimate / test-reporter

Code Climate Test Reporter
MIT License

Go Cryptography vulnerabilities detected by AWS Inspector #496

Closed davexunit closed 2 years ago

davexunit commented 2 years ago

My company uses AWS Inspector to scan the container images we use in our CI environment and we are seeing a number of vulnerabilities in the latest version (0.10.3) of the Code Climate test reporter:

All three are for the Go Crypto library: https://pkg.go.dev/golang.org/x/crypto

davexunit commented 2 years ago

I can see that the issue was fixed with the merging of #497, but what is the timeline for this fix making it into, say, the binary download available via https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 ?

camillof commented 2 years ago

It should be available once https://github.com/codeclimate/test-reporter/pull/500 goes in. I would say today/tomorrow.

davexunit commented 2 years ago

Okay, thank you!

camillof commented 2 years ago

Hey @davexunit , version 0.10.4 is out! Sorry for the delay, we had some incidents last week that took our full capacity.

gugacavalieri commented 1 year ago

Hi guys. Not sure if the binaries are actually being updated with the latest builds. This CVE is still showing for me.

Steps to reproduce it:

1. Add Dockerfile

```dockerfile
FROM alpine:3.17.2

# install codeclimate reporter
RUN wget --quiet https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 -O /usr/local/bin/cc-test-reporter \
    && chmod +x /usr/local/bin/cc-test-reporter
```

2. Run a Docker scan

```bash
docker build -t cc-reporter-cve-test . && docker scout cves cc-reporter-cve-test
```

It comes back with the crypto CVEs that were supposedly patched:


However, when I built the binary from my machine and copied it over to the Docker image it reported no CVEs. So I wonder if the binaries are being updated on CodeClimate's website.
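One way to settle whether a downloaded binary actually carries the patched dependency, as an added example that is not part of this issue or of the test-reporter project: Go binaries embed their module list, which `go version -m <binary>` prints, so the `golang.org/x/crypto` version can be read directly instead of inferred from a scanner report. The minimum version `v0.1.0` and the sample build info below are constructed placeholders; the real threshold comes from the scanner's finding for the CVE in question.

```shell
#!/bin/sh
# Added example (not from the issue or the test-reporter project): read the
# golang.org/x/crypto version a Go binary was built with from its embedded
# build info and compare it against a minimum version.

# Print the golang.org/x/crypto version found in `go version -m` output (stdin).
# Lines look like: "<tab>dep<tab>golang.org/x/crypto<tab>v0.6.0<tab>h1:..."
xcrypto_version() {
  awk -F'\t' '$2 == "dep" && $3 == "golang.org/x/crypto" { v = $4 } END { print v }'
}

# Return 0 if version $1 is >= version $2. Go pseudo-versions such as
# v0.0.0-20220622213112-... sort correctly under `sort -V` because they
# begin with a semantic version.
version_at_least() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# usage: go version -m /usr/local/bin/cc-test-reporter | check_xcrypto <minimum-version>
# Exit 0 when the embedded dependency is at least <minimum-version>, 1 when it
# is older, 2 when no x/crypto dependency is recorded at all.
check_xcrypto() {
  have=$(xcrypto_version)
  if [ -z "$have" ]; then
    echo "no golang.org/x/crypto dependency recorded in build info" >&2
    return 2
  fi
  if version_at_least "$have" "$1"; then
    echo "golang.org/x/crypto $have >= $1: patched dependency present"
    return 0
  fi
  echo "golang.org/x/crypto $have < $1: binary still carries the old dependency" >&2
  return 1
}

# Constructed sample of `go version -m` output, with the x/crypto version
# given as $1; the module sums are placeholders, not real hashes.
sample_buildinfo() {
  printf '%s\n' '/usr/local/bin/cc-test-reporter: go1.19.5'
  printf '\tpath\tgithub.com/codeclimate/test-reporter\n'
  printf '\tmod\tgithub.com/codeclimate/test-reporter\t(devel)\n'
  printf '\tdep\tgolang.org/x/crypto\t%s\th1:PLACEHOLDERSUM=\n' "$1"
  printf '\tdep\tgolang.org/x/sys\tv0.5.0\th1:PLACEHOLDERSUM=\n'
}
```

`go version -m` needs the Go toolchain, which the Alpine image above does not have, so copy the binary out with `docker cp` and inspect it on a host with Go installed, or run the check in a build stage based on a Go image.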