Open nimish22 opened 2 years ago
From my reading, it seems like the minimum Go version that would remove these CVEs is v1.18.1, right @nimish22?
@muvaf Thank you for your quick reply and apologies for the confusion!
Twistlock scan has revealed 18 high vulnerabilities. I have updated the complete list above.
The lowest version where these CVEs are resolved is Go 1.18.4 and Go 1.17.12.
What happened?
Security vulnerability scanners like Twistlock and Snyk are reporting security vulnerabilities because terrajet uses Go <= 1.17 to build images. These security vulnerabilities are classified as critical and high severity and are preventing us from using the built images. Some of the CVEs are:
CVE-2021-44716 CVE-2021-41771 CVE-2022-28327 CVE-2022-24675 CVE-2022-24921 CVE-2022-23773 CVE-2022-23772 CVE-2022-23806 CVE-2022-28131 CVE-2022-30580 CVE-2022-30633 CVE-2022-30635 CVE-2022-30629 CVE-2022-30630 CVE-2022-30632 CVE-2022-32189 CVE-2022-30631 CVE-2021-41772
How can we reproduce it?
Point Snyk at the Git repository to run a security scan (e.g. https://github.com/crossplane-contrib/provider-jet-datadog, https://github.com/crossplane/terrajet). The report points out the security vulnerabilities.
Potential fix?
These CVEs can be resolved by using Go 1.19.
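Added example, not part of the issue or of the terrajet code base: the CVEs above are standard-library fixes, so what matters is the toolchain that compiled each binary in the image, not the Go version in `go.mod`. The small checker below reads the build info embedded in a compiled Go binary (the same data `go version -m <file>` prints) via `debug/buildinfo` and compares the toolchain against the thresholds stated in the thread (Go 1.17.12 and Go 1.18.4; anything 1.19 or newer is taken as fixed, anything 1.16 or older as not). The threshold table and the treatment of unknown minor lines are assumptions for this example; extend them as new advisories arrive.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// minimumFixedPatch maps a Go 1.x minor line to the first patch release that
// carries the stdlib fixes for the CVEs listed in the issue. The values are
// the ones stated in the thread (Go 1.17.12 and Go 1.18.4). Any later minor
// line (1.19+) is assumed to include the fixes, any earlier line (<= 1.16) is
// assumed not to. These thresholds are an assumption of this example.
var minimumFixedPatch = map[int]int{
	17: 12,
	18: 4,
}

// ParseGoVersion parses a toolchain string such as "go1.17.12", "go1.19" or
// "go1.19rc1" into its minor and patch numbers (pre-releases count as patch 0).
func ParseGoVersion(v string) (minor, patch int, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "go")
	// Cut pre-release suffixes ("rc1", "beta2") so "1.19rc1" parses as 1.19.
	if i := strings.IndexAny(v, "rb"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 || parts[0] != "1" {
		return 0, 0, fmt.Errorf("unrecognised Go version %q", v)
	}
	if minor, err = strconv.Atoi(parts[1]); err != nil {
		return 0, 0, fmt.Errorf("bad minor in %q: %w", v, err)
	}
	if len(parts) > 2 {
		if patch, err = strconv.Atoi(parts[2]); err != nil {
			return 0, 0, fmt.Errorf("bad patch in %q: %w", v, err)
		}
	}
	return minor, patch, nil
}

// IsFixed reports whether a binary built with the given toolchain version
// already contains the fixes, according to minimumFixedPatch.
func IsFixed(goVersion string) (bool, error) {
	minor, patch, err := ParseGoVersion(goVersion)
	if err != nil {
		return false, err
	}
	if need, known := minimumFixedPatch[minor]; known {
		return patch >= need, nil
	}
	return minor > 18, nil
}

// CheckBinary reads the build info embedded in a compiled Go binary (what
// `go version -m <file>` prints) and returns the toolchain that built it plus
// the verdict from IsFixed. It needs neither the source tree nor the network.
func CheckBinary(path string) (goVersion string, fixed bool, err error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, fmt.Errorf("%s: %w", path, err)
	}
	fixed, err = IsFixed(bi.GoVersion)
	return bi.GoVersion, fixed, err
}

// Usage: go run check.go /path/to/provider /path/to/other-binary ...
// Exit status is non-zero when any binary was built with a vulnerable
// toolchain, so the check can gate a CI pipeline.
func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: check <binary>...")
		os.Exit(2)
	}
	bad := 0
	for _, p := range os.Args[1:] {
		v, ok, err := CheckBinary(p)
		switch {
		case err != nil:
			fmt.Printf("%s: ERROR %v\n", p, err)
			bad++
		case ok:
			fmt.Printf("%s: built with %s (fixed)\n", p, v)
		default:
			fmt.Printf("%s: built with %s (VULNERABLE, rebuild with Go 1.19)\n", p, v)
			bad++
		}
	}
	if bad > 0 {
		os.Exit(1)
	}
}
```

To check an image rather than a local file, copy the binaries out first (for example with `docker create` followed by `docker cp`) and pass the extracted paths; the checker itself must be compiled with Go 1.18 or newer because `debug/buildinfo` was added in that release. Remember that a scanner such as Snyk or Twistlock keys off this same embedded toolchain string, so rebuilding with the fixed toolchain is what clears the findings, not bumping the `go` directive in `go.mod`.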