NOTE: using latest fixes the intended CVE but there is still a high severity CVE found: CVE-2022-41721. It should be fixed with this PR in the next yq release which I assume will appear in the next week or so. In the meantime we could add a .trivyignore entry to get passing builds. (cc @andytinkham)
Alternatively, I've updated the Dockerfile to build yq from source, which already has the CVE fix (requires using the golang:alpine image for the helm test image).
Definition of Done
At least 1 todo must be completed in the sections below for the PR to be merged.
Changelog
[ ] The CHANGELOG has been updated, or
[x] This PR does not include user-facing changes and doesn't require a CHANGELOG update
Test coverage
[ ] This PR includes new unit and integration tests to go with the code changes, or
[x] The changes in this PR do not require tests
Documentation
[ ] Docs (e.g. READMEs) were updated in this PR
[ ] A follow-up issue to update official docs has been filed here: [insert issue ID]
[x] This PR does not require updating any documentation
Behavior
[ ] This PR changes product behavior and has been reviewed by a PO, or
[ ] These changes are part of a larger initiative that will be reviewed later, or
[x] No behavior was changed with this PR
Security
[ ] Security architect has reviewed the changes in this PR,
[ ] These changes are part of a larger initiative with a separate security review, or
[x] There are no security aspects to these changes
Desired Outcome
Address failing builds caused by the high-severity CVE-2022-28948 pulled in via yq
Implemented Changes
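As an added illustration of the "build yq from source" alternative described in this PR (this is not the PR's own Dockerfile): a two-stage build where a golang:alpine stage compiles yq and only the resulting static binary is copied into the helm test image, so the Go toolchain and its module cache never ship in the scanned final image. The image tags, the YQ_REF default and the alpine/helm base are assumptions; unlike a .trivyignore entry, which only suppresses the finding, this removes the vulnerable build from the image.

```dockerfile
# Added example, not the project's Dockerfile. Image tags and YQ_REF are assumptions.

# Builder stage: a pinned Go toolchain keeps the build reproducible.
FROM golang:1.19-alpine AS yq-builder

# YQ_REF is hypothetical: point it at the yq commit or tag that carries the fix.
# A branch name or tag is accepted by `go install` as a module version query.
ARG YQ_REF=main

# Static, trimmed binary so the final image needs no libc or build paths.
ENV CGO_ENABLED=0 GOFLAGS=-trimpath

# Build yq from source; the version check fails the build early if it did not install.
RUN go install "github.com/mikefarah/yq/v4@${YQ_REF}" \
 && /go/bin/yq --version

# Final helm test image (assumed base image and tag; use the project's own).
FROM alpine/helm:3.10.3

# Copy only the yq binary; nothing from the Go toolchain reaches this layer.
COPY --from=yq-builder /go/bin/yq /usr/local/bin/yq

# Sanity check that the copied binary runs in the final image.
RUN yq --version
```

Rebuilding with `--build-arg YQ_REF=<tag>` once the fixed yq release is published lets the same Dockerfile track the release instead of a branch.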