Closed szh closed 2 years ago
Code Climate has analyzed commit c2a0f7ed and detected 1 issue on this pull request.
Here's the issue category breakdown:
| Category | Count |
|---|---|
| Style | 1 |
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 34.3% (0.0% change).
Desired Outcome
Dependabot has flagged 3 issues in Secretless modules:

- CVE-2022-23648: Insecure handling of image volumes in containerd CRI plugin (High severity)
- CVE-2015-3627: Symlink attack in libcontainer and docker engine (Medium severity)
- GHSA-qq97-vm5h-rrhg: OCI Manifest Type Confusion

It looks like the affected modules are only indirect dependencies or used in test code, but we should upgrade them. Some of the updates seem to cross major version boundaries, so this is likely more than just version bumps.
To fix these, we need to get:

- github.com/containerd/containerd to 1.6.1, 1.5.10, or 1.4.13 or later
- github.com/docker/docker to 1.6.1 or later
- github.com/docker/distribution to 2.8.0 or later (or if we're using the main branch, to the commit after https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586)

This includes any indirect references back to these libraries if possible. (Go.sum should contain no references to vulnerable versions. If that's not possible, we need to document which modules are pulling in old versions so we can watch for updates to them or replace those modules with more up-to-date alternatives.)
Implemented Changes
Connected Issue/Story
Resolves #1420
CyberArk internal issue link: CONJSE-1284
Definition of Done
- Changelog
- Test coverage
- Documentation
- README(s) were updated in this PR
- Behavior
- Security
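The Desired Outcome asks that go.sum carry no reference to a vulnerable version of the three modules. The checker below is an added example, not code from this PR or from Secretless: it encodes the fix thresholds quoted above (including containerd's three patched release lines) and scans go.sum text for versions still below them. Pseudo-versions pinning a commit are flagged conservatively, since the distribution fix is "the commit after b59a6f8" and cannot be judged from the version string alone.

```go
package main

import (
	"strconv"
	"strings"
)

// Minimum patched versions quoted from the PR's Dependabot findings.
var fixed = map[string][]string{
	"github.com/containerd/containerd": {"v1.4.13", "v1.5.10", "v1.6.1"},
	"github.com/docker/docker":         {"v1.6.1"},
	"github.com/docker/distribution":   {"v2.8.0"},
}

// parseVer reads "vX.Y.Z" as [major minor patch], dropping "+incompatible" and
// pre-release suffixes; a pseudo-version (v0.0.0-...) becomes 0.0.0 and so
// stays flagged until the pinned commit is checked by hand.
func parseVer(s string) (v [3]int) {
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	for i, p := range strings.SplitN(s, ".", 3) {
		v[i], _ = strconv.Atoi(p)
	}
	return v
}

// Patched: version is on a fixed release line at or past the fix, or on a line
// newer than the newest fix. Modules not in the table pass.
func Patched(module, version string) bool {
	fixes, tracked := fixed[module]
	if !tracked {
		return true
	}
	v, newest := parseVer(version), parseVer(fixes[len(fixes)-1])
	for _, f := range fixes {
		if fv := parseVer(f); fv[0] == v[0] && fv[1] == v[1] {
			return v[2] >= fv[2]
		}
	}
	return v[0] > newest[0] || (v[0] == newest[0] && v[1] > newest[1])
}

// VulnerableInGoSum scans go.sum text ("path version hash"), skips the
// duplicate "/go.mod" lines, and returns "path version" for each hit.
func VulnerableInGoSum(goSum string) (out []string) {
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || strings.HasSuffix(f[1], "/go.mod") || Patched(f[0], f[1]) {
			continue
		}
		out = append(out, f[0]+" "+f[1])
	}
	return out
}
```

Feed it the repository's go.sum (or the output of `go list -m all`, which has the same "path version" shape) and follow each hit with `go mod why -m <path>` to find the module that pulls the old version in.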