deepfence / YaraHunter

🔍🔍 Malware scanner for cloud-native, as part of CI/CD and at Runtime 🔍🔍
https://deepfence.io/
Apache License 2.0

Multiple Critical CVEs in Go and other image dependencies #69

Closed acc23 closed 9 months ago

acc23 commented 9 months ago

When uploading the latest YaraHunter image to Google Cloud Artifact Registry, the container scanning feature reports many critical and high value CVEs.

I would like to know if it would be possible to upgrade Go and any other dependencies that contain critical or high scoring CVEs.

Table of fixable high/critical Go CVEs:

| Name | Effective severity | VEX status | Package | Package type |
|---|---|---|---|---|
| CVE-2023-29405 | Critical | Unspecified | go | Go stdlib |
| CVE-2023-24540 | Critical | Unspecified | go | Go stdlib |
| CVE-2023-24538 | Critical | Unspecified | go | Go stdlib |
| CVE-2023-29402 | Critical | Unspecified | go | Go stdlib |
| CVE-2023-39320 | Critical | Unspecified | go | Go stdlib |
| CVE-2022-23806 | Critical | Unspecified | go | Go stdlib |
| CVE-2023-29404 | Critical | Unspecified | go | Go stdlib |
| CVE-2021-38297 | Critical | Unspecified | go | Go stdlib |
| CVE-2022-24675 | High | Unspecified | go | Go stdlib |
| CVE-2022-41723 | High | Unspecified | go | Go stdlib |
| CVE-2022-30633 | High | Unspecified | go | Go stdlib |
| CVE-2021-39293 | High | Unspecified | go | Go stdlib |
| CVE-2022-2880 | High | Unspecified | go | Go stdlib |
| CVE-2022-41715 | High | Unspecified | go | Go stdlib |
| CVE-2022-24921 | High | Unspecified | go | Go stdlib |
| CVE-2022-30580 | High | Unspecified | go | Go stdlib |
| CVE-2022-30632 | High | Unspecified | go | Go stdlib |
| CVE-2023-24534 | High | Unspecified | go | Go stdlib |
| CVE-2022-41724 | High | Unspecified | go | Go stdlib |
| CVE-2021-33198 | High | Unspecified | go | Go stdlib |
| CVE-2021-33195 | High | Unspecified | go | Go stdlib |
| CVE-2023-24536 | High | Unspecified | go | Go stdlib |
| CVE-2023-29400 | High | Unspecified | go | Go stdlib |
| CVE-2022-23773 | High | Unspecified | go | Go stdlib |
| CVE-2023-39322 | High | Unspecified | go | Go stdlib |
| CVE-2022-30635 | High | Unspecified | go | Go stdlib |
| CVE-2021-41771 | High | Unspecified | go | Go stdlib |
| CVE-2021-33196 | High | Unspecified | go | Go stdlib |
| CVE-2022-30631 | High | Unspecified | go | Go stdlib |
| CVE-2023-29403 | High | Unspecified | go | Go stdlib |
| CVE-2022-32189 | High | Unspecified | go | Go stdlib |
| CVE-2021-41772 | High | Unspecified | go | Go stdlib |
| CVE-2023-24537 | High | Unspecified | go | Go stdlib |
| CVE-2022-41725 | High | Unspecified | go | Go stdlib |
| CVE-2023-39533 | High | Unspecified | go | Go stdlib |
| CVE-2022-28131 | High | Unspecified | go | Go stdlib |
| CVE-2022-30630 | High | Unspecified | go | Go stdlib |
| CVE-2022-28327 | High | Unspecified | go | Go stdlib |
| CVE-2023-24539 | High | Unspecified | go | Go stdlib |
| CVE-2023-39321 | High | Unspecified | go | Go stdlib |
| CVE-2022-27664 | High | Unspecified | go | Go stdlib |
| CVE-2022-23772 | High | Unspecified | go | Go stdlib |
| CVE-2022-2879 | High | Unspecified | go | Go stdlib |
| CVE-2021-29923 | High | Unspecified | go | Go stdlib |
| CVE-2021-44716 | High | Unspecified | go | Go stdlib |

Other fixable high severity CVEs:

| Name | Effective severity | CVSS | Fix available | VEX status | Package | Package type |
|---|---|---|---|---|---|---|
| CVE-2023-30861 | High | 7.5 | Yes | Unspecified | flask | Python |
| CVE-2023-2253 | High | 6.5 | Yes | Unspecified | github.com/docker/distribution | Go |

Please advise on the possibilities of this? Updating it would prevent the need for building a custom image or forking the repo, which would be great to prevent, if possible.
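
The stdlib findings above are attributed to the Go toolchain that the image's binary was built with, and the `github.com/docker/distribution` finding to a module linked into it; both are recorded in the build info Go embeds in every executable (what `go version -m` prints). One way to catch this in CI before an image is pushed, as an added example that is not YaraHunter's own code: read the build info with the standard library's `debug/buildinfo` package and fail the build if the toolchain or a listed module is below a minimum version. The minimum versions here are placeholders (take the real ones from the scanner's fix advice for each CVE), the sample build info is constructed, and `parseVersion`, `findViolations`, `checkBinary` and `sampleBuildInfo` are names chosen for this example.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// parseVersion turns "go1.19.5", "v2.8.1+incompatible" or "2.8.2" into
// [major, minor, patch]. ok is false for "(devel)" or anything else it
// cannot read as dotted integers; callers must not treat those as "fine".
func parseVersion(v string) (parts [3]int, ok bool) {
	v = strings.TrimPrefix(v, "go")
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "+-"); i >= 0 { // drop build/pre-release suffix
		v = v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) > 3 {
		return parts, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil {
			return parts, false
		}
		parts[i] = n
	}
	return parts, true
}

func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// findViolations compares the toolchain and module versions recorded in the
// binary's build info against the policy minimums. Modules the binary does
// not contain are ignored; a dependency with a replace directive is judged by
// the replacement's version; an unparsable version is reported, not skipped.
func findViolations(info *debug.BuildInfo, minGo string, minModules map[string]string) []string {
	var out []string
	needGo, _ := parseVersion(minGo)
	if have, ok := parseVersion(info.GoVersion); !ok || less(have, needGo) {
		out = append(out, fmt.Sprintf("toolchain %q is below required go%s", info.GoVersion, minGo))
	}
	for _, dep := range info.Deps {
		minimum, wanted := minModules[dep.Path]
		if !wanted {
			continue
		}
		version := dep.Version
		if dep.Replace != nil {
			version = dep.Replace.Version
		}
		need, _ := parseVersion(minimum)
		have, ok := parseVersion(version)
		switch {
		case !ok:
			out = append(out, fmt.Sprintf("%s %q is not comparable; review manually", dep.Path, version))
		case less(have, need):
			out = append(out, fmt.Sprintf("%s %s is below required %s", dep.Path, version, minimum))
		}
	}
	return out
}

// checkBinary reads the build info embedded in a Go executable on disk
// (the same data `go version -m` prints) and returns policy violations.
func checkBinary(path, minGo string, minModules map[string]string) ([]string, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return findViolations(info, minGo, minModules), nil
}

// sampleBuildInfo is a constructed BuildInfo for demonstration; the module
// list is illustrative and is not YaraHunter's real dependency set.
func sampleBuildInfo(goVersion, distributionVersion string) *debug.BuildInfo {
	return &debug.BuildInfo{
		GoVersion: goVersion,
		Path:      "github.com/deepfence/YaraHunter",
		Main:      debug.Module{Path: "github.com/deepfence/YaraHunter", Version: "(devel)"},
		Deps: []*debug.Module{
			{Path: "github.com/docker/distribution", Version: distributionVersion},
			{Path: "example.com/unrelated", Version: "v1.0.0"},
		},
	}
}

func main() {
	// Placeholder policy values; substitute the fixed versions from the scanner.
	minGo := "1.21.1"
	minModules := map[string]string{"github.com/docker/distribution": "2.8.2"}
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: checkbuild <path-to-go-binary>")
		os.Exit(2)
	}
	violations, err := checkBinary(os.Args[1], minGo, minModules)
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read build info:", err)
		os.Exit(2)
	}
	for _, v := range violations {
		fmt.Println("FAIL:", v)
	}
	if len(violations) > 0 {
		os.Exit(1)
	}
}
```

Run it against the binary extracted from the image (for example the file copied out with `docker cp`); a non-zero exit marks the image as not meeting the policy. Because the check reads the embedded build info rather than the base image's package database, it sees exactly what the registry scanner sees for Go findings: the toolchain version the binary was compiled with, which only a rebuild with a newer Go changes.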

shyam-dev commented 9 months ago

Hello @acc23 - Thank you for bringing this to our notice. We will release the latest images shortly.