Open lucasrod16 opened 12 months ago
https://github.com/advisories/GHSA-qppj-fm5r-hxr3
https://github.com/advisories/GHSA-4374-p667-p6c8

What version of Go are you using (`go version`)?

```
$ go version
go version go1.21.3 darwin/arm64
```

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (`go env`)?

`go env` Output

```
$ go env
GO111MODULE=''
GOARCH='arm64'
GOBIN='/Users/lucas/go/bin'
GOCACHE='/Users/lucas/Library/Caches/go-build'
GOENV='/Users/lucas/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/lucas/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/lucas/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/opt/homebrew/Cellar/go/1.21.3/libexec'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/opt/homebrew/Cellar/go/1.21.3/libexec/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.21.3'
GCCGO='gccgo'
AR='ar'
CC='cc'
CXX='c++'
CGO_ENABLED='1'
GOMOD='/Users/lucas/Code/defenseunicorns/zarf-init-aws/credential-helper/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/yy/c1vw1yp55n1bkj48n5vds7740000gn/T/go-build1393718305=/tmp/go-build -gno-record-gcc-switches -fno-common'
```

What did you do?

```
$ zarf tools sbom packages --exclude './iam' . -o json | grype --fail-on low
 ✔ Indexed .
 ✔ Cataloged packages      [1461 packages]
NAME              INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY
golang.org/x/net  v0.15.0    0.17.0    go-module  GHSA-qppj-fm5r-hxr3  Medium
golang.org/x/net  v0.15.0    0.17.0    go-module  GHSA-4374-p667-p6c8  Medium
1 error occurred:
	* discovered vulnerabilities at or above the severity threshold
```

```
$ go mod graph | grep golang.org/x/net@v0.15.0
golang.org/x/tools@v0.13.0 golang.org/x/net@v0.15.0
```

What did you expect to see?

There is a released version of x/tools that uses x/net version v0.17.0

What did you see instead?

The current latest version of x/tools (v0.14.0) is on x/net version v0.16.0

cc @golang/tools-team @golang/release
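The `go mod graph | grep` step in the report only matches one exact version string. As an added example (not part of the original issue or of any Go project code), the sketch below lists every graph edge that requires a module below a fixed version. The function names are hypothetical, `sampleGraph` is constructed apart from the x/tools edge quoted in the issue, and versions are assumed to be plain `vMAJOR.MINOR.PATCH`.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed `go mod graph` sample: the x/tools -> x/net edge is the one quoted
// in the issue, the example.com lines are made up.
const sampleGraph = `example.com/app golang.org/x/tools@v0.13.0
example.com/app golang.org/x/net@v0.17.0
golang.org/x/tools@v0.13.0 golang.org/x/net@v0.15.0
golang.org/x/tools@v0.13.0 golang.org/x/mod@v0.12.0`

// parse reads the leading vMAJOR.MINOR.PATCH numbers (assumption: any
// pre-release or pseudo-version suffix is ignored; unparsed parts stay 0).
func parse(v string) (out [3]int) {
	fmt.Sscanf(v, "v%d.%d.%d", &out[0], &out[1], &out[2])
	return out
}

// older reports whether version a sorts before version b, comparing numerically.
func older(a, b string) bool {
	x, y := parse(a), parse(b)
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// staleRequirers lists edges "parent -> module@version" that require module below fixed.
func staleRequirers(graph, module, fixed string) []string {
	var hits []string
	for _, line := range strings.Split(graph, "\n") {
		parent, dep, _ := strings.Cut(strings.TrimSpace(line), " ")
		name, ver, ok := strings.Cut(dep, "@")
		if ok && name == module && older(ver, fixed) {
			hits = append(hits, parent+" -> "+dep)
		}
	}
	return hits
}

func main() {
	fmt.Println(strings.Join(staleRequirers(sampleGraph, "golang.org/x/net", "v0.17.0"), "\n"))
}
```

An edge reported here shows which module's `go.mod` still names the old version; the version actually compiled into a build is the one selected by minimal version selection, which `go list -m all` prints.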