Closed by ikheifets-splunk 1 month ago
Hello, @aelsabbahy! Thank you for the PR. When are you planning to release it? Will it be available in 0.4.7?
Reopening the issue until the release happens. Yes, this will be part of the next goss release.
I should look into automating the trivy checks. :thinking:
Released 0.4.7, which should fix this. Feel free to re-open the ticket if it doesn't resolve this finding.
Many thanks @aelsabbahy ! Will test it :)
Checked; it's passing CVE testing. Closing this issue :) Thanks @aelsabbahy
Thanks for reporting. If you don't mind, can you show me how to reproduce the failing result on the old version? This way I can look into automating this at a future time.
Sure, we are using the Trivy GitHub action on CI, which tests our Docker image (our open source project is a Docker image); you can see the results here. After updating the goss version to 0.4.7, CI became green.
@aelsabbahy I think you can use this command: trivy repo --tag v0.4.6 https://github.com/goss-org/goss
P.S. docs here
Perfect, yeah, that worked, thanks! Will check out the GitHub Actions too.
I tried trivy fs goss-binary and got no results earlier, so I figured I was doing something wrong.
I will also try restarting this step on CI one more time; they update the CVE database every day, so there is a small chance that they could reclassify the CVE.
Our last release was 3 days ago, so probably something changed in their DB during this time.
Oh, I just meant it doesn't detect it if you scan the binary directory but does if you scan the repo.
I was confused earlier since I couldn't reproduce your results (due to scanning the binary); scanning the repo works just fine, and I might set up a weekly scan.
Thanks again, this should improve the security posture of Goss!
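As an added illustration of the weekly repository scan discussed above (this is example configuration, not a workflow from the goss project or from either participant), the workflow below runs Trivy against the checked-out source tree on a schedule. It assumes the aquasecurity/trivy-action inputs shown (scan-type, scan-ref, severity, ignore-unfixed, exit-code) and a Monday cadence; adjust both to taste.

```yaml
name: weekly-trivy-repo-scan

on:
  schedule:
    # Assumption: weekly cadence, Mondays 06:00 UTC. Trivy's database is
    # refreshed daily, so a scheduled run catches newly classified CVEs in
    # dependencies even when no code has changed.
    - cron: '0 6 * * 1'
  workflow_dispatch:

jobs:
  trivy-repo:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Scan the source tree (go.mod / go.sum are present here) rather than a
      # directory holding only the compiled binary; the thread above found that
      # the repo scan reports the finding while "trivy fs" on the binary did not.
      - name: Trivy filesystem scan of the repository
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          severity: 'HIGH,CRITICAL'
          # Only fail on findings that have a fixed version available,
          # so the job is actionable (bump the dependency) rather than noisy.
          ignore-unfixed: true
          exit-code: '1'
```

To reproduce a finding against a historical release locally, the CLI equivalent used in this thread is trivy repo --tag v0.4.6 https://github.com/goss-org/goss.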
I have also added the scan of the goss Dockerfile with the Trivy GitHub action to:
Awesome, thanks for all the clarifications, closing.
@aelsabbahy Trivy detected a new CVE and I published an issue.
Describe the bug: High severity CVE
How To Reproduce: https://github.com/aquasecurity/trivy detected this CVE
Expected Behavior: using a Go version without the CVE
Actual Behavior: using a Go version with the CVE
Environment: