goss-org / goss

Quick and Easy server testing/validation
https://goss.rocks
Apache License 2.0

High severity CVE related with go stdlib version #903

Closed ikheifets-splunk closed 1 month ago

ikheifets-splunk commented 1 month ago

Describe the bug: High severity CVE

[Screenshot attached: 2024-05-09 13:35:42]

How To Reproduce: https://github.com/aquasecurity/trivy detected this CVE

Expected Behavior: using Go version without CVE

Actual Behavior: using Go version with CVE

Environment:

ikheifets-splunk commented 1 month ago

Hello, @aelsabbahy ! Thank you for the PR. When are you planning to release it? Will it be available in 0.4.7?

aelsabbahy commented 1 month ago

Reopening issue until the release happens. Yes, this will be part of the next goss release.

I should look into automating the trivy checks. :thinking:

aelsabbahy commented 1 month ago

Released 0.4.7 which should fix this. Feel free to re-open ticket if it doesn't resolve this finding.

ikheifets-splunk commented 1 month ago

Many thanks @aelsabbahy ! Will test it :)

ikheifets-splunk commented 1 month ago

Checked, it's passing CVE testing, closing this issue :) thanks @aelsabbahy

aelsabbahy commented 1 month ago

Thanks for reporting. If you don't mind.. can you show me how to reproduce the failing result on the old version? This way I can look into automating this at a future time.

ikheifets-splunk commented 1 month ago

Sure, we are using the Trivy GitHub action on CI, which tests our docker image (our open source project is a docker image); you can see the results here. After updating the goss version to 0.4.7, CI became green.

We just added a few lines of code to our CI.

ikheifets-splunk commented 1 month ago

@aelsabbahy I think you can use such command: trivy repo --tag v0.4.6 https://github.com/goss-org/goss

P.S. docs here

aelsabbahy commented 1 month ago

Perfect, yeah that worked, thanks! Will check out the github actions too.

I tried trivy fs goss-binary and got no results earlier, and figured I was doing something wrong.

ikheifets-splunk commented 1 month ago

I will also try restarting this step on CI one more time; they update the CVE database every day, so there is a small chance they have reclassified the CVE.

Our last release was 3 days ago; probably something changed in their db during this time.

aelsabbahy commented 1 month ago

Oh, I just meant it doesn't detect it if you scan the binary directory but does if you scan the repo.

I was confused earlier since I couldn't reproduce your results (due to scanning binary), scanning repo works just fine and I might set up a weekly scan.

Thanks again, this should improve the security posture of Goss!
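For the weekly repository scan mentioned above, here is an added example of a GitHub Actions workflow, not code from the goss project or from anyone in this thread. It uses the aquasecurity/trivy-action inputs as documented by that action (scan-type, scan-ref, severity, exit-code); those input names and the action tag are assumptions, and the scan target is the checked-out source tree rather than the built binary, since the thread found that scanning the binary directory does not surface the Go stdlib finding while scanning the repo does.

```yaml
# Added example workflow (assumed names: trivy-action inputs, cron schedule, file .github/workflows/trivy.yml).
name: Trivy repo scan

on:
  pull_request:
  push:
    branches: [master]
  schedule:
    # Weekly scan (Monday 06:00 UTC) so newly published CVEs against
    # the pinned Go toolchain are caught between releases.
    - cron: "0 6 * * 1"

permissions:
  contents: read

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout source
        uses: actions/checkout@v4

      # Scan the repository (go.mod / go.sum / toolchain), not the compiled binary.
      # In practice pin the action to a release tag or commit SHA instead of @master.
      - name: Run Trivy against the repository
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "repo"
          scan-ref: "."
          # Only fail CI on the severities that matter for the release gate.
          severity: "HIGH,CRITICAL"
          # Non-zero exit turns a finding into a failed job.
          exit-code: "1"
          format: "table"
```

The local equivalent for a release tag is the command shown earlier in the thread (trivy repo --tag v0.4.6 https://github.com/goss-org/goss); adding --severity HIGH,CRITICAL --exit-code 1 to it gives the same pass/fail behaviour on a developer machine as the workflow does in CI.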

dklimpel commented 1 month ago

I had also added the scan with the trivy GitHub action of the goss docker file to:

aelsabbahy commented 1 month ago

Awesome, thanks for all the clarifications, closing.

ikheifets-splunk commented 1 week ago

@aelsabbahy trivy detected a new CVE and I published an issue