Closed LionelJouin closed 2 years ago
I'm sick and tired of vulnerabilities in golang.org/x/text. That seems to be the only reason we keep releasing updates, even though none of it actually poses a security problem to this project. Do you think there is a version that we can pin to and stick with long term?
Thank you for merging the PR and for the new release. I agree with you. When our security scanners are reporting a new vulnerability it prevents us from creating a new release of our project, even if it is probably not exploitable. We are planning to move to the gRPC probe as described in the readme, but for now, we still have to support 1.21 and 1.22.
I recommend not blocking on severity=MEDIUM vulnerabilities. :)
Vulnerability mitigation becomes an endless process I'm afraid. For instance FedRamp requires "CSPs must mitigate all discovered high-risk vulnerabilities within 30 days, mitigate moderate vulnerability risks in 90 days, and mitigate low vulnerability risks in 180 days. CSPs must send their Reviewer updated artifacts every 30 days to show evidence that outstanding high-risk vulnerabilities have been mitigated."
On Sat, 15 Oct 2022 at 00:30, user Ahmet Alp Balkan <@.***> wrote:

> I recommend not blocking on severity=MEDIUM vulnerabilities. :)
golang.org/x/text must be updated to fix CVE-2022-32149
Scan from Trivy:
Library: golang.org/x/text
Vulnerability: CVE-2022-32149
Severity: MEDIUM
Installed version: v0.3.7
Fixed version: v0.3.8
Title: golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags