hashicorp / packer

Packer is a tool for creating identical machine images for multiple platforms from a single source configuration.
http://www.packer.io

GO version vulnerabilities #13116

Closed kalpanathanneeru21 closed 1 month ago

kalpanathanneeru21 commented 2 months ago

Packer version: 1.11.1. Started seeing a couple of vulnerabilities in an Orca scan with Packer recently, which are related to the Go version, which is 1.21.

{
  "target": "usr/bin/packer",
  "category": "lang-pkgs",
  "type": "gobinary",
  "vulnerabilities": [
    {
      "vulnerability_id": "CVE-2024-24790",
      "severity": "CRITICAL",
      "pkg_name": "stdlib",
      "pkg_path": "",
      "installed_version": "1.21.10",
      "fixed_version": "1.21.11, 1.22.4",
      "cvss_v2_score": "",
      "cvss_v3_score": "9.8",
      "status_summary": {
        "priority": "HIGH",
        "status": "FAILED"
      }
    },
    {
      "vulnerability_id": "CVE-2024-24791",
      "severity": "HIGH",
      "pkg_name": "stdlib",
      "pkg_path": "",
      "installed_version": "1.21.10",
      "fixed_version": "1.21.12, 1.22.5",
      "cvss_v2_score": "",
      "cvss_v3_score": "7.5",
      "status_summary": {
        "priority": "HIGH",
        "status": "FAILED"
      }
    },
    {
      "vulnerability_id": "CVE-2024-24789",
      "severity": "MEDIUM",
      "pkg_name": "stdlib",
      "pkg_path": "",
      "installed_version": "1.21.10",
      "fixed_version": "1.21.11, 1.22.4",
      "cvss_v2_score": "",
      "cvss_v3_score": "5.5",
      "status_summary": {
        "priority": "INFO",
        "status": "WARNING"
      }
    }
  ],

Is there any possibility of upgrading the Go version soon to 1.22.4 or 1.22.5?

nywilken commented 1 month ago

As mentioned in the change request, we do not bump the Go mod version unless there is a specific reason. However, we bumped the version of Go used for building and releasing, which addresses the issues mentioned in this issue. Packer's tooling is using Go 1.21.12. When Go 1.23.0 is released later this month, we will make the necessary changes to our tooling to support Go 1.22.5+.

If ever you find an issue and wish to open a change request against Packer's tooling you can do so by modifying the .go-version file at the project's root directory.
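The distinction the maintainer draws is the one that matters for stdlib CVEs: a scanner keys them on the Go toolchain that compiled the binary (stamped into the binary's build info), not on the `go` directive in go.mod. The program below is an added example, not code from Packer or from the scanner; it reads that stamped version with the standard library's `debug/buildinfo` package and re-applies the scanner's "fixed_version" logic to the three findings from the scan output above. The finding list, the `openFindings` and `isFixed` names, and the version-comparison rules for minor lines without a listed fix are this example's own assumptions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// finding mirrors the scanner fields we need. The entries are copied from the
// scan output in this issue (constructed sample data, not a live scan).
type finding struct{ id, fixedVersions string }

var pageFindings = []finding{
	{"CVE-2024-24790", "1.21.11, 1.22.4"},
	{"CVE-2024-24791", "1.21.12, 1.22.5"},
	{"CVE-2024-24789", "1.21.11, 1.22.4"},
}

// goVersion is a parsed Go release, e.g. "go1.21.10" (build info form) or "1.22.4".
type goVersion struct{ major, minor, patch int }

func parseGoVersion(s string) (goVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	// Drop pre-release tags such as "rc1" or "beta2" ("1.23rc1" -> "1.23").
	if i := strings.IndexFunc(s, func(r rune) bool { return r != '.' && (r < '0' || r > '9') }); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil {
			return goVersion{}, fmt.Errorf("unrecognised Go version %q: %w", s, err)
		}
		n[i] = v
	}
	return goVersion{n[0], n[1], n[2]}, nil
}

func (v goVersion) less(w goVersion) bool {
	if v.major != w.major {
		return v.major < w.major
	}
	if v.minor != w.minor {
		return v.minor < w.minor
	}
	return v.patch < w.patch
}

// isFixed applies the scanner's "fixed_version" field ("1.21.11, 1.22.4": one
// patch release per supported minor line). The toolchain is fixed if its minor
// line has a listed fix and its patch level is at or above it. Assumed rules for
// lines with no listed fix: a line older than every fix (1.20.x here) is out of
// support and still affected; a line newer than every fix (1.23.x) post-dates
// the fix and counts as fixed.
func isFixed(installed, fixedVersions string) (bool, error) {
	inst, err := parseGoVersion(installed)
	if err != nil {
		return false, err
	}
	var newest goVersion
	for _, f := range strings.Split(fixedVersions, ",") {
		fv, err := parseGoVersion(f)
		if err != nil {
			return false, err
		}
		if fv.major == inst.major && fv.minor == inst.minor {
			return !inst.less(fv), nil
		}
		if newest.less(fv) {
			newest = fv
		}
	}
	return newest.less(inst), nil
}

// openFindings returns the IDs that still apply to a binary built with goVer.
func openFindings(goVer string, findings []finding) ([]string, error) {
	var open []string
	for _, f := range findings {
		fixed, err := isFixed(goVer, f.fixedVersions)
		if err != nil {
			return nil, err
		}
		if !fixed {
			open = append(open, f.id)
		}
	}
	return open, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gochk <go-binary>   e.g. gochk usr/bin/packer")
		os.Exit(2)
	}
	bi, err := buildinfo.ReadFile(os.Args[1]) // toolchain version stamped at build time
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	open, err := openFindings(bi.GoVersion, pageFindings)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s built with %s; still affected: %v\n", os.Args[1], bi.GoVersion, open)
}
```

`go version -m usr/bin/packer` prints the same stamped toolchain version without any code, and `govulncheck -mode=binary usr/bin/packer` does the real check against the Go vulnerability database, including whether the affected stdlib symbols are actually reachable from the binary, which a scanner matching on version alone cannot tell you. With the 1.21.12 build toolchain the maintainer mentions, all three findings listed here drop out.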

github-actions[bot] commented 3 weeks ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.