hashicorp / terraform-provider-null

Utility provider that provides constructs that intentionally do nothing, useful in various situations to help orchestrate tricky behavior or work around limitations.
https://registry.terraform.io/providers/hashicorp/null/latest
Mozilla Public License 2.0

Bump Go version from 1.19.3 to 1.20.4+ #242

Closed azuterios closed 1 year ago

azuterios commented 1 year ago

Terraform CLI and Provider Versions

Terraform Version

Terraform version 1.5.0
Null provider 3.2.1

Terraform Configuration

Dear HashiCorp Team,
Some vulnerabilities are visible after the latest scan. Please update the Go version to 1.20.4+ and then release a brand new version of the null provider, as the latest version is from November 2022 and some critical fixes have already been introduced in the code but never released.

Expected Behavior

No vulnerabilities present.

Actual Behavior

CVE-2021-44716: golang.org/x/net/http2 of terraform-provider-null_v3.2.1_x5 should be updated to version 0.0.0-20211209124913-491a49abca63
CVE-2022-41717: Go version needs to be updated from 1.19.3 to 1.19.4
CVE-2022-27664: golang.org/x/net/http/httpguts needs to be updated to 0.0.0-20220906165146-f3363e06e74c
CVE-2022-32149: golang.org/x/text and golang.org/x/text/language need to be updated to 0.3.8
CVE-2022-41724: Go version needs to be updated from 1.19.3 to 1.19.4
CVE-2022-41715: Go version needs to be updated from 1.18.5 to 1.19.2, 1.18.7
CVE-2022-2880: Go version needs to be updated from 1.18.5 to 1.19.2, 1.18.7
CVE-2022-32190: Go version needs to be updated from 1.18.5 to 1.19.2, 1.18.7
CVE-2022-2879: Go version needs to be updated from 1.18.5 to 1.19.2, 1.18.7
CVE-2022-41716: Go version needs to be updated from 1.18.5 to 1.19.2, 1.18.7
CVE-2023-24538: Go version needs to be updated from 1.18.5 to 1.20.3, 1.19.8
CVE-2023-24534: Go version needs to be updated from 1.18.5 to 1.20.3, 1.19.8

These vulnerabilities come from the outdated Go version.

Steps to Reproduce

Scan with Twistlock scanner.

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

No response


KevinCiz commented 1 year ago

Additional CVE

CVE-2022-27664: Go version needs to be updated to > 1.19.1
CVE-2022-41723: upgrade the net package to >= v0.8.0 to fix, or upgrading Go to > 1.19.6 would address those issues
CVE-2022-41725: Go version needs to be updated from 1.18.5 to 1.19.6, 1.20.1
CVE-2023-24536: Go version needs to be updated from 1.18.5 to 1.20.3, 1.19.8

Bjyothi2023 commented 1 year ago

Hi Team, please help with releasing a newer version with the current code base. The currently available version v3.2.1 is a very old release and is missing the new changes. External products which are using this tool are getting affected, as their vulnerability scanners are reporting multiple CVEs and they are not able to move further. Thanks in advance.

austinvalle commented 1 year ago

Hi all 👋🏻 ,

We're working through releases on all of the utility providers and just released v3.2.2 of the null provider with updated dependencies built with Go 1.20 (no functional changes).

It may take an hour or so to update in the registry cache. Thanks!

Also a note for those using Terraform 1.4 and later: you can use the terraform_data built-in managed resource instead of null_resource, as it is intended to support all its use cases without the need for an external provider plugin.
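Both the scanner findings above and the maintainer's "built with Go 1.20" note can be verified against what is actually embedded in the provider binary, since every Go binary carries its toolchain version and module list (readable with `go version -m <binary>`). The following is an added example, not code from the thread or from the null provider: it parses that output and flags any component below the fixed versions quoted in the issue (Go 1.20.4+ as the reporter requested, golang.org/x/net v0.8.0 for CVE-2022-41723, golang.org/x/text v0.3.8 for CVE-2022-32149). The two build-info samples are constructed for this example, not captured from real binaries, and the version comparison is a simplified semver/pseudo-version ordering, not the full Go module ordering.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample in the shape of `go version -m <binary>` output for a
// build like the one scanned in the issue (Go 1.19.3, pre-fix x/net and
// x/text). Module versions and hashes are placeholders, not real releases.
const sampleBuildInfoOld = `terraform-provider-null_v3.2.1_x5: go1.19.3
	path	github.com/hashicorp/terraform-provider-null
	mod	github.com/hashicorp/terraform-provider-null	(devel)
	dep	golang.org/x/net	v0.0.0-20210101000000-0123456789ab	h1:constructed=
	dep	golang.org/x/text	v0.3.7	h1:constructed=
	dep	google.golang.org/grpc	v1.50.1	h1:constructed=
`

// Constructed sample for a rebuilt binary on a newer toolchain with updated deps.
const sampleBuildInfoFixed = `terraform-provider-null_v3.2.2_x5: go1.20.4
	path	github.com/hashicorp/terraform-provider-null
	mod	github.com/hashicorp/terraform-provider-null	(devel)
	dep	golang.org/x/net	v0.8.0	h1:constructed=
	dep	golang.org/x/text	v0.8.0	h1:constructed=
	dep	google.golang.org/grpc	v1.50.1	h1:constructed=
`

// minimumFixed maps a component ("go" for the toolchain, otherwise a module
// path) to the lowest version the issue thread reports as fixed.
var minimumFixed = map[string]string{
	"go":                "1.20.4",
	"golang.org/x/net":  "v0.8.0",
	"golang.org/x/text": "v0.3.8",
}

// Component is one toolchain or module entry recovered from the build info.
type Component struct {
	Path    string
	Version string
}

// parseGoVersionM extracts the Go toolchain and every "dep" line from
// `go version -m` text. "mod" (the main module) and "=>" replace lines are skipped.
func parseGoVersionM(out string) ([]Component, error) {
	lines := strings.Split(strings.TrimSpace(out), "\n")
	hdr := strings.Fields(lines[0])
	if len(hdr) < 2 || !strings.HasPrefix(hdr[len(hdr)-1], "go") {
		return nil, errors.New("first line does not look like '<binary>: goX.Y.Z'")
	}
	comps := []Component{{Path: "go", Version: strings.TrimPrefix(hdr[len(hdr)-1], "go")}}
	for _, l := range lines[1:] {
		f := strings.Fields(l) // kind, path, version, [hash]
		if len(f) >= 3 && f[0] == "dep" {
			comps = append(comps, Component{Path: f[1], Version: f[2]})
		}
	}
	return comps, nil
}

// parseVersion splits "go1.19.3", "v0.3.8" or "v0.0.0-<ts>-<hash>" into
// numeric major/minor/patch and an optional pre-release/pseudo-version tail.
// Non-numeric core parts (e.g. "1.21rc1") are treated as 0: a simplification.
func parseVersion(v string) (nums [3]int, pre string) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	core := v
	if i := strings.IndexByte(v, '-'); i >= 0 {
		core, pre = v[:i], v[i+1:]
	}
	for i, p := range strings.SplitN(core, ".", 3) {
		nums[i], _ = strconv.Atoi(p)
	}
	return nums, pre
}

// compareVersions returns -1, 0 or 1. A release outranks a pre-release or
// pseudo-version with the same numbers; two pseudo-versions compare by their
// timestamp-led tails, which sorts correctly for Go's yyyymmddhhmmss format.
func compareVersions(a, b string) int {
	an, ap := parseVersion(a)
	bn, bp := parseVersion(b)
	for i := 0; i < 3; i++ {
		if an[i] != bn[i] {
			if an[i] < bn[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case ap == bp:
		return 0
	case ap == "":
		return 1
	case bp == "":
		return -1
	case ap < bp:
		return -1
	}
	return 1
}

// audit reports every component in the build info that is below its floor.
// Components without an entry in minimum are ignored, not reported.
func audit(buildInfo string, minimum map[string]string) ([]string, error) {
	comps, err := parseGoVersionM(buildInfo)
	if err != nil {
		return nil, err
	}
	var findings []string
	for _, c := range comps {
		floor, ok := minimum[c.Path]
		if ok && compareVersions(c.Version, floor) < 0 {
			findings = append(findings, fmt.Sprintf("%s %s is below fixed version %s", c.Path, c.Version, floor))
		}
	}
	return findings, nil
}

func main() {
	for name, info := range map[string]string{"old build": sampleBuildInfoOld, "rebuilt": sampleBuildInfoFixed} {
		findings, err := audit(info, minimumFixed)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  ", f)
		}
	}
}
```

On a real binary, the input text comes from `go version -m` run against the plugin in your Terraform cache (`.terraform/providers/registry.terraform.io/hashicorp/null/<version>/<os_arch>/`); `govulncheck -mode binary <path>` performs the same read but matches against the Go vulnerability database instead of a hand-maintained floor table, and is the better tool when the question is "which CVEs" rather than "did the rebuild pick up the versions the maintainer said".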

github-actions[bot] commented 6 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.