hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io

Bump version of "github.com/golang-jwt/jwt/v4" to v4.4.3 #34292

Open Bjyothi2023 opened 12 months ago

Bjyothi2023 commented 12 months ago

Terraform Version

Terraform version 1.6.3

Terraform Configuration Files

NA

Debug Output

Security vulnerability "PRISMA-2022-0270" is reported because of "github.com/golang-jwt/jwt/v4" version v4.4.2. The fixed version available is v4.4.3. Requesting that you update "github.com/golang-jwt/jwt/v4" from v4.4.2 to v4.4.3.

Expected Behavior

The vulnerability scanner should not report PRISMA-2022-0270.

Actual Behavior

The vulnerability scanner reports PRISMA-2022-0270.

Steps to Reproduce

By running the Twistlock security scanner over a container with Terraform installed.

Additional Context

No response

References

No response

apparentlymart commented 11 months ago

Hi @Bjyothi2023,

According to the upstream issue https://github.com/golang-jwt/jwt/issues/258, this vulnerability report is invalid. The upstream maintainers suggest that the new release does not change anything material about the code and instead they've just clarified the documentation to reflect correct vs. incorrect usage of the library, and so upgrading alone would not be sufficient if there was a problem here.

For our part, we will review our usage of this library to ensure we are not using it in the incorrect way that issue discusses.
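To make the distinction in the comment above concrete, here is an added example. It is neither Terraform's code nor golang-jwt's: a standard-library-only sketch of the same division of labour the library uses, where the token header's alg selects the verification method and the caller's key function supplies the key. It assumes that the usage the upstream issue discusses is a key function that returns a key without checking the token's signing method; the page itself does not say that, so treat it as an assumption. `Keyfunc`, `Verify`, `StrictKeyfunc`, `LaxKeyfunc`, `SignHS256` and `WithAlg` are names of this example, and the secret and claims are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Header is the decoded JOSE header; only "alg" matters here.
type Header struct {
	Alg string `json:"alg"`
}

// Keyfunc has the shape of golang-jwt's Keyfunc (modelled here, not the
// library's own type): it receives the parsed but still UNVERIFIED header and
// returns the key to verify with. Everything in that header is attacker-chosen.
type Keyfunc func(h Header) ([]byte, error)

var (
	ErrMalformed      = errors.New("jwt: malformed token")
	ErrUnexpectedAlg  = errors.New("jwt: unexpected signing method")  // caller's check
	ErrUnsupportedAlg = errors.New("jwt: unsupported signing method") // verifier's check
	ErrBadSignature   = errors.New("jwt: signature verification failed")
)

var enc = base64.RawURLEncoding

// SignHS256 builds a compact JWS over claims with HMAC-SHA256 (test fixture).
func SignHS256(claims map[string]interface{}, key []byte) string {
	hb, _ := json.Marshal(Header{Alg: "HS256"})
	pb, _ := json.Marshal(claims)
	signingInput := enc.EncodeToString(hb) + "." + enc.EncodeToString(pb)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil))
}

// WithAlg rewrites a token's header to claim alg but keeps the old signature:
// what an attacker who cannot sign would send to probe the verifier.
func WithAlg(token, alg string) string {
	parts := strings.Split(token, ".")
	hb, _ := json.Marshal(Header{Alg: alg})
	parts[0] = enc.EncodeToString(hb)
	return strings.Join(parts, ".")
}

// Verify splits the work the way golang-jwt's Parse does: the caller's Keyfunc
// decides which key (and, only if it bothers, which alg) is acceptable, then
// the method named by the header is run with that key.
func Verify(token string, kf Keyfunc) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	hb, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, ErrMalformed
	}
	var h Header
	if err := json.Unmarshal(hb, &h); err != nil {
		return nil, ErrMalformed
	}
	key, err := kf(h) // the caller's policy runs here, before any crypto
	if err != nil {
		return nil, err
	}
	switch h.Alg {
	case "HS256":
		sig, err := enc.DecodeString(parts[2])
		if err != nil {
			return nil, ErrMalformed
		}
		mac := hmac.New(sha256.New, key)
		mac.Write([]byte(parts[0] + "." + parts[1]))
		if !hmac.Equal(mac.Sum(nil), sig) { // constant-time compare
			return nil, ErrBadSignature
		}
	default: // no "none", no method this verifier does not implement
		return nil, fmt.Errorf("%w: %q", ErrUnsupportedAlg, h.Alg)
	}
	pb, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, ErrMalformed
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(pb, &claims); err != nil {
		return nil, ErrMalformed
	}
	return claims, nil
}

// LaxKeyfunc hands out the secret for whatever the header claims; its safety
// then depends entirely on which methods the verifier happens to implement.
func LaxKeyfunc(secret []byte) Keyfunc {
	return func(Header) ([]byte, error) { return secret, nil }
}

// StrictKeyfunc pins the method this service issues tokens with and fails
// closed in the caller's own code, independent of the library version.
func StrictKeyfunc(secret []byte) Keyfunc {
	return func(h Header) ([]byte, error) {
		if h.Alg != "HS256" {
			return nil, fmt.Errorf("%w: %q", ErrUnexpectedAlg, h.Alg)
		}
		return secret, nil
	}
}

func main() {
	secret := []byte("constructed-example-secret") // constructed, not a real key
	tok := SignHS256(map[string]interface{}{"sub": "alice"}, secret)
	for _, t := range []string{tok, WithAlg(tok, "none"), WithAlg(tok, "RS256")} {
		_, lax := Verify(t, LaxKeyfunc(secret))
		_, strict := Verify(t, StrictKeyfunc(secret))
		fmt.Printf("lax: %v | strict: %v\n", lax, strict)
	}
}
```

The point is where the rejection happens. With `StrictKeyfunc` a token claiming `none` or `RS256` is refused in the caller's code before any key is released or any signature is looked at, and that guarantee does not move when the library is upgraded or downgraded. With `LaxKeyfunc` the key has already been handed out by the time the verifier's method table rejects the alg, so the service is safe only as long as the library implements and accepts exactly the methods the service expects. That is why the comment above treats the fix as a review of usage rather than a version bump.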