interlynk-io / sbomex

Find & pull public SBOMs
https://sbombenchmark.dev/

update dependencies to fix vulnerabilities #49

Closed viveksahu26 closed 3 weeks ago

viveksahu26 commented 2 months ago

On scanning the repository, we found that there are lots of vulnerabilities. To fix them, we need to update the versions of the dependencies.

$ trivy repository https://github.com/interlynk-io/sbomex 

2024-07-22T21:46:00+05:30   INFO    Vulnerability scanning is enabled
2024-07-22T21:46:00+05:30   INFO    Secret scanning is enabled
2024-07-22T21:46:00+05:30   INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-22T21:46:00+05:30   INFO    Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
Enumerating objects: 162, done.
Counting objects: 100% (162/162), done.
Compressing objects: 100% (116/116), done.
Total 162 (delta 73), reused 89 (delta 23), pack-reused 0
2024-07-22T21:46:02+05:30   INFO    Number of language-specific files   num=1
2024-07-22T21:46:02+05:30   INFO    [gomod] Detecting vulnerabilities...

go.mod (gomod)

Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)

┌─────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│           Library           │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├─────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cloudflare/circl │ GHSA-9763-4f94-gfch │ HIGH     │ fixed  │ 1.1.0             │ 1.3.7         │ CIRCL's Kyber: timing side-channel (kyberslash2)             │
│                             │                     │          │        │                   │               │ https://github.com/advisories/GHSA-9763-4f94-gfch            │
│                             ├─────────────────────┼──────────┤        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                             │ CVE-2023-1732       │ MEDIUM   │        │                   │ 1.3.3         │ Improper random reading in CIRCL                             │
│                             │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-1732                    │
├─────────────────────────────┼─────────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto         │ CVE-2023-48795      │          │        │ 0.7.0             │ 0.17.0        │ ssh: Prefix truncation attack on Binary Packet Protocol      │
│                             │                     │          │        │                   │               │ (BPP)                                                        │
│                             │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-48795                   │
├─────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┤               ├──────────────────────────────────────────────────────────────┤
│ golang.org/x/net            │ CVE-2023-39325      │ HIGH     │        │ 0.9.0             │               │ golang: net/http, x/net/http2: rapid stream resets can cause │
│                             │                     │          │        │                   │               │ excessive work (CVE-2023-44487)                              │
│                             │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│                             ├─────────────────────┼──────────┤        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                             │ CVE-2023-3978       │ MEDIUM   │        │                   │ 0.13.0        │ golang.org/x/net/html: Cross site scripting                  │
│                             │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3978                    │
│                             ├─────────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                             │ CVE-2023-44487      │          │        │                   │ 0.17.0        │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable   │
│                             │                     │          │        │                   │               │ to a DDoS attack...                                          │
│                             │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
│                             ├─────────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                             │ CVE-2023-45288      │          │        │                   │ 0.23.0        │ golang: net/http, x/net/http2: unlimited number of           │
│                             │                     │          │        │                   │               │ CONTINUATION frames causes DoS                               │
│                             │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
├─────────────────────────────┼─────────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/protobuf  │ CVE-2024-24786      │          │        │ 1.28.0            │ 1.33.0        │ golang-protobuf: encoding/protojson, internal/encoding/json: │
│                             │                     │          │        │                   │               │ infinite loop in protojson.Unmarshal when unmarshaling       │
│                             │                     │          │        │                   │               │ certain forms of...                                          │
│                             │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-24786                   │
└─────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
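The fix described above is to bump go.mod to the fixed versions, but when one module carries several findings the bump has to satisfy all of them at once: golang.org/x/net in the table needs 0.23.0, not 0.13.0 or 0.17.0, and github.com/cloudflare/circl needs 1.3.7, not 1.3.3. The Go program below is an added example, not code from sbomex or from Trivy: it reads Trivy's JSON report (the `Results[].Vulnerabilities[]` records with `VulnerabilityID`, `PkgName`, `InstalledVersion` and `FixedVersion`, which are Trivy's real keys) and computes the single target version per module, emitting the `go get` lines. It also handles the two edge cases a scripted bump gets wrong: Trivy listing more than one fixed version for a CVE, and findings with no fix or a pseudo-version that should go to a human rather than be compared numerically. The embedded JSON is constructed from the table above plus one hypothetical unfixed finding (`example.com/hypothetical/mod`, `HYPOTHETICAL-0001`); the version parser is a deliberately small one written for this example, not golang.org/x/mod.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// finding is the subset of a Trivy JSON vulnerability record the planner reads; the
// field names are Trivy's own keys, so encoding/json maps them without struct tags.
type finding struct{ VulnerabilityID, PkgName, InstalledVersion, FixedVersion string }
type trivyReport struct{ Results []struct{ Vulnerabilities []finding } }

// parseSemver accepts an optional "v" prefix and MAJOR.MINOR.PATCH. Pre-release, pseudo-
// and "+incompatible" versions are rejected on purpose so they land in manual review.
func parseSemver(s string) (v [3]int, ok bool) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(s), "v"), ".")
	if len(parts) > 3 {
		return v, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, false
		}
		v[i] = n
	}
	return v, true
}

// less reports whether version a precedes version b.
func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// planUpgrades turns a Trivy JSON report into one sorted `go get module@version` per module.
// When Trivy lists several fixes for a CVE ("1.2.9, 1.3.1") the highest is taken, and across
// CVEs the highest requirement wins (x/net above needs 0.23.0, not 0.13.0 or 0.17.0).
func planUpgrades(reportJSON []byte) (cmds, manual []string, err error) {
	var r trivyReport
	if err = json.Unmarshal(reportJSON, &r); err != nil {
		return nil, nil, err
	}
	plan, best := map[string]string{}, map[string][3]int{}
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			installed, okInst := parseSemver(v.InstalledVersion)
			fix, fixV := "", [3]int{}
			for _, cand := range strings.Split(v.FixedVersion, ",") {
				if cv, ok := parseSemver(cand); ok && (fix == "" || less(fixV, cv)) {
					fix, fixV = strings.TrimSpace(cand), cv
				}
			}
			if !okInst || fix == "" || !less(installed, fixV) { // no usable fix: hand it to a human
				manual = append(manual, fmt.Sprintf("%s %s (installed %q, fixed %q)", v.PkgName, v.VulnerabilityID, v.InstalledVersion, v.FixedVersion))
				continue
			}
			if cur, seen := best[v.PkgName]; seen && !less(cur, fixV) {
				continue // an earlier finding on this module already demands a newer version
			}
			best[v.PkgName], plan[v.PkgName] = fixV, "v"+strings.TrimPrefix(fix, "v") // go get wants the v prefix
		}
	}
	for mod, ver := range plan {
		cmds = append(cmds, fmt.Sprintf("go get %s@%s", mod, ver))
	}
	sort.Strings(cmds) // stable output for diffs and tests
	return cmds, manual, nil
}

// sampleReport is constructed input in Trivy's JSON shape: the eight go.mod findings from
// the scan above plus one hypothetical unfixed finding that exercises the manual path.
const sampleReport = `{"Results": [{"Target": "go.mod", "Vulnerabilities": [
  {"VulnerabilityID": "GHSA-9763-4f94-gfch", "PkgName": "github.com/cloudflare/circl", "InstalledVersion": "1.1.0", "FixedVersion": "1.3.7"},
  {"VulnerabilityID": "CVE-2023-1732", "PkgName": "github.com/cloudflare/circl", "InstalledVersion": "1.1.0", "FixedVersion": "1.3.3"},
  {"VulnerabilityID": "CVE-2023-48795", "PkgName": "golang.org/x/crypto", "InstalledVersion": "0.7.0", "FixedVersion": "0.17.0"},
  {"VulnerabilityID": "CVE-2023-39325", "PkgName": "golang.org/x/net", "InstalledVersion": "0.9.0", "FixedVersion": "0.17.0"},
  {"VulnerabilityID": "CVE-2023-3978", "PkgName": "golang.org/x/net", "InstalledVersion": "0.9.0", "FixedVersion": "0.13.0"},
  {"VulnerabilityID": "CVE-2023-44487", "PkgName": "golang.org/x/net", "InstalledVersion": "0.9.0", "FixedVersion": "0.17.0"},
  {"VulnerabilityID": "CVE-2023-45288", "PkgName": "golang.org/x/net", "InstalledVersion": "0.9.0", "FixedVersion": "0.23.0"},
  {"VulnerabilityID": "CVE-2024-24786", "PkgName": "google.golang.org/protobuf", "InstalledVersion": "1.28.0", "FixedVersion": "1.33.0"},
  {"VulnerabilityID": "HYPOTHETICAL-0001", "PkgName": "example.com/hypothetical/mod", "InstalledVersion": "0.0.0-20240101000000-abcdef123456", "FixedVersion": ""}
]}]}`

func main() {
	cmds, manual, err := planUpgrades([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(cmds, "\n"))
	fmt.Println("manual review:", manual)
}
```

Against a real scan, feed it `trivy repository --format json <url>` output instead of the embedded sample, run the printed `go get` lines followed by `go mod tidy`, then rescan the checkout (`trivy fs .`) to confirm the table is empty. Two caveats worth keeping in mind: the program only upgrades what the scanner reports, so it should be rerun rather than trusted once, and several of these advisories (CVE-2023-39325, CVE-2023-44487, CVE-2023-45288) also cover the standard library's net/http, which is fixed by the Go toolchain that builds the release, not by bumping golang.org/x/net.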