Closed viveksahu26 closed 3 weeks ago
On scanning the repository, we found that there are lots of vulnerabilities. To fix them, we need to update the versions of the dependencies.
```
$ trivy repository https://github.com/interlynk-io/sbomex
2024-07-22T21:46:00+05:30 INFO Vulnerability scanning is enabled
2024-07-22T21:46:00+05:30 INFO Secret scanning is enabled
2024-07-22T21:46:00+05:30 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-22T21:46:00+05:30 INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
Enumerating objects: 162, done.
Counting objects: 100% (162/162), done.
Compressing objects: 100% (116/116), done.
Total 162 (delta 73), reused 89 (delta 23), pack-reused 0
2024-07-22T21:46:02+05:30 INFO Number of language-specific files num=1
2024-07-22T21:46:02+05:30 INFO [gomod] Detecting vulnerabilities...

go.mod (gomod)

Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
```

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| github.com/cloudflare/circl | GHSA-9763-4f94-gfch | HIGH | fixed | 1.1.0 | 1.3.7 | CIRCL's Kyber: timing side-channel (kyberslash2) (https://github.com/advisories/GHSA-9763-4f94-gfch) |
| github.com/cloudflare/circl | CVE-2023-1732 | MEDIUM | fixed | 1.1.0 | 1.3.3 | Improper random reading in CIRCL (https://avd.aquasec.com/nvd/cve-2023-1732) |
| golang.org/x/crypto | CVE-2023-48795 | MEDIUM | fixed | 0.7.0 | 0.17.0 | ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (https://avd.aquasec.com/nvd/cve-2023-48795) |
| golang.org/x/net | CVE-2023-39325 | HIGH | fixed | 0.9.0 | 0.17.0 | golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (https://avd.aquasec.com/nvd/cve-2023-39325) |
| golang.org/x/net | CVE-2023-3978 | MEDIUM | fixed | 0.9.0 | 0.13.0 | golang.org/x/net/html: Cross site scripting (https://avd.aquasec.com/nvd/cve-2023-3978) |
| golang.org/x/net | CVE-2023-44487 | MEDIUM | fixed | 0.9.0 | 0.17.0 | HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack... (https://avd.aquasec.com/nvd/cve-2023-44487) |
| golang.org/x/net | CVE-2023-45288 | MEDIUM | fixed | 0.9.0 | 0.23.0 | golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (https://avd.aquasec.com/nvd/cve-2023-45288) |
| google.golang.org/protobuf | CVE-2024-24786 | MEDIUM | fixed | 1.28.0 | 1.33.0 | golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of... (https://avd.aquasec.com/nvd/cve-2024-24786) |
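The remediation the issue asks for is a version bump of four modules to at least the highest "Fixed Version" trivy lists for each (circl 1.3.7, x/crypto 0.17.0, x/net 0.23.0, protobuf 1.33.0). The script below is an added example, not code from the issue or from the sbomex project: it reads a `go.mod`, compares each of those modules against the minimum fixed version, and prints the `go get` commands that bring the module up to date. The function names (`version_lt`, `installed_version`, `outdated_modules`, `go_get_commands`) and the sample `go.mod` in the usage note are assumptions made for illustration; the minimum versions are the ones from the trivy table above.

```shell
#!/bin/sh
# Added example: list the go.mod requirements that sit below the fixed
# versions reported by trivy and emit the matching `go get` commands.
set -eu

# Highest "Fixed Version" per module from the trivy table above
# (trivy prints them without the leading "v" that Go module versions need).
MIN_VERSIONS='github.com/cloudflare/circl 1.3.7
golang.org/x/crypto 0.17.0
golang.org/x/net 0.23.0
google.golang.org/protobuf 1.33.0'

# version_lt A B: succeed when A < B as major.minor.patch (leading "v" optional).
# Pure awk so it does not depend on GNU `sort -V`.
version_lt() {
    awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# installed_version GOMOD MODULE: print the version go.mod requires for MODULE.
# Handles both the "require (" block form and the single-line "require mod vX" form;
# prints nothing if the module is not required at all.
installed_version() {
    awk -v mod="$2" '
        $1 == mod && $2 ~ /^v/               { print $2; exit }
        $1 == "require" && $2 == mod && $3 ~ /^v/ { print $3; exit }
    ' "$1"
}

# outdated_modules GOMOD: one "module current fixed" line per module below its fix.
outdated_modules() {
    gomod="$1"
    printf '%s\n' "$MIN_VERSIONS" | while read -r mod fixed; do
        cur=$(installed_version "$gomod" "$mod")
        [ -n "$cur" ] || continue           # module not used by this project
        if version_lt "$cur" "$fixed"; then
            printf '%s %s %s\n' "$mod" "$cur" "$fixed"
        fi
    done
}

# go_get_commands GOMOD: the exact commands to run; "v" is added because
# Go module versions are always v-prefixed while trivy's table omits it.
go_get_commands() {
    outdated_modules "$1" | while read -r mod cur fixed; do
        printf 'go get %s@v%s\n' "$mod" "$fixed"
    done
}

# Stand-alone use: sh check-gomod.sh path/to/go.mod
if [ -n "${1:-}" ]; then
    go_get_commands "$1"
fi
```

Run it against the repository's `go.mod`, execute the printed `go get` lines, then `go mod tidy` (bumping `golang.org/x/net` usually drags related `golang.org/x/*` modules along, which tidy resolves), and re-run `trivy repository` (or `trivy fs .` on the checkout) to confirm the eight findings are gone. Note that the script only checks the direct `require` entries in `go.mod`; trivy also flags indirect dependencies, so a clean re-scan, not this script, is the real exit criterion.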