jfrog / jfrog-cli

JFrog CLI is a client that provides a simple interface that automates access to the JFrog products.
https://www.jfrog.com/confluence/display/CLI/JFrog+CLI
Apache License 2.0

Current CLI failing Trivy Scans due to cloudf vulnerability #2434

Closed dutchhaag closed 7 months ago

dutchhaag commented 8 months ago

Describe the bug

Hello,

I am attempting to use JFrog CLI within a secure environment. I am installing the latest version via the install shell script into a Docker container, and my Trivy scanner is failing due to a vulnerability in the cloudflare circl package. See the table below; I will push a PR to fix this issue.

| Vulnerable Package | CVE | Installed Version | Fixed Version |
|---|---|---|---|
| github.com/cloudflare/circl | GHSA-9763-4f94-gfch | v1.3.3 | v1.3.7 |

Current behavior

I can see in the go.mod that the vulnerable package is being used.

Reproduction steps

No response

Expected behavior

No response

JFrog CLI version

2.52.9

Operating system type and version

Linux AMD64

JFrog Artifactory version

No response

JFrog Xray version

No response
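The check the report describes (does go.mod pin circl below the fixed release?) as an added Go example; it is not part of this issue or of the jfrog-cli code base. The sample go.mod is constructed, and the version comparison is a deliberately minimal semver compare for plain vX.Y.Z tags, not the full Go module version rules.

```go
package main

import (
	"strconv"
	"strings"
)
// Advisory from the issue (GHSA-9763-4f94-gfch): circl v1.3.3 is vulnerable, v1.3.7 is fixed.
const (
	vulnModule   = "github.com/cloudflare/circl"
	fixedVersion = "v1.3.7"
	// Constructed sample go.mod (not the project's real file) pinning the vulnerable release.
	sampleGoMod = `module example.com/app
require github.com/cloudflare/circl v1.3.3 // indirect
require github.com/spf13/cobra v1.8.0`
)

// RequiredVersion returns the version go.mod pins for module ("" if absent); it accepts
// both single-line "require m v" entries and lines inside a parenthesised require block.
func RequiredVersion(goMod, module string) string {
	for _, line := range strings.Split(goMod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == "require" {
			f = f[1:]
		}
		if len(f) == 2 && f[0] == module {
			return f[1]
		}
	}
	return ""
}
// semverLess reports a < b for vMAJOR.MINOR.PATCH tags; non-numeric parts count as 0.
func semverLess(a, b string) bool {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < len(pa) && i < len(pb); i++ {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			return x < y
		}
	}
	return len(pa) < len(pb)
}

// IsVulnerable is true when go.mod pins vulnModule at a version below fixedVersion.
func IsVulnerable(goMod string) bool {
	v := RequiredVersion(goMod, vulnModule)
	return v != "" && semverLess(v, fixedVersion)
}
```

Pointing it at a real go.mod (reading the file instead of sampleGoMod) gives the same yes/no answer Trivy reports for this advisory, without needing the scanner in the build container.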

dutchhaag commented 8 months ago

Created MR https://github.com/jfrog/jfrog-cli/pull/2437 for this.