migtools / mig-controller

OpenShift Migration Controller
Apache License 2.0

The vulnerability CVE-2021-3948 has been fixed, but no specific tag denotes the patched version. #1347

Open Silence-worker-02 opened 1 year ago

Silence-worker-02 commented 1 year ago

Hello, we are a team researching the dependency management mechanism of Golang. During our analysis, we came across your project and noticed that you have fixed a vulnerability (snyk references, CVE: CVE-2021-3948, CWE: CWE-200, fix commit id: 8ed2a4f5bf28f6c2733b1e713a6cb893c2c17e16). However, we observed that you have not tagged the fixing commit or its subsequent commits. As a result, users are unable to obtain the patch version through the Go tool `go list`.

We kindly request your assistance in addressing this issue. Tagging the fixing commit or its subsequent commits will greatly benefit users who rely on your project and are seeking the patched version to address the vulnerability.

We greatly appreciate your attention to this matter and collaboration in resolving it. Thank you for your time and for your valuable contributions to our research.
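For consumers auditing their own pins while no tag exists, here is an added example (not part of the original issue or the project's code). Go records a requirement on an untagged commit as a pseudo-version that ends in the first 12 hex digits of the commit hash, so a `go.mod` can be checked against the fix commit id quoted in the issue. The module path is assumed from the repository name, and the sample `go.mod` and its timestamp are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Fix commit id quoted in the issue; pseudo-versions carry its first 12 hex digits.
const fixCommit = "8ed2a4f5bf28f6c2733b1e713a6cb893c2c17e16"
// Pseudo-version shapes: vX.0.0-TS-REV, vX.Y.Z-pre.0.TS-REV, vX.Y.(Z+1)-0.TS-REV.
var pseudoRe = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:.+\.0\.|0\.)?\d{14}-([0-9a-f]{12})$`)

// pseudoRev returns the 12-character revision prefix of a pseudo-version.
func pseudoRev(version string) (string, bool) {
	m := pseudoRe.FindStringSubmatch(strings.TrimSuffix(version, "+incompatible"))
	if m == nil {
		return "", false
	}
	return m[1], true
}

// auditGoMod reports how go.mod text requires modPath relative to commit.
func auditGoMod(gomod, modPath, commit string) string {
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop trailing comments such as "// indirect"
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" {
			f = f[1:]
		}
		if len(f) < 2 || f[0] != modPath {
			continue
		}
		rev, ok := pseudoRev(f[1])
		switch {
		case !ok:
			return "tagged version " + f[1] + ": cannot be matched to the fix commit by name"
		case strings.HasPrefix(commit, rev):
			return "pinned to the fix commit"
		default:
			return "pinned to commit " + rev + ": check whether it contains the fix"
		}
	}
	return "module not required"
}
func main() {
	// Constructed go.mod: module path assumed from the repository name, timestamp made up.
	gomod := "module example.com/app\n\nrequire (\n\tgithub.com/migtools/mig-controller v0.0.0-20211101000000-8ed2a4f5bf28 // indirect\n)\n"
	fmt.Println(auditGoMod(gomod, "github.com/migtools/mig-controller", fixCommit))
}
```

A pin to a different commit is only reported, not judged: deciding whether that commit contains the fix needs the repository history.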