Open candrews opened 1 month ago
Acknowledged.
It is our estimate that these are not exploitable either. Upgrading to Go is something we have planned, but I believe we hit some issues so we're still sorting through that.
I ran docker run -it aquasec/trivy:0.51.1 image gcr.io/paketo-buildpacks/bellsoft-liberica
again and confirmed that this issue has been (mostly) resolved.
go 1.22.3 is now being used, which addresses many findings. But, there are still some findings that would be addressed by using go 1.22.4.
$ docker run -it aquasec/trivy:0.51.1 image gcr.io/paketo-buildpacks/bellsoft-liberica:latest
2024-06-17T13:38:41Z INFO Need to update DB
2024-06-17T13:38:41Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
48.11 MiB / 48.11 MiB [--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8.75 MiB p/s 5.7s
2024-06-17T13:38:47Z INFO Vulnerability scanning is enabled
2024-06-17T13:38:47Z INFO Secret scanning is enabled
2024-06-17T13:38:47Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-17T13:38:47Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-06-17T13:38:48Z INFO Number of language-specific files num=2
2024-06-17T13:38:48Z INFO [gobinary] Detecting vulnerabilities...
cnb/buildpacks/paketo-buildpacks_bellsoft-liberica/10.8.0/bin/helper (gobinary)
Total: 2 (UNKNOWN: 2, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2024-24789 │ UNKNOWN │ fixed │ 1.22.3 │ 1.21.11, 1.22.4 │ The archive/zip package's handling of certain types of │
│ │ │ │ │ │ │ invalid zip fil ...... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24789 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2024-24790 │ │ │ │ │ The various Is methods (IsPrivate, IsLoopback, etc) did not │
│ │ │ │ │ │ │ work as ex... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24790 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴─────────────────────────────────────────────────────────────┘
cnb/buildpacks/paketo-buildpacks_bellsoft-liberica/10.8.0/bin/main (gobinary)
Total: 2 (UNKNOWN: 2, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2024-24789 │ UNKNOWN │ fixed │ 1.22.3 │ 1.21.11, 1.22.4 │ The archive/zip package's handling of certain types of │
│ │ │ │ │ │ │ invalid zip fil ...... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24789 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2024-24790 │ │ │ │ │ The various Is methods (IsPrivate, IsLoopback, etc) did not │
│ │ │ │ │ │ │ work as ex... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24790 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴─────────────────────────────────────────────────────────────┘
Expected Behavior
This project currently uses go 1.20 which is EOL and unsupported, see https://go.dev/doc/devel/release. It also has security vulnerabilities which scanners such as Trivy report.
Therefore, I believe that this project should upgrade go to 1.21 or better yet 1.22.
Current Behavior
Trivy reports some vulnerabilities, all of which can be addressed by using the latest version of go.
Possible Solution
I suggest that the version of go be updated to the latest version (currently 1.22.3).
Steps to Reproduce
docker run -it aquasec/trivy:0.51.1 image gcr.io/paketo-buildpacks/bellsoft-liberica
Motivations
I don't think these vulnerabilities are exploitable, but they're still present which isn't great. And their presence causes a lot of trouble for those who use automated security scanning systems as such users must suppress these findings.
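For readers who want to reproduce the scanner's reasoning without pulling the Trivy image, the following is an added example (not part of this issue, the Paketo buildpack, or Trivy's own code). It reads the Go toolchain version embedded in a binary's build info, the same data Trivy's gobinary analyzer uses, and compares it against the fixed versions from the two stdlib advisories in the table above (CVE-2024-24789 and CVE-2024-24790, fixed in 1.21.11 and 1.22.4). The "same release line" comparison rule (a binary is affected if it is below the fix on its own minor line, or older than every line that received a backport, such as EOL 1.20.x) is an assumption about how the scanner matches; the advisory list is copied from the output above, not fetched from a database.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goVersion is a parsed Go toolchain version such as "go1.22.3".
type goVersion struct{ major, minor, patch int }

// parseGoVersion accepts "go1.22.3", "1.22.3" or "go1.22" (patch 0).
// Pre-release toolchains such as "go1.23rc1" are rejected rather than guessed at.
func parseGoVersion(s string) (goVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
		}
		nums[i] = n
	}
	return goVersion{nums[0], nums[1], nums[2]}, nil
}

// less reports whether a is an older toolchain than b.
func (a goVersion) less(b goVersion) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// sameLine reports whether a and b are on the same minor release line (1.22.x).
func (a goVersion) sameLine(b goVersion) bool {
	return a.major == b.major && a.minor == b.minor
}

// advisory is one stdlib finding as the scanner reports it: the ID and the
// versions that carry the fix, one per supported release line.
type advisory struct {
	id    string
	fixed []string
}

// affected reports whether a binary built with toolchain v lacks the fix for adv
// (assumed matching rule): on a line that received a backport, v must be at or
// above it; older than every fixed line (for example EOL 1.20.x) is affected;
// newer than every fixed line is not.
func affected(v goVersion, adv advisory) (bool, error) {
	var lowest *goVersion
	for _, f := range adv.fixed {
		fv, err := parseGoVersion(f)
		if err != nil {
			return false, err
		}
		if fv.sameLine(v) {
			return v.less(fv), nil
		}
		if lowest == nil || fv.less(*lowest) {
			lowest = &fv
		}
	}
	if lowest == nil {
		return false, fmt.Errorf("advisory %s lists no fixed version", adv.id)
	}
	return v.less(*lowest), nil
}

// findAffected returns the IDs of the advisories that apply to a binary whose
// build info reports the given toolchain version string.
func findAffected(installed string, advs []advisory) ([]string, error) {
	v, err := parseGoVersion(installed)
	if err != nil {
		return nil, err
	}
	var ids []string
	for _, adv := range advs {
		hit, err := affected(v, adv)
		if err != nil {
			return nil, err
		}
		if hit {
			ids = append(ids, adv.id)
		}
	}
	return ids, nil
}

// sampleAdvisories is a constructed list copied from the two Trivy findings above.
var sampleAdvisories = []advisory{
	{id: "CVE-2024-24789", fixed: []string{"1.21.11", "1.22.4"}},
	{id: "CVE-2024-24790", fixed: []string{"1.21.11", "1.22.4"}},
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gostdlibcheck <go-binary>")
		os.Exit(2)
	}
	// debug/buildinfo reads the same embedded toolchain version a scanner uses.
	info, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "not a Go binary or no build info:", err)
		os.Exit(2)
	}
	ids, err := findAffected(info.GoVersion, sampleAdvisories)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("%s: built with %s\n", os.Args[1], info.GoVersion)
	for _, id := range ids {
		fmt.Println("  affected:", id)
	}
	if len(ids) > 0 {
		os.Exit(1)
	}
}
```

Run it as `go run . /path/to/extracted/bin/helper` (for example after `docker cp` of the buildpack's `bin/helper` out of the image) and it exits 1 while the binary reports `go1.22.3`, and 0 once it is rebuilt with 1.22.4 or 1.21.11. Because the check reads build info rather than scanning code, it only tells you the toolchain is below the fix, not that the vulnerable package is reachable, which is the same limitation the Trivy findings above have.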