Closed jawnsy closed 1 year ago
@jawnsy Thanks for the report - weird that this wasn't flagged by Dependabot, which generally works fine for Go modules.
I've opened a PR to fix this: #429
Also, for future reference, see the steps here on how to vendor in this repo: https://github.com/pganalyze/collector/blob/main/CONTRIBUTING.md#setup-for-updating-dependencies
Oh, and on the AWS Go SDK report, that particular CVE would not apply to the collector (the S3 portions of the SDK are not in use).
Thanks for the quick triage/fix, and for the link to the contributing doc!
Sysdig Secure reports the collector as being affected by CVE-2021-3538 due to an old version of `github.com/satori/go.uuid`:

Trivy does not report this finding when using `trivy fs .` from the root of the collector repo, though it does report a medium-severity issue related to the AWS Go SDK:

I tried to update it, but running the following:

Results in a very large diff (I don't work with Go projects using vendoring, so I don't know if this is expected behavior or not):

I also cannot run tests, presumably because I'm on a Mac or because I'm missing some system dependencies: