search

project-copacetic / copacetic

🧵 CLI tool for directly patching container images!
https://project-copacetic.github.io/copacetic/
Apache License 2.0
960 stars 63 forks source link

Report the use of components with vulnerabilities in copacetic #610

Closed HouqiyuA closed 5 months ago

HouqiyuA commented 5 months ago

What kind of request is this?

Other

What is your request or suggestion?

Dear Team Members: Greetings! Our team is very interested in your project. we performed source code perspective security analysis (SCA) and vulnerability library association analysis on this project and found that components with vulnerabilities are still being used into this project.We would like to report this issue to you,so that you can fix and improve it accordingly. I add the details in json file below. Please confirm whether this problem really exists and confirm with us. Looking forward to hearing from you and discussing more details with us, thank you very much for your time and attention.

Note: Each "affect_components" field in the report represents the vulnerable component introduced by this project. The other is the vulnerability information associated with it.

Qiyu Hou

copacetic-main_report.json

Are you willing to submit PRs to contribute to this feature request?

sozercan commented 5 months ago

@HouqiyuA this is already addressed in the main branch https://github.com/project-copacetic/copacetic/blob/main/go.mod#L175

this will be addressed in the next version which is scheduled for mid May https://github.com/project-copacetic/copacetic/milestone/5

this is also not a vulnerability that actually affects copa since it doesn't use kubernetes, this is only a transitive dependency. copa does not call that code path. you can verify this by using govulncheck directly