redhat-cop / group-sync-operator

Synchronizes groups from external providers into OpenShift
Apache License 2.0

Check for image vulns affectation #306

Open victorrodriguez1984 opened 5 months ago

victorrodriguez1984 commented 5 months ago

After the Trivy scan we still see this active vuln... does it affect the component? Version 0.0.27

quay.io/redhat-cop/group-sync-operator:v0.0.27

Trivy output

manager (gobinary)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 1)

│ github.com/emicklei/go-restful │ CVE-2022-1996  │ CRITICAL │ fixed  │ v2.9.5+incompatible                │ 2.16.0        │ go-restful: Authorization Bypass Through User-Controlled Key │
│                                │                │          │        │                                    │               │ https://avd.aquasec.com/nvd/cve-2022-1996                    │
sabre1041 commented 3 months ago

@victorrodriguez1984 v0.0.28 does not include this vulnerability

victorrodriguez1984 commented 2 months ago

Hello again, could you please review whether it affects the component or is only image cosmetic? @sabre1041

trivy  --severity CRITICAL i quay.io/redhat-cop/group-sync-operator:v0.0.28 -q

quay.io/redhat-cop/group-sync-operator:v0.0.28 (redhat 8.9)

Total: 0 (CRITICAL: 0)

manager (gobinary)

Total: 1 (CRITICAL: 1)

┌────────────────────────────────┬───────────────┬──────────┬────────┬─────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │ Status │  Installed Version  │ Fixed Version │                            Title                             │
├────────────────────────────────┼───────────────┼──────────┼────────┼─────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/emicklei/go-restful │ CVE-2022-1996 │ CRITICAL │ fixed  │ v2.9.5+incompatible │ 2.16.0        │ go-restful: Authorization Bypass Through User-Controlled Key │
│                                │               │          │        │                     │               │ https://avd.aquasec.com/nvd/cve-2022-1996                    │
└────────────────────────────────┴───────────────┴──────────┴────────┴─────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
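The question in this thread is whether a `gobinary` finding like the one above is a real exposure or a scanner artifact. As an added triage example (not part of the issue and not code from the group-sync-operator project), the Go program below reads Trivy's JSON output (`trivy image -f json`), keeps only the Go-binary targets, and checks that the embedded module version really is older than the fixed version Trivy quotes; the `+incompatible` build suffix and the missing `v` prefix on the fixed version would make a naive string comparison wrong. The report field names used (`Results`, `Target`, `Type`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) are the Trivy JSON field names as I know them, and the embedded sample report is constructed to mirror the v0.0.28 table in the thread rather than being real scanner output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Subset of Trivy's JSON report (trivy image -f json). Field names are those of
// Trivy's report format as known to the author of this example (an assumption).
type Report struct {
	Results []struct {
		Target          string `json:"Target"`
		Type            string `json:"Type"`
		Vulnerabilities []struct {
			VulnerabilityID  string `json:"VulnerabilityID"`
			PkgName          string `json:"PkgName"`
			InstalledVersion string `json:"InstalledVersion"`
			FixedVersion     string `json:"FixedVersion"`
			Severity         string `json:"Severity"`
		} `json:"Vulnerabilities"`
	} `json:"Results"`
}

// Finding is one Go-binary vulnerability plus the verdict: BelowFix is true
// when the embedded module version is older than the quoted fixed version.
type Finding struct {
	Target, Package, ID, Severity, Installed, Fixed string
	BelowFix                                        bool
}

// Constructed sample mirroring the v0.0.28 scan in the thread; not real Trivy output.
const sampleReport = `{"Results": [
 {"Target": "quay.io/redhat-cop/group-sync-operator:v0.0.28 (redhat 8.9)", "Type": "redhat", "Vulnerabilities": []},
 {"Target": "manager", "Type": "gobinary", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-2022-1996", "PkgName": "github.com/emicklei/go-restful",
   "InstalledVersion": "v2.9.5+incompatible", "FixedVersion": "2.16.0", "Severity": "CRITICAL"}]}]}`

// parseVersion normalises a Go module version ("v2.9.5+incompatible", "2.16.0",
// "v1.0.0-rc1") to numeric MAJOR.MINOR.PATCH plus a pre-release flag. The
// "+incompatible" build metadata carries no ordering information and is dropped.
func parseVersion(v string) (parts [3]int, pre bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		v, pre = v[:i], true
	}
	fields := strings.Split(v, ".")
	if len(fields) > 3 {
		return parts, pre, fmt.Errorf("unparseable version %q", v)
	}
	for i, f := range fields {
		n, convErr := strconv.Atoi(f)
		if convErr != nil {
			return parts, pre, fmt.Errorf("unparseable version %q", v)
		}
		parts[i] = n
	}
	return parts, pre, nil
}

// compareVersions returns -1, 0 or 1 as a is older than, equal to or newer than b.
func compareVersions(a, b string) (int, error) {
	pa, preA, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	pb, preB, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	for i := range pa {
		if pa[i] < pb[i] {
			return -1, nil
		} else if pa[i] > pb[i] {
			return 1, nil
		}
	}
	if preA != preB { // same core version: the pre-release sorts below the release
		if preA {
			return -1, nil
		}
		return 1, nil
	}
	return 0, nil
}

// isBelowFix reports whether installed is older than the fix. Trivy may list
// several fixed versions ("1.2.3, 2.0.1") when a fix landed on several release
// branches, so fixed versions on the installed major are preferred when present.
func isBelowFix(installed, fixedList string) (bool, error) {
	inst, _, err := parseVersion(installed)
	if err != nil {
		return false, err
	}
	var all, sameMajor []string
	for _, f := range strings.Split(fixedList, ",") {
		if f = strings.TrimSpace(f); f == "" {
			continue
		}
		fp, _, perr := parseVersion(f)
		if perr != nil {
			return false, perr
		}
		all = append(all, f)
		if fp[0] == inst[0] {
			sameMajor = append(sameMajor, f)
		}
	}
	if len(sameMajor) > 0 {
		all = sameMajor
	}
	if len(all) == 0 {
		return false, fmt.Errorf("no fixed version listed")
	}
	for _, f := range all {
		if c, _ := compareVersions(installed, f); c >= 0 {
			return false, nil // at or above a fix on this branch
		}
	}
	return true, nil
}

// triageGoBinaries keeps only findings from Go binary targets (the "manager"
// binary in the thread) and attaches the version verdict to each one.
func triageGoBinaries(raw []byte) ([]Finding, error) {
	var rep Report
	if err := json.Unmarshal(raw, &rep); err != nil {
		return nil, fmt.Errorf("decoding report: %w", err)
	}
	var out []Finding
	for _, r := range rep.Results {
		if r.Type != "gobinary" {
			continue // OS package findings are a separate remediation path (base image rebuild)
		}
		for _, v := range r.Vulnerabilities {
			f := Finding{Target: r.Target, Package: v.PkgName, ID: v.VulnerabilityID,
				Severity: v.Severity, Installed: v.InstalledVersion, Fixed: v.FixedVersion}
			if v.FixedVersion != "" {
				below, err := isBelowFix(v.InstalledVersion, v.FixedVersion)
				if err != nil {
					return nil, fmt.Errorf("%s in %s: %w", v.VulnerabilityID, r.Target, err)
				}
				f.BelowFix = below
			}
			out = append(out, f)
		}
	}
	return out, nil
}

func main() {
	findings, err := triageGoBinaries([]byte(sampleReport))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		verdict := "at or above the fix: check the scanner database before chasing it"
		if f.BelowFix {
			verdict = "below the fix: bump the module in go.mod and rebuild the image"
		}
		fmt.Printf("%s %s %s %s (installed %s, fixed %s): %s\n",
			f.Target, f.Severity, f.ID, f.Package, f.Installed, f.Fixed, verdict)
	}
}
```

For the table in the thread this prints a "below the fix" verdict, which confirms that the `manager` binary really does embed go-restful v2.9.5 rather than the scanner misreading a version string. That settles whether the old module is present, not whether the vulnerable code path is reachable from the operator; reachability needs call-graph analysis such as `govulncheck` run against the binary or source, which is the tool to use before deciding a `gobinary` finding is cosmetic.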
sabre1041 commented 2 months ago

We have been working on upgrading the delivery pipeline. When that goes into place, the dependencies will be updated

Appreciate the patience and understanding

sabre1041 commented 2 months ago

@victorrodriguez1984 just a heads up that I am now working on updating the dependencies that will mitigate the above. You can track it in #316