runatlantis / atlantis

Terraform Pull Request Automation
https://www.runatlantis.io

gcp (and snyk) container scan output #2883

Closed robmonct closed 1 year ago

robmonct commented 1 year ago

Overview of the Issue

According to the GCP vulnerability scan, the latest Atlantis versions are affected by 3 critical, 36 high and 5 medium vulnerabilities.

Additional Context

Critical: CVE-2022-23806 CVE-2021-38297 CVE-2022-26945

High: CVE-2022-38149 CVE-2022-2879 CVE-2021-3121 CVE-2022-30630 CVE-2022-30631 CVE-2021-33194 CVE-2021-37219 CVE-2021-41771 CVE-2021-36213 CVE-2022-24675 CVE-2022-24921 CVE-2022-23772 CVE-2022-41715 CVE-2022-30323 CVE-2021-41772 CVE-2022-30635 CVE-2022-23773 CVE-2022-32190 CVE-2022-2880 CVE-2022-30322 CVE-2021-33196 CVE-2022-28131 CVE-2022-27664 CVE-2022-30632 CVE-2021-33198 CVE-2022-30633 CVE-2021-32574 CVE-2022-30321 CVE-2021-39293 CVE-2021-33195 CVE-2022-29153 CVE-2022-30580 CVE-2021-29923 CVE-2021-44716 CVE-2022-28327 CVE-2022-32189

Medium: CVE-2021-33197 CVE-2022-32148 CVE-2022-41717 CVE-2022-40716 CVE-2018-1099 CVE-2020-29509 CVE-2022-29810 CVE-2021-34558 CVE-2022-1962 CVE-2021-38698 CVE-2022-29162

nitrocode commented 1 year ago

Hi @robmonct. Thanks for the ticket. We upgraded many golang and docker dependencies recently but haven't done an official release. We used to use dependabot to keep up with new versions and have recently switched to renovatebot.

I don't have access to GCP but could you scan the latest dev image?

Related issues

Alpine images https://github.com/orgs/runatlantis/packages/container/atlantis

We recently also added debian support so feel free to scan those.

Please feel free to propose changes to resolve some of these issues.

Could you also go over some of these vulnerabilities? Some may not affect atlantis

For example,

Critical:

- https://github.com/advisories/GHSA-8c83-vp4v-h7fq - resolved by using latest golang. We use go 1.19 in the latest release.
- https://github.com/advisories/GHSA-xv38-944c-p763 - resolved by using latest golang. We use go 1.19 in the latest release.
- https://github.com/advisories/GHSA-x24g-9w7v-vprh - resolved by latest go-getter. We use 2.1.1 in dev image and 1.6.2 in the latest release.

https://github.com/runatlantis/atlantis/blob/de953fe25575ac2acd5709fd0dea26f946e3effc/go.mod#L3

https://github.com/runatlantis/atlantis/blob/de953fe25575ac2acd5709fd0dea26f946e3effc/go.mod#L23

robmonct commented 1 year ago

Hi Thank you for the quick response. I've tried with dev, latest and prerelease and the list is the same. Debian versions have more vulnerabilities. Maybe, some of them may not affect atlantis. I've reported just for your information.

I don't understand why it is showing the vulnerability with a newer version of Go. The information for the critical ones is this:

[three screenshots of the scan details, not included in the extracted page]

Thanks in advance.

nitrocode commented 1 year ago

That is quite bizarre. If you pay for support from gcp, I would contact them about it. Once you do, please follow up here so we know what the potential next steps are to improve the project.

robmonct commented 1 year ago

If I'm not wrong, the problem is that you are building the new versions with this base:

```dockerfile
ARG ATLANTIS_BASE=ghcr.io/runatlantis/atlantis-base
ARG ATLANTIS_BASE_TAG_DATE=2022.12.12
ARG ATLANTIS_BASE_TAG_TYPE=alpine

# Stage 1: build artifact

FROM golang:1.19.4-alpine AS builder

WORKDIR /app
COPY . /app
RUN --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
    CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -v -o atlantis .

# Stage 2
# The runatlantis/atlantis-base is created by docker-base/Dockerfile
FROM ${ATLANTIS_BASE}:${ATLANTIS_BASE_TAG_DATE}-${ATLANTIS_BASE_TAG_TYPE} AS base
```

Then you are using the image ghcr.io/runatlantis/atlantis-base:2022.12.12-alpine as a base, which contains most of the vulnerabilities included in the dev and prerelease versions. Is that possible?

nitrocode commented 1 year ago

You are correct that the atlantis-base image (alpine, debian) is built first and then the atlantis (alpine, debian) uses the respective base image.

However, the critical vulnerabilities (and other vulnerabilities) that you posted, many of them affect neither the latest code base (see dev image) nor the latest released version (see v0.21.0 image). Many of those vulnerabilities are from older golang versions and I do not quite understand why gcp's container scan is flagging them.

I pointed the references to the code where the latest golang version is used.

Have you

robmonct commented 1 year ago

I don't understand either why the scan is showing them then. I didn't scan the atlantis binary itself. The scan is in preview, so maybe they don't give support. I will try it just in case. Not yet.

nitrocode commented 1 year ago

I'm going to close this for now to avoid alarming anyone until there is a CVE that's affecting the current release.

Once you have more information, please respond and if there are action items, we can reopen the issue.

robmonct commented 1 year ago

Scanning the current release with Snyk, this is the output, just in case it is useful:

target ghcr.io/runatlantis/atlantis:dev (2 issues)

```shell
docker scan ghcr.io/runatlantis/atlantis:dev

Testing ghcr.io/runatlantis/atlantis:dev...

✗ Low severity vulnerability found in curl/libcurl
  Description: CVE-2022-43551
  Info: https://security.snyk.io/vuln/SNYK-ALPINE317-CURL-3179543
  Introduced through: curl/libcurl@7.86.0-r1, curl/curl@7.86.0-r1, git/git@2.38.2-r0
  From: curl/libcurl@7.86.0-r1
  From: curl/curl@7.86.0-r1 > curl/libcurl@7.86.0-r1
  From: git/git@2.38.2-r0 > curl/libcurl@7.86.0-r1
  and 1 more...
  Fixed in: 7.87.0-r0

✗ Low severity vulnerability found in curl/libcurl
  Description: CVE-2022-43552
  Info: https://security.snyk.io/vuln/SNYK-ALPINE317-CURL-3179544
  Introduced through: curl/libcurl@7.86.0-r1, curl/curl@7.86.0-r1, git/git@2.38.2-r0
  From: curl/libcurl@7.86.0-r1
  From: curl/curl@7.86.0-r1 > curl/libcurl@7.86.0-r1
  From: git/git@2.38.2-r0 > curl/libcurl@7.86.0-r1
  and 1 more...
  Fixed in: 7.87.0-r0

Organization:      robmonct
Package manager:   apk
Project name:      docker-image|ghcr.io/runatlantis/atlantis
Docker image:      ghcr.io/runatlantis/atlantis:dev
Platform:          linux/arm64
Licenses:          enabled

Tested 44 dependencies for known issues, found 2 issues.

-------------------------------------------------------
```

target /usr/local/bin/atlantis (0 issues)

```
Testing ghcr.io/runatlantis/atlantis:dev...

Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/atlantis
Project name:      github.com/runatlantis/atlantis
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

✔ Tested 206 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------
```

target /usr/local/bin/cft/versions/0.37.0/conftest (0 issues)

```
Testing ghcr.io/runatlantis/atlantis:dev...

Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/cft/versions/0.37.0/conftest
Project name:      go-distribution@command-line-arguments
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

✔ Tested 530 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------
```

target /usr/local/bin/tf/versions/1.0.11/terraform (14 issues)

```
Testing ghcr.io/runatlantis/atlantis:dev...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.6
  From: golang.org/x/text/language@v0.3.6
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/text/internal/language
  Description: Out-of-bounds Read
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTINTERNALLANGUAGE-2400718
  Introduced through: golang.org/x/text/internal/language@v0.3.6
  From: golang.org/x/text/internal/language@v0.3.6
  Fixed in: 0.3.7

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  From: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  Fixed in: 0.4.0

✗ Medium severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-2429769
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  From: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  Fixed in: 0.0.0-20220314234659-1baeb1ce4c0b

✗ Medium severity vulnerability found in github.com/hashicorp/go-getter/helper/url
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTERHELPERURL-2804031
  Introduced through: github.com/hashicorp/go-getter/helper/url@v1.5.2
  From: github.com/hashicorp/go-getter/helper/url@v1.5.2
  Fixed in: 1.5.11

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-2313688
  Introduced through: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  From: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  Fixed in: 0.0.0-20211209124913-491a49abca63

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  From: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1

✗ High severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-3026972
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  From: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  Fixed in: 0.0.0-20211202192323-5770296d904e

✗ High severity vulnerability found in github.com/satori/go.uuid
  Description: Insecure Randomness
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488
  Introduced through: github.com/satori/go.uuid@v1.2.0
  From: github.com/satori/go.uuid@v1.2.0

✗ High severity vulnerability found in github.com/hashicorp/go-slug
  Description: Arbitrary File Write via Archive Extraction (Zip Slip)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOSLUG-1048304
  Introduced through: github.com/hashicorp/go-slug@v0.4.1
  From: github.com/hashicorp/go-slug@v0.4.1
  Fixed in: 0.5.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Command Injection
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2421223
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847924
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847925
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847926
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/tf/versions/1.0.11/terraform
Project name:      github.com/hashicorp/terraform
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

Tested 576 dependencies for known issues, found 14 issues.

-------------------------------------------------------
```

target /usr/local/bin/tf/versions/1.1.9/terraform (12 issues)

```
Testing ghcr.io/runatlantis/atlantis:dev...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  From: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  Fixed in: 0.4.0

✗ Medium severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-2429769
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  From: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  Fixed in: 0.0.0-20220314234659-1baeb1ce4c0b

✗ Medium severity vulnerability found in github.com/hashicorp/go-getter/helper/url
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTERHELPERURL-2804031
  Introduced through: github.com/hashicorp/go-getter/helper/url@v1.5.9
  From: github.com/hashicorp/go-getter/helper/url@v1.5.9
  Fixed in: 1.5.11

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: NULL Pointer Dereference
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.1

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  From: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1

✗ High severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-3026972
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  From: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  Fixed in: 0.0.0-20211202192323-5770296d904e

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Command Injection
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2421223
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847924
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847925
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847926
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/tf/versions/1.1.9/terraform
Project name:      github.com/hashicorp/terraform
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

Tested 623 dependencies for known issues, found 12 issues.

-------------------------------------------------------
```

target /usr/local/bin/tf/versions/1.2.9/terraform (5 issues)

```
Testing ghcr.io/runatlantis/atlantis:dev...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  From: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  Fixed in: 0.4.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: NULL Pointer Dereference
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.1

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  From: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1

Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/tf/versions/1.2.9/terraform
Project name:      github.com/hashicorp/terraform
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

Tested 628 dependencies for known issues, found 5 issues.

-------------------------------------------------------
```

target /usr/local/bin/tf/versions/1.3.6/terraform (2 issues)

```
Testing ghcr.io/runatlantis/atlantis:dev...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20220927171203-f486391704dc
  From: golang.org/x/net/http2@v0.0.0-20220927171203-f486391704dc
  Fixed in: 0.4.0

Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/tf/versions/1.3.6/terraform
Project name:      github.com/hashicorp/terraform
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

Tested 590 dependencies for known issues, found 2 issues.

-------------------------------------------------------
```

target github.com/tianon/gosu (0 issues)

```
Testing ghcr.io/runatlantis/atlantis:dev...

Organization:      robmonct
Package manager:   gomodules
Target file:       /bin/gosu
Project name:      github.com/tianon/gosu
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

✔ Tested 3 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------
```

target /usr/bin/git-lfs (0 issues)

```
Testing ghcr.io/runatlantis/atlantis:dev...

Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/bin/git-lfs
Project name:      github.com/git-lfs/git-lfs/v3
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

✔ Tested ghcr.io/runatlantis/atlantis:dev for known issues, no vulnerable paths found.


Tested 9 projects, 5 contained vulnerable paths.
```
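What makes the Snyk output above actionable is that it reports per embedded Go binary. Every Go binary carries its build information (the toolchain version and the module path and version of each dependency, including `replace` directives), and that metadata is what Snyk and the GCP scanner read, so an image whose own `atlantis` binary is clean is still flagged for the older terraform builds shipped next to it. The following Go program is an added example, not part of this thread or of the Atlantis code base: it walks a directory such as an exported container rootfs, reads that build info with the standard library's `debug/buildinfo` package, and checks the recorded versions against a small hand-written advisory table. The table is assumed and illustrative, copied from a few of the Snyk findings quoted in this issue; a real scanner takes it from a vulnerability database.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"runtime/debug"
	"strconv"
	"strings"
)

// Advisory is one "module is fixed in version" rule. The entries below are
// copied from the Snyk findings in this issue and are illustrative only.
type Advisory struct{ Module, FixedIn, Note string }

var knownAdvisories = []Advisory{
	{"github.com/hashicorp/go-getter", "v1.6.1", "command injection / privilege escalation"},
	{"github.com/hashicorp/go-slug", "v0.5.0", "zip slip"},
	{"golang.org/x/text", "v0.3.8", "improper input validation"},
	{"gopkg.in/yaml.v3", "v3.0.1", "DoS / nil pointer dereference"},
}

// Finding is one vulnerable module version found inside one binary.
type Finding struct{ Binary, Module, Version, FixedIn, Note string }

// parseVersion splits "v1.5.2", "v0.0.0-20210614182718-04defd469f4e" or
// "go1.19.4" into numeric fields plus an optional pre-release suffix.
func parseVersion(v string) (nums [3]int, pre string) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		nums[i], _ = strconv.Atoi(p)
	}
	return nums, pre
}

// CompareVersions orders two versions like semver: numeric fields first; a
// pre-release (which is how Go pseudo-version timestamps appear) sorts before
// the release it precedes, and two pre-releases compare lexically.
func CompareVersions(a, b string) int {
	an, ap := parseVersion(a)
	bn, bp := parseVersion(b)
	for i := range an {
		if an[i] != bn[i] {
			if an[i] < bn[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case ap == bp:
		return 0
	case ap == "" || (bp != "" && ap > bp):
		return 1
	}
	return -1
}

// Audit matches every dependency recorded in a binary's build info against the
// advisory table. A replace directive is honoured because the replacement is
// what was actually compiled in; this is what a scanner should do too.
func Audit(binary string, bi *debug.BuildInfo, advisories []Advisory) []Finding {
	var out []Finding
	for _, dep := range bi.Deps {
		path, ver := dep.Path, dep.Version
		if dep.Replace != nil {
			path, ver = dep.Replace.Path, dep.Replace.Version
		}
		for _, adv := range advisories {
			if path == adv.Module && CompareVersions(ver, adv.FixedIn) < 0 {
				out = append(out, Finding{binary, path, ver, adv.FixedIn, adv.Note})
			}
		}
	}
	return out
}

// AuditTree walks root (for example an exported container rootfs), reads the
// build info embedded in every Go binary found and returns the toolchain
// version per binary plus all findings. Files that are not Go binaries are
// skipped, which is what you want when pointing this at a whole filesystem.
func AuditTree(root string, advisories []Advisory) (map[string]string, []Finding, error) {
	goVersions := map[string]string{}
	var findings []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		bi, rerr := buildinfo.ReadFile(p)
		if rerr != nil {
			return nil // not a Go binary
		}
		goVersions[p] = bi.GoVersion
		findings = append(findings, Audit(p, bi, advisories)...)
		return nil
	})
	return goVersions, findings, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	goVersions, findings, err := AuditTree(root, knownAdvisories)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for bin, gv := range goVersions {
		fmt.Printf("%s: built with %s\n", bin, gv)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s@%s is below %s (%s)\n", f.Binary, f.Module, f.Version, f.FixedIn, f.Note)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

To run it against the image from this thread, create a container from it, `docker export` that container into a directory, and pass `<dir>/usr/local/bin` as the argument; each `tf/versions/*/terraform` binary then reports its own Go toolchain and its own dependency set, which is the same split the Snyk output shows. Two things the example makes visible that the raw scanner output does not: the go.sum file plays no part (only the versions actually linked into the binary are recorded), and a module pinned through `replace` is judged by the replacement version. For real use, `govulncheck` can scan a compiled binary against the Go vulnerability database and additionally reports whether the vulnerable function is reachable, which is how to tell a true positive from a stale one.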
nitrocode commented 1 year ago

Thank you @robmonct. The snyk scan looks a lot more actionable. The curl and git-lfs versions are about to be bumped in a contributed PR #2889.

Please feel free to propose changes to resolve any of the other issues raised here.

nitrocode commented 1 year ago

Some of these vulnerabilities are a bit odd again or seem to be "stale". It's possible that your local dev image may be an older version?

https://github.com/runatlantis/atlantis/blob/e0f92e7e941fa18602927bfb84f1f1b6e4691111/go.mod#L47

These seem to be flagged appropriately. I did not do a full search. I only spot checked.

https://github.com/runatlantis/atlantis/blob/e0f92e7e941fa18602927bfb84f1f1b6e4691111/go.mod#L123

https://github.com/runatlantis/atlantis/blob/e0f92e7e941fa18602927bfb84f1f1b6e4691111/go.mod#L122

https://github.com/runatlantis/atlantis/blob/e0f92e7e941fa18602927bfb84f1f1b6e4691111/go.mod#L48

The YAML dependency is an open issue at the moment since it's difficult to get 1:1 results, at the moment, with the v2.

robmonct commented 1 year ago

My dev image is yesterday's dev image. I think the problem is related to this: https://stackoverflow.com/questions/69825533/why-does-go-sum-include-so-many-older-packages go.sum contains older versions even if they aren't being used, and GCP and Snyk take them as vulnerabilities. Is that possible? I'm trying to find out how to remove those older versions from the go.sum file.

nitrocode commented 1 year ago

@robmonct I'm unsure if that's the case. Some of the snyk issues you mentioned are actual issues which were just addressed today.

The dependencies you're referring to may be the `// indirect` dependencies which come from other dependencies.

Please download a fresh dev / dev-alpine image and scan.

The dev-debian image is new and currently unused. It has more vulnerabilities most likely due to the fact that the debian package repositories are slower to upgrade.

I wrote up a small issue here to help address more of these docker image dependency issues going forward https://github.com/runatlantis/atlantis/issues/2890. Please feel free to comment there on the process if you have suggestions.

nitrocode commented 1 year ago

Also, regarding the issues with older versions of terraform that snyk is flagging: we recently culled the 0.x versions from the container, and the older 1.0.x, 1.1.x, 1.2.x may be next to remove since terraform will auto download versions based on the hcl required_version block.

Now that we know that security is flagging those, it may give more credence to the argument of only supporting the latest tf version.

nitrocode commented 1 year ago

I updated your comment here with summaries https://github.com/runatlantis/atlantis/issues/2883#issuecomment-1367241025

These ones out of scope

These ones in scope

The only remaining issues are in the debian image, which currently is set to only install packages from its stable repository. This limits it to older versions even if they are technically vulnerable, such as curl. We could install from unstable but that may cause other issues.

For now, we are discussing using >= pins in the Dockerfile.debian image to keep more up to date. See PR https://github.com/runatlantis/atlantis/pull/2896. This will not resolve the current debian curl issues (for example) but will allow us to upgrade sooner when those packages are available from the stable repository.

cc: @jamengual

robmonct commented 1 year ago

Thanks for your work @nitrocode I've downloaded the new dev version and this is the scan output:

scan results

```
DOCKER_HOST=unix:///Users/$(whoami)/Library/Containers/com.docker.docker/Data/docker.raw.sock docker scan ghcr.io/runatlantis/atlantis:dev

Testing ghcr.io/runatlantis/atlantis:dev...

Organization:      robmonct
Package manager:   apk
Project name:      docker-image|ghcr.io/runatlantis/atlantis
Docker image:      ghcr.io/runatlantis/atlantis:dev
Platform:          linux/arm64
Licenses:          enabled

✔ Tested 44 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev...

Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/atlantis
Project name:      github.com/runatlantis/atlantis
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

✔ Tested 206 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev...

Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/cft/versions/0.37.0/conftest
Project name:      go-distribution@command-line-arguments
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

✔ Tested 530 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.6
  From: golang.org/x/text/language@v0.3.6
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/text/internal/language
  Description: Out-of-bounds Read
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTINTERNALLANGUAGE-2400718
  Introduced through: golang.org/x/text/internal/language@v0.3.6
  From: golang.org/x/text/internal/language@v0.3.6
  Fixed in: 0.3.7

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  From: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  Fixed in: 0.4.0

✗ Medium severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-2429769
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  From: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  Fixed in: 0.0.0-20220314234659-1baeb1ce4c0b

✗ Medium severity vulnerability found in github.com/hashicorp/go-getter/helper/url
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTERHELPERURL-2804031
  Introduced through: github.com/hashicorp/go-getter/helper/url@v1.5.2
  From: github.com/hashicorp/go-getter/helper/url@v1.5.2
  Fixed in: 1.5.11

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-2313688
  Introduced through: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  From: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  Fixed in: 0.0.0-20211209124913-491a49abca63

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  From: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1

✗ High severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-3026972
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  From: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  Fixed in: 0.0.0-20211202192323-5770296d904e

✗ High severity vulnerability found in github.com/satori/go.uuid
  Description: Insecure Randomness
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488
  Introduced through: github.com/satori/go.uuid@v1.2.0
  From: github.com/satori/go.uuid@v1.2.0

✗ High severity vulnerability found in github.com/hashicorp/go-slug
  Description: Arbitrary File Write via Archive Extraction (Zip Slip)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOSLUG-1048304
  Introduced through: github.com/hashicorp/go-slug@v0.4.1
  From: github.com/hashicorp/go-slug@v0.4.1
  Fixed in: 0.5.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Command Injection
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2421223
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847924
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847925
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847926
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/tf/versions/1.0.11/terraform
Project name:      github.com/hashicorp/terraform
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

Tested 576 dependencies for known issues, found 14 issues.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  From: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  Fixed in: 0.4.0

✗ Medium severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-2429769
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  From: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  Fixed in: 0.0.0-20220314234659-1baeb1ce4c0b

✗ Medium severity vulnerability found in github.com/hashicorp/go-getter/helper/url
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTERHELPERURL-2804031
  Introduced through: github.com/hashicorp/go-getter/helper/url@v1.5.9
  From: github.com/hashicorp/go-getter/helper/url@v1.5.9
  Fixed in: 1.5.11

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: NULL Pointer Dereference
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.1

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  From: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1

✗ High severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-3026972
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  From: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  Fixed in: 0.0.0-20211202192323-5770296d904e

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Command Injection
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2421223
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847924
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847925
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847926
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/tf/versions/1.1.9/terraform
Project name:      github.com/hashicorp/terraform
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

Tested 623 dependencies for known issues, found 12 issues.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  From: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  Fixed in: 0.4.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: NULL Pointer Dereference
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.1

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  From: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1

Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/tf/versions/1.2.9/terraform
Project name:      github.com/hashicorp/terraform
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

Tested 628 dependencies for known issues, found 5 issues.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev...
```
✗ Medium severity vulnerability found in golang.org/x/text/language Description: Improper Input Validation Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869 Introduced through: golang.org/x/text/language@v0.3.7 From: golang.org/x/text/language@v0.3.7 Fixed in: 0.3.8 ✗ Medium severity vulnerability found in golang.org/x/net/http2 Description: Denial of Service (DoS) Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322 Introduced through: golang.org/x/net/http2@v0.0.0-20220927171203-f486391704dc From: golang.org/x/net/http2@v0.0.0-20220927171203-f486391704dc Fixed in: 0.4.0 Organization: robmonct Package manager: gomodules Target file: /usr/local/bin/tf/versions/1.3.6/terraform Project name: github.com/hashicorp/terraform Docker image: ghcr.io/runatlantis/atlantis:dev Licenses: enabled Tested 590 dependencies for known issues, found 2 issues. ------------------------------------------------------- Testing ghcr.io/runatlantis/atlantis:dev... Organization: robmonct Package manager: gomodules Target file: /bin/gosu Project name: github.com/tianon/gosu Docker image: ghcr.io/runatlantis/atlantis:dev Licenses: enabled ✔ Tested 3 dependencies for known issues, no vulnerable paths found. ------------------------------------------------------- Testing ghcr.io/runatlantis/atlantis:dev... 
✗ Medium severity vulnerability found in golang.org/x/text/language Description: Improper Input Validation Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869 Introduced through: golang.org/x/text/language@v0.3.7 From: golang.org/x/text/language@v0.3.7 Fixed in: 0.3.8 ✗ Medium severity vulnerability found in golang.org/x/net/http2 Description: Denial of Service (DoS) Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322 Introduced through: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2 From: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2 Fixed in: 0.4.0 ✗ High severity vulnerability found in golang.org/x/net/http2 Description: Denial of Service (DoS) Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-2313688 Introduced through: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2 From: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2 Fixed in: 0.0.0-20211209124913-491a49abca63 ✗ High severity vulnerability found in golang.org/x/net/http2 Description: Denial of Service Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257 Introduced through: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2 From: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2 Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1 Organization: robmonct Package manager: gomodules Target file: /usr/bin/git-lfs Project name: go-distribution@command-line-arguments Docker image: ghcr.io/runatlantis/atlantis:dev Licenses: enabled Tested 62 dependencies for known issues, found 4 issues. Tested 9 projects, 5 contained vulnerable paths. ``` This is the output scan for dev-debian ``` DOCKER_HOST=unix:///Users/$(whoami)/Library/Containers/com.docker.docker/Data/docker.raw.sock docker scan ghcr.io/runatlantis/atlantis:dev-debian Testing ghcr.io/runatlantis/atlantis:dev-debian... 
✗ Low severity vulnerability found in util-linux/libblkid1 Description: Information Exposure Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-UTILLINUX-2401081 Introduced through: util-linux/libblkid1@2.36.1-8+deb11u1, e2fsprogs@1.46.2-2, util-linux/libmount1@2.36.1-8+deb11u1, util-linux/mount@2.36.1-8+deb11u1, util-linux/libuuid1@2.36.1-8+deb11u1, util-linux@2.36.1-8+deb11u1, util-linux/bsdutils@1:2.36.1-8+deb11u1, util-linux/libsmartcols1@2.36.1-8+deb11u1 From: util-linux/libblkid1@2.36.1-8+deb11u1 From: e2fsprogs@1.46.2-2 > util-linux/libblkid1@2.36.1-8+deb11u1 From: util-linux/libmount1@2.36.1-8+deb11u1 > util-linux/libblkid1@2.36.1-8+deb11u1 and 15 more... ✗ Low severity vulnerability found in unzip Description: NULL Pointer Dereference Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-UNZIP-2387325 Introduced through: unzip@6.0-26+deb11u1 From: unzip@6.0-26+deb11u1 ✗ Low severity vulnerability found in tar Description: CVE-2005-2541 Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-TAR-523480 Introduced through: meta-common-packages@meta From: meta-common-packages@meta > tar@1.34+dfsg-1 ✗ Low severity vulnerability found in systemd/libsystemd0 Description: Authentication Bypass Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SYSTEMD-1291054 Introduced through: apt@2.2.4, openssh/openssh-server@1:8.4p1-5+deb11u1, util-linux/bsdutils@1:2.36.1-8+deb11u1, util-linux/mount@2.36.1-8+deb11u1 From: apt@2.2.4 > systemd/libsystemd0@247.3-7+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > systemd/libsystemd0@247.3-7+deb11u1 From: util-linux/bsdutils@1:2.36.1-8+deb11u1 > systemd/libsystemd0@247.3-7+deb11u1 and 6 more... 
✗ Low severity vulnerability found in systemd/libsystemd0 Description: Off-by-one Error Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SYSTEMD-3111119 Introduced through: apt@2.2.4, openssh/openssh-server@1:8.4p1-5+deb11u1, util-linux/bsdutils@1:2.36.1-8+deb11u1, util-linux/mount@2.36.1-8+deb11u1 From: apt@2.2.4 > systemd/libsystemd0@247.3-7+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > systemd/libsystemd0@247.3-7+deb11u1 From: util-linux/bsdutils@1:2.36.1-8+deb11u1 > systemd/libsystemd0@247.3-7+deb11u1 and 6 more... ✗ Low severity vulnerability found in systemd/libsystemd0 Description: CVE-2022-4415 Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SYSTEMD-3177742 Introduced through: apt@2.2.4, openssh/openssh-server@1:8.4p1-5+deb11u1, util-linux/bsdutils@1:2.36.1-8+deb11u1, util-linux/mount@2.36.1-8+deb11u1 From: apt@2.2.4 > systemd/libsystemd0@247.3-7+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > systemd/libsystemd0@247.3-7+deb11u1 From: util-linux/bsdutils@1:2.36.1-8+deb11u1 > systemd/libsystemd0@247.3-7+deb11u1 and 6 more... ✗ Low severity vulnerability found in systemd/libsystemd0 Description: Link Following Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SYSTEMD-524969 Introduced through: apt@2.2.4, openssh/openssh-server@1:8.4p1-5+deb11u1, util-linux/bsdutils@1:2.36.1-8+deb11u1, util-linux/mount@2.36.1-8+deb11u1 From: apt@2.2.4 > systemd/libsystemd0@247.3-7+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > systemd/libsystemd0@247.3-7+deb11u1 From: util-linux/bsdutils@1:2.36.1-8+deb11u1 > systemd/libsystemd0@247.3-7+deb11u1 and 6 more... 
✗ Low severity vulnerability found in sqlite3/libsqlite3-0 Description: CVE-2021-36690 Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SQLITE3-1569419 Introduced through: gnupg2/gnupg@2.2.27-2+deb11u2 From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/gpg@2.2.27-2+deb11u2 > sqlite3/libsqlite3-0@3.34.1-3 ✗ Low severity vulnerability found in sqlite3/libsqlite3-0 Description: Memory Leak Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SQLITE3-2407045 Introduced through: gnupg2/gnupg@2.2.27-2+deb11u2 From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/gpg@2.2.27-2+deb11u2 > sqlite3/libsqlite3-0@3.34.1-3 ✗ Low severity vulnerability found in sqlite3/libsqlite3-0 Description: Improper Validation of Array Index Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SQLITE3-2959400 Introduced through: gnupg2/gnupg@2.2.27-2+deb11u2 From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/gpg@2.2.27-2+deb11u2 > sqlite3/libsqlite3-0@3.34.1-3 ✗ Low severity vulnerability found in shadow/passwd Description: Access Restriction Bypass Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SHADOW-526940 Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1, gnupg2/gnupg@2.2.27-2+deb11u2, shadow/login@1:4.8.1-1, util-linux/mount@2.36.1-8+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 > shadow/passwd@1:4.8.1-1 From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > adduser@3.118 > shadow/passwd@1:4.8.1-1 From: shadow/login@1:4.8.1-1 and 1 more... 
✗ Low severity vulnerability found in shadow/passwd Description: Time-of-check Time-of-use (TOCTOU) Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SHADOW-528840 Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1, gnupg2/gnupg@2.2.27-2+deb11u2, shadow/login@1:4.8.1-1, util-linux/mount@2.36.1-8+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 > shadow/passwd@1:4.8.1-1 From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > adduser@3.118 > shadow/passwd@1:4.8.1-1 From: shadow/login@1:4.8.1-1 and 1 more... ✗ Low severity vulnerability found in shadow/passwd Description: Incorrect Permission Assignment for Critical Resource Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SHADOW-539870 Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1, gnupg2/gnupg@2.2.27-2+deb11u2, shadow/login@1:4.8.1-1, util-linux/mount@2.36.1-8+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 > shadow/passwd@1:4.8.1-1 From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > adduser@3.118 > shadow/passwd@1:4.8.1-1 From: shadow/login@1:4.8.1-1 and 1 more... ✗ Low severity vulnerability found in perl/perl-modules-5.32 Description: Improper Verification of Cryptographic Signature Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-PERL-1925976 Introduced through: git@1:2.30.2-1, meta-common-packages@meta From: git@1:2.30.2-1 > perl@5.32.1-4+deb11u2 > perl/perl-modules-5.32@5.32.1-4+deb11u2 From: git@1:2.30.2-1 > perl@5.32.1-4+deb11u2 > perl/libperl5.32@5.32.1-4+deb11u2 > perl/perl-modules-5.32@5.32.1-4+deb11u2 From: git@1:2.30.2-1 > perl@5.32.1-4+deb11u2 > perl/libperl5.32@5.32.1-4+deb11u2 and 2 more... 
✗ Low severity vulnerability found in perl/perl-modules-5.32 Description: Link Following Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-PERL-532614 Introduced through: git@1:2.30.2-1, meta-common-packages@meta From: git@1:2.30.2-1 > perl@5.32.1-4+deb11u2 > perl/perl-modules-5.32@5.32.1-4+deb11u2 From: git@1:2.30.2-1 > perl@5.32.1-4+deb11u2 > perl/libperl5.32@5.32.1-4+deb11u2 > perl/perl-modules-5.32@5.32.1-4+deb11u2 From: git@1:2.30.2-1 > perl@5.32.1-4+deb11u2 > perl/libperl5.32@5.32.1-4+deb11u2 and 2 more... ✗ Low severity vulnerability found in pcre3/libpcre3 Description: Out-of-Bounds Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-PCRE3-523392 Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1 From: pcre3/libpcre3@2:8.39-13 From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13 ✗ Low severity vulnerability found in pcre3/libpcre3 Description: Out-of-Bounds Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-PCRE3-525075 Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1 From: pcre3/libpcre3@2:8.39-13 From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13 ✗ Low severity vulnerability found in pcre3/libpcre3 Description: Uncontrolled Recursion Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-PCRE3-529298 Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1 From: pcre3/libpcre3@2:8.39-13 From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13 ✗ Low severity vulnerability found in pcre3/libpcre3 Description: Out-of-Bounds Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-PCRE3-529490 Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1 From: pcre3/libpcre3@2:8.39-13 From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13 ✗ Low severity vulnerability found in pcre3/libpcre3 Description: Out-of-bounds Read Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-PCRE3-572353 Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1 From: pcre3/libpcre3@2:8.39-13 From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13 ✗ Low severity vulnerability found in openssl/libssl1.1 Description: Inadequate Encryption 
Strength Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-2941242 Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1, ca-certificates@20210119, curl@7.74.0-1.3+deb11u3, openssl@1.1.1n-0+deb11u3 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssl/libssl1.1@1.1.1n-0+deb11u3 From: ca-certificates@20210119 > openssl@1.1.1n-0+deb11u3 > openssl/libssl1.1@1.1.1n-0+deb11u3 From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > openssl/libssl1.1@1.1.1n-0+deb11u3 and 6 more... ✗ Low severity vulnerability found in openssl/libssl1.1 Description: Use of a Broken or Risky Cryptographic Algorithm Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-518334 Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1, ca-certificates@20210119, curl@7.74.0-1.3+deb11u3, openssl@1.1.1n-0+deb11u3 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssl/libssl1.1@1.1.1n-0+deb11u3 From: ca-certificates@20210119 > openssl@1.1.1n-0+deb11u3 > openssl/libssl1.1@1.1.1n-0+deb11u3 From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > openssl/libssl1.1@1.1.1n-0+deb11u3 and 6 more... ✗ Low severity vulnerability found in openssl/libssl1.1 Description: Cryptographic Issues Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-525332 Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1, ca-certificates@20210119, curl@7.74.0-1.3+deb11u3, openssl@1.1.1n-0+deb11u3 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssl/libssl1.1@1.1.1n-0+deb11u3 From: ca-certificates@20210119 > openssl@1.1.1n-0+deb11u3 > openssl/libssl1.1@1.1.1n-0+deb11u3 From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > openssl/libssl1.1@1.1.1n-0+deb11u3 and 6 more... 
✗ Low severity vulnerability found in openssh/openssh-client Description: CVE-2016-20012 Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-1585650 Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 and 1 more... ✗ Low severity vulnerability found in openssh/openssh-client Description: CVE-2021-41617 Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-1660415 Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 and 1 more... ✗ Low severity vulnerability found in openssh/openssh-client Description: Improper Authentication Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-2422621 Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 and 1 more... 
✗ Low severity vulnerability found in openssh/openssh-client Description: Information Exposure Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-517822 Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 and 1 more... ✗ Low severity vulnerability found in openssh/openssh-client Description: Information Exposure Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-520976 Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 and 1 more... ✗ Low severity vulnerability found in openssh/openssh-client Description: Improper Authentication Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-529002 Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 and 1 more... 
✗ Low severity vulnerability found in openssh/openssh-client Description: Access Restriction Bypass Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-529482 Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 and 1 more... ✗ Low severity vulnerability found in openssh/openssh-client Description: Inappropriate Encoding for Output Context Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-530703 Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 and 1 more... ✗ Low severity vulnerability found in openssh/openssh-client Description: Information Exposure Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-574760 Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 and 1 more... 
✗ Low severity vulnerability found in openssh/openssh-client Description: OS Command Injection Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-590139 Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 and 1 more... ✗ Low severity vulnerability found in openldap/libldap-2.4-2 Description: Improper Initialization Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENLDAP-521320 Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1, gnupg2/gnupg@2.2.27-2+deb11u2 From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1 From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1 From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1 ✗ Low severity vulnerability found in openldap/libldap-2.4-2 Description: Out-of-Bounds Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENLDAP-531344 Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1, gnupg2/gnupg@2.2.27-2+deb11u2 From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1 From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1 From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1 ✗ Low severity vulnerability found in openldap/libldap-2.4-2 Description: Cryptographic Issues Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENLDAP-531747 Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1, gnupg2/gnupg@2.2.27-2+deb11u2 From: 
curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1 From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1 From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1 ✗ Low severity vulnerability found in openldap/libldap-2.4-2 Description: Improper Certificate Validation Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENLDAP-584937 Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1, gnupg2/gnupg@2.2.27-2+deb11u2 From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1 From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1 From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1 ✗ Low severity vulnerability found in ncurses/libtinfo6 Description: Out-of-bounds Write Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-NCURSES-1655741 Introduced through: bash@5.1-2+deb11u1, ncurses/ncurses-bin@6.2+20201114-2, openssh/openssh-server@1:8.4p1-5+deb11u1, util-linux/mount@2.36.1-8+deb11u1, gnupg2/gnupg@2.2.27-2+deb11u2, ncurses/ncurses-base@6.2+20201114-2 From: bash@5.1-2+deb11u1 > ncurses/libtinfo6@6.2+20201114-2 From: ncurses/ncurses-bin@6.2+20201114-2 > ncurses/libtinfo6@6.2+20201114-2 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > procps@2:3.3.17-5 > ncurses/libtinfo6@6.2+20201114-2 and 11 more... 
✗ Low severity vulnerability found in ncurses/libtinfo6 Description: Out-of-bounds Read Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-NCURSES-2767191 Introduced through: bash@5.1-2+deb11u1, ncurses/ncurses-bin@6.2+20201114-2, openssh/openssh-server@1:8.4p1-5+deb11u1, util-linux/mount@2.36.1-8+deb11u1, gnupg2/gnupg@2.2.27-2+deb11u2, ncurses/ncurses-base@6.2+20201114-2 From: bash@5.1-2+deb11u1 > ncurses/libtinfo6@6.2+20201114-2 From: ncurses/ncurses-bin@6.2+20201114-2 > ncurses/libtinfo6@6.2+20201114-2 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > procps@2:3.3.17-5 > ncurses/libtinfo6@6.2+20201114-2 and 11 more... ✗ Low severity vulnerability found in libsepol/libsepol1 Description: Use After Free Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-LIBSEPOL-1315627 Introduced through: gnupg2/gnupg@2.2.27-2+deb11u2 From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > adduser@3.118 > shadow/passwd@1:4.8.1-1 > libsemanage/libsemanage1@3.1-1+b2 > libsepol/libsepol1@3.1-1 ✗ Low severity vulnerability found in libsepol/libsepol1 Description: Out-of-bounds Read Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-LIBSEPOL-1315629 Introduced through: gnupg2/gnupg@2.2.27-2+deb11u2 From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > adduser@3.118 > shadow/passwd@1:4.8.1-1 > libsemanage/libsemanage1@3.1-1+b2 > libsepol/libsepol1@3.1-1 ✗ Low severity vulnerability found in libsepol/libsepol1 Description: Use After Free Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-LIBSEPOL-1315635 Introduced through: gnupg2/gnupg@2.2.27-2+deb11u2 From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > adduser@3.118 > shadow/passwd@1:4.8.1-1 > libsemanage/libsemanage1@3.1-1+b2 > libsepol/libsepol1@3.1-1 ✗ Low severity vulnerability found in libsepol/libsepol1 Description: Use After Free Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-LIBSEPOL-1315641 Introduced through: gnupg2/gnupg@2.2.27-2+deb11u2 From: gnupg2/gnupg@2.2.27-2+deb11u2 
> gnupg2/dirmngr@2.2.27-2+deb11u2 > adduser@3.118 > shadow/passwd@1:4.8.1-1 > libsemanage/libsemanage1@3.1-1+b2 > libsepol/libsepol1@3.1-1 ✗ Low severity vulnerability found in libgcrypt20 Description: Information Exposure Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-LIBGCRYPT20-1297892 Introduced through: apt@2.2.4, gnupg2/gnupg@2.2.27-2+deb11u2, curl@7.74.0-1.3+deb11u3, openssh/openssh-server@1:8.4p1-5+deb11u1 From: apt@2.2.4 > apt/libapt-pkg6.0@2.2.4 > libgcrypt20@1.8.7-6 From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/gpgv@2.2.27-2+deb11u2 > libgcrypt20@1.8.7-6 From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > libgcrypt20@1.8.7-6 and 9 more... ✗ Low severity vulnerability found in libgcrypt20 Description: Use of a Broken or Risky Cryptographic Algorithm Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-LIBGCRYPT20-523947 Introduced through: apt@2.2.4, gnupg2/gnupg@2.2.27-2+deb11u2, curl@7.74.0-1.3+deb11u3, openssh/openssh-server@1:8.4p1-5+deb11u1 From: apt@2.2.4 > apt/libapt-pkg6.0@2.2.4 > libgcrypt20@1.8.7-6 From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/gpgv@2.2.27-2+deb11u2 > libgcrypt20@1.8.7-6 From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > libgcrypt20@1.8.7-6 and 9 more... ✗ Low severity vulnerability found in krb5/libkrb5-3 Description: CVE-2004-0971 Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-KRB5-519904 Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1, curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1, gnupg2/gnupg@2.2.27-2+deb11u2, meta-common-packages@meta From: openssh/openssh-server@1:8.4p1-5+deb11u1 > krb5/libkrb5-3@1.18.3-6+deb11u3 From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > krb5/libgssapi-krb5-2@1.18.3-6+deb11u3 > krb5/libkrb5-3@1.18.3-6+deb11u3 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > krb5/libgssapi-krb5-2@1.18.3-6+deb11u3 and 6 more... 
✗ Low severity vulnerability found in krb5/libkrb5-3 Description: Integer Overflow or Wraparound Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-KRB5-524883 Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1, curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1, gnupg2/gnupg@2.2.27-2+deb11u2, meta-common-packages@meta From: openssh/openssh-server@1:8.4p1-5+deb11u1 > krb5/libkrb5-3@1.18.3-6+deb11u3 From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > krb5/libgssapi-krb5-2@1.18.3-6+deb11u3 > krb5/libkrb5-3@1.18.3-6+deb11u3 From: openssh/openssh-server@1:8.4p1-5+deb11u1 > krb5/libgssapi-krb5-2@1.18.3-6+deb11u3 and 6 more... ✗ Low severity vulnerability found in gnutls28/libgnutls30 Description: Inadequate Encryption Strength Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GNUTLS28-515971 Introduced through: apt@2.2.4, git@1:2.30.2-1, gnupg2/gnupg@2.2.27-2+deb11u2, curl@7.74.0-1.3+deb11u3 From: apt@2.2.4 > gnutls28/libgnutls30@3.7.1-5+deb11u2 From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3 > gnutls28/libgnutls30@3.7.1-5+deb11u2 From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > gnutls28/libgnutls30@3.7.1-5+deb11u2 and 2 more... 
✗ Low severity vulnerability found in glibc/libc-bin
  Description: Out-of-Bounds
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GLIBC-521063
  Introduced through: glibc/libc-bin@2.31-13+deb11u5, meta-common-packages@meta
  From: glibc/libc-bin@2.31-13+deb11u5
  From: meta-common-packages@meta > glibc/libc6@2.31-13+deb11u5

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Uncontrolled Recursion
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GLIBC-521199
  Introduced through: glibc/libc-bin@2.31-13+deb11u5, meta-common-packages@meta
  From: glibc/libc-bin@2.31-13+deb11u5
  From: meta-common-packages@meta > glibc/libc6@2.31-13+deb11u5

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Use of Insufficiently Random Values
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GLIBC-522385
  Introduced through: glibc/libc-bin@2.31-13+deb11u5, meta-common-packages@meta
  From: glibc/libc-bin@2.31-13+deb11u5
  From: meta-common-packages@meta > glibc/libc6@2.31-13+deb11u5

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GLIBC-529848
  Introduced through: glibc/libc-bin@2.31-13+deb11u5, meta-common-packages@meta
  From: glibc/libc-bin@2.31-13+deb11u5
  From: meta-common-packages@meta > glibc/libc6@2.31-13+deb11u5

✗ Low severity vulnerability found in glibc/libc-bin
  Description: CVE-2019-1010023
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GLIBC-531451
  Introduced through: glibc/libc-bin@2.31-13+deb11u5, meta-common-packages@meta
  From: glibc/libc-bin@2.31-13+deb11u5
  From: meta-common-packages@meta > glibc/libc6@2.31-13+deb11u5

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Uncontrolled Recursion
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GLIBC-531492
  Introduced through: glibc/libc-bin@2.31-13+deb11u5, meta-common-packages@meta
  From: glibc/libc-bin@2.31-13+deb11u5
  From: meta-common-packages@meta > glibc/libc6@2.31-13+deb11u5

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Resource Management Errors
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GLIBC-532215
  Introduced through: glibc/libc-bin@2.31-13+deb11u5, meta-common-packages@meta
  From: glibc/libc-bin@2.31-13+deb11u5
  From: meta-common-packages@meta > glibc/libc6@2.31-13+deb11u5

✗ Low severity vulnerability found in git/git-man
  Description: Exposure of Resource to Wrong Sphere
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GIT-2399903
  Introduced through: git@1:2.30.2-1
  From: git@1:2.30.2-1 > git/git-man@1:2.30.2-1
  From: git@1:2.30.2-1

✗ Low severity vulnerability found in git/git-man
  Description: Uncontrolled Search Path Element
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GIT-2635965
  Introduced through: git@1:2.30.2-1
  From: git@1:2.30.2-1 > git/git-man@1:2.30.2-1
  From: git@1:2.30.2-1

✗ Low severity vulnerability found in git/git-man
  Description: Uncontrolled Search Path Element
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GIT-2949145
  Introduced through: git@1:2.30.2-1
  From: git@1:2.30.2-1 > git/git-man@1:2.30.2-1
  From: git@1:2.30.2-1

✗ Low severity vulnerability found in git/git-man
  Description: Link Following
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GIT-3051720
  Introduced through: git@1:2.30.2-1
  From: git@1:2.30.2-1 > git/git-man@1:2.30.2-1
  From: git@1:2.30.2-1

✗ Low severity vulnerability found in git/git-man
  Description: Out-of-bounds Write
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GIT-3051727
  Introduced through: git@1:2.30.2-1
  From: git@1:2.30.2-1 > git/git-man@1:2.30.2-1
  From: git@1:2.30.2-1

✗ Low severity vulnerability found in git/git-man
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GIT-514769
  Introduced through: git@1:2.30.2-1
  From: git@1:2.30.2-1 > git/git-man@1:2.30.2-1
  From: git@1:2.30.2-1

✗ Low severity vulnerability found in expat/libexpat1
  Description: XML External Entity (XXE) Injection
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-EXPAT-524217
  Introduced through: git@1:2.30.2-1
  From: git@1:2.30.2-1 > expat/libexpat1@2.2.10-2+deb11u5

✗ Low severity vulnerability found in e2fsprogs/libext2fs2
  Description: Out-of-bounds Read
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-E2FSPROGS-2628459
  Introduced through: e2fsprogs/libext2fs2@1.46.2-2, e2fsprogs@1.46.2-2, e2fsprogs/libss2@1.46.2-2, e2fsprogs/logsave@1.46.2-2, meta-common-packages@meta
  From: e2fsprogs/libext2fs2@1.46.2-2
  From: e2fsprogs@1.46.2-2 > e2fsprogs/libext2fs2@1.46.2-2
  From: e2fsprogs/libss2@1.46.2-2
  and 5 more...

✗ Low severity vulnerability found in db5.3/libdb5.3
  Description: Out-of-bounds Read
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-DB53-2825168
  Introduced through: git@1:2.30.2-1, curl@7.74.0-1.3+deb11u3, gnupg2/gnupg@2.2.27-2+deb11u2
  From: git@1:2.30.2-1 > perl@5.32.1-4+deb11u2 > perl/libperl5.32@5.32.1-4+deb11u2 > db5.3/libdb5.3@5.3.28+dfsg1-0.8
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1 > cyrus-sasl2/libsasl2-2@2.1.27+dfsg-2.1+deb11u1 > cyrus-sasl2/libsasl2-modules-db@2.1.27+dfsg-2.1+deb11u1 > db5.3/libdb5.3@5.3.28+dfsg1-0.8
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > adduser@3.118 > shadow/passwd@1:4.8.1-1 > pam/libpam-modules@1.4.0-9+deb11u1 > db5.3/libdb5.3@5.3.28+dfsg1-0.8

✗ Low severity vulnerability found in curl/libcurl4
  Description: Insufficiently Protected Credentials
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-CURL-1322659
  Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3
  From: curl@7.74.0-1.3+deb11u3
  From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3

✗ Low severity vulnerability found in curl/libcurl4
  Description: Improper Handling of Exceptional Conditions
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-CURL-1322667
  Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3
  From: curl@7.74.0-1.3+deb11u3
  From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3

✗ Low severity vulnerability found in curl/libcurl4
  Description: CVE-2022-43551
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-CURL-3179181
  Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3
  From: curl@7.74.0-1.3+deb11u3
  From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3

✗ Low severity vulnerability found in curl/libcurl4
  Description: CVE-2022-43552
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-CURL-3179186
  Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3
  From: curl@7.74.0-1.3+deb11u3
  From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3

✗ Low severity vulnerability found in coreutils
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-COREUTILS-514776
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > ucf@3.0043 > coreutils@8.32-4

✗ Low severity vulnerability found in coreutils
  Description: Race Condition
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-COREUTILS-527269
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > ucf@3.0043 > coreutils@8.32-4

✗ Low severity vulnerability found in bash
  Description: CVE-2022-3715
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-BASH-3112361
  Introduced through: bash@5.1-2+deb11u1
  From: bash@5.1-2+deb11u1

✗ Low severity vulnerability found in apt/libapt-pkg6.0
  Description: Improper Verification of Cryptographic Signature
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-APT-522585
  Introduced through: apt/libapt-pkg6.0@2.2.4, apt@2.2.4
  From: apt/libapt-pkg6.0@2.2.4
  From: apt@2.2.4 > apt/libapt-pkg6.0@2.2.4
  From: apt@2.2.4

✗ High severity vulnerability found in curl/libcurl4
  Description: Cleartext Transmission of Sensitive Information
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-CURL-3066040
  Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3
  From: curl@7.74.0-1.3+deb11u3
  From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3

✗ Critical severity vulnerability found in curl/libcurl4
  Description: Exposure of Resource to Wrong Sphere
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-CURL-3065656
  Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3
  From: curl@7.74.0-1.3+deb11u3
  From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3

Organization: robmonct
Package manager: deb
Project name: docker-image|ghcr.io/runatlantis/atlantis
Docker image: ghcr.io/runatlantis/atlantis:dev-debian
Platform: linux/arm64
Licenses: enabled

Tested 155 dependencies for known issues, found 74 issues.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev-debian...

Organization: robmonct
Package manager: gomodules
Target file: /usr/local/bin/atlantis
Project name: github.com/runatlantis/atlantis
Docker image: ghcr.io/runatlantis/atlantis:dev-debian
Licenses: enabled

✔ Tested 206 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev-debian...

Organization: robmonct
Package manager: gomodules
Target file: /usr/local/bin/cft/versions/0.37.0/conftest
Project name: go-distribution@command-line-arguments
Docker image: ghcr.io/runatlantis/atlantis:dev-debian
Licenses: enabled

✔ Tested 530 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev-debian...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.6
  From: golang.org/x/text/language@v0.3.6
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/text/internal/language
  Description: Out-of-bounds Read
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTINTERNALLANGUAGE-2400718
  Introduced through: golang.org/x/text/internal/language@v0.3.6
  From: golang.org/x/text/internal/language@v0.3.6
  Fixed in: 0.3.7

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  From: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  Fixed in: 0.4.0

✗ Medium severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-2429769
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  From: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  Fixed in: 0.0.0-20220314234659-1baeb1ce4c0b

✗ Medium severity vulnerability found in github.com/hashicorp/go-getter/helper/url
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTERHELPERURL-2804031
  Introduced through: github.com/hashicorp/go-getter/helper/url@v1.5.2
  From: github.com/hashicorp/go-getter/helper/url@v1.5.2
  Fixed in: 1.5.11

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-2313688
  Introduced through: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  From: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  Fixed in: 0.0.0-20211209124913-491a49abca63

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  From: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1

✗ High severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-3026972
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  From: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  Fixed in: 0.0.0-20211202192323-5770296d904e

✗ High severity vulnerability found in github.com/satori/go.uuid
  Description: Insecure Randomness
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488
  Introduced through: github.com/satori/go.uuid@v1.2.0
  From: github.com/satori/go.uuid@v1.2.0

✗ High severity vulnerability found in github.com/hashicorp/go-slug
  Description: Arbitrary File Write via Archive Extraction (Zip Slip)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOSLUG-1048304
  Introduced through: github.com/hashicorp/go-slug@v0.4.1
  From: github.com/hashicorp/go-slug@v0.4.1
  Fixed in: 0.5.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Command Injection
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2421223
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847924
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847925
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847926
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

Organization: robmonct
Package manager: gomodules
Target file: /usr/local/bin/tf/versions/1.0.11/terraform
Project name: github.com/hashicorp/terraform
Docker image: ghcr.io/runatlantis/atlantis:dev-debian
Licenses: enabled

Tested 576 dependencies for known issues, found 14 issues.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev-debian...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  From: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  Fixed in: 0.4.0

✗ Medium severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-2429769
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  From: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  Fixed in: 0.0.0-20220314234659-1baeb1ce4c0b

✗ Medium severity vulnerability found in github.com/hashicorp/go-getter/helper/url
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTERHELPERURL-2804031
  Introduced through: github.com/hashicorp/go-getter/helper/url@v1.5.9
  From: github.com/hashicorp/go-getter/helper/url@v1.5.9
  Fixed in: 1.5.11

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: NULL Pointer Dereference
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.1

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  From: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1

✗ High severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-3026972
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  From: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  Fixed in: 0.0.0-20211202192323-5770296d904e

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Command Injection
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2421223
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847924
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847925
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847926
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

Organization: robmonct
Package manager: gomodules
Target file: /usr/local/bin/tf/versions/1.1.9/terraform
Project name: github.com/hashicorp/terraform
Docker image: ghcr.io/runatlantis/atlantis:dev-debian
Licenses: enabled

Tested 623 dependencies for known issues, found 12 issues.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev-debian...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  From: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  Fixed in: 0.4.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: NULL Pointer Dereference
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.1

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  From: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1

Organization: robmonct
Package manager: gomodules
Target file: /usr/local/bin/tf/versions/1.2.9/terraform
Project name: github.com/hashicorp/terraform
Docker image: ghcr.io/runatlantis/atlantis:dev-debian
Licenses: enabled

Tested 628 dependencies for known issues, found 5 issues.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev-debian...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20220927171203-f486391704dc
  From: golang.org/x/net/http2@v0.0.0-20220927171203-f486391704dc
  Fixed in: 0.4.0

Organization: robmonct
Package manager: gomodules
Target file: /usr/local/bin/tf/versions/1.3.6/terraform
Project name: github.com/hashicorp/terraform
Docker image: ghcr.io/runatlantis/atlantis:dev-debian
Licenses: enabled

Tested 590 dependencies for known issues, found 2 issues.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev-debian...

Organization: robmonct
Package manager: gomodules
Target file: /bin/gosu
Project name: github.com/tianon/gosu
Docker image: ghcr.io/runatlantis/atlantis:dev-debian
Licenses: enabled

✔ Tested 3 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev-debian...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2
  From: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2
  Fixed in: 0.4.0

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-2313688
  Introduced through: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2
  From: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2
  Fixed in: 0.0.0-20211209124913-491a49abca63

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2
  From: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1

Organization: robmonct
Package manager: gomodules
Target file: /usr/bin/git-lfs
Project name: go-distribution@command-line-arguments
Docker image: ghcr.io/runatlantis/atlantis:dev-debian
Licenses: enabled

Tested 62 dependencies for known issues, found 4 issues.

Tested 9 projects, 6 contained vulnerable paths.
```
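The report above mixes findings from three very different places: the Debian package set of the base image, the atlantis binary itself, and the terraform/conftest/git-lfs/gosu binaries bundled alongside it. Triage depends on keeping those apart, because each is fixed by a different party. The following is an added Go example, not code from Atlantis or Snyk, that parses the plain-text layout of `snyk container test` output shown above and counts findings per scope and severity. The embedded report is a constructed, abbreviated excerpt in that layout (three of the nine projects, with their real identifiers); the scope names (`base-image`, `atlantis`, `bundled-terraform`, `bundled-tool`) and the path rules behind them are assumptions about this image's layout.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one "✗ ... vulnerability found in ..." entry; Attrs keeps the
// indented Description / Info / Fixed in lines that follow it.
type Finding struct {
	Severity, Package string
	Attrs             map[string]string
}

// Project is one scanned target: the deb package set (empty Target) or one Go binary.
type Project struct {
	Manager, Target string // Manager is "deb" or "gomodules"
	Findings        []Finding
}

var findingRe = regexp.MustCompile(`^✗ (\w+) severity vulnerability found in (\S+)`)

// Parse reads the plain-text output of `snyk container test`. Snyk prints a
// project's findings first and its "Package manager:/Target file:/Tested ..."
// trailer afterwards, so findings are buffered until the trailer closes the
// project. Lines the triage does not need (Organization:, From:, ...) are skipped.
func Parse(report string) []Project {
	var projects []Project
	var pending []Finding
	cur := Project{}
	sc := bufio.NewScanner(strings.NewReader(report))
	for sc.Scan() {
		line := strings.TrimPrefix(strings.TrimSpace(sc.Text()), "✔ ")
		key, val, _ := strings.Cut(line, ": ")
		switch {
		case strings.HasPrefix(line, "✗ "):
			if m := findingRe.FindStringSubmatch(line); m != nil {
				pending = append(pending, Finding{m[1], m[2], map[string]string{}})
			}
		case len(pending) > 0 && (key == "Description" || key == "Info" || key == "Fixed in"):
			pending[len(pending)-1].Attrs[key] = val
		case key == "Package manager":
			cur.Manager = val
		case key == "Target file":
			cur.Target = val
		case strings.HasPrefix(line, "Tested ") && cur.Manager != "":
			// "Tested N dependencies ..." ends a project; the closing
			// "Tested N projects ..." summary has no manager and is skipped.
			cur.Findings = pending
			projects = append(projects, cur)
			pending, cur = nil, Project{}
		}
	}
	return projects
}

// Scope says who can act on a project's findings: the Atlantis maintainers (their
// own binary), the Debian base image, or the operator who trims the bundled
// terraform/conftest versions in a downstream image. The path rules are assumptions.
func Scope(p Project) string {
	switch {
	case p.Manager == "deb":
		return "base-image"
	case p.Target == "/usr/local/bin/atlantis":
		return "atlantis"
	case strings.HasPrefix(p.Target, "/usr/local/bin/tf/versions/"):
		return "bundled-terraform"
	default:
		return "bundled-tool"
	}
}

// Summarize counts findings as counts["<scope>/<severity>"].
func Summarize(projects []Project) map[string]int {
	counts := map[string]int{}
	for _, p := range projects {
		for _, f := range p.Findings {
			counts[Scope(p)+"/"+f.Severity]++
		}
	}
	return counts
}

// sampleReport is a constructed, abbreviated excerpt in the layout of the scan
// above (three of its nine projects; Organization:/From: lines omitted).
const sampleReport = `✗ Critical severity vulnerability found in curl/libcurl4
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-CURL-3065656
Package manager: deb
Tested 155 dependencies for known issues, found 1 issue.
Package manager: gomodules
Target file: /usr/local/bin/atlantis
✔ Tested 206 dependencies for known issues, no vulnerable paths found.
✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2421223
  Fixed in: 1.6.1, 2.1.0
✗ Medium severity vulnerability found in golang.org/x/text/language
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Fixed in: 0.3.8
Package manager: gomodules
Target file: /usr/local/bin/tf/versions/1.0.11/terraform
Tested 576 dependencies for known issues, found 2 issues.
Tested 3 projects, 2 contained vulnerable paths.
`

func main() { fmt.Println(Summarize(Parse(sampleReport))) }
```

Run with `go run`; the output is the map of `<scope>/<severity>` counts, which makes it obvious that the atlantis binary is clean while the bundled terraform 1.0.11 carries the go-getter findings. For real automation `snyk container test --json` is the better input; the text parser is for reports that only survive as pasted text, like the one in this issue.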
nitrocode commented 1 year ago

A lot of these are out of scope unfortunately. Please see my previous post and my edit of your last scan. Also please edit your post so it's a bit more digestible (see previous edit).

The debian vulnerabilities are mostly from the binaries available from their stable repo unfortunately. If we downloaded from their unstable repo, we could avoid these vulnerabilities for debian but then we'd be trading stability for security.

The older terraform binaries are also out of scope.

robmonct commented 1 year ago

OK, thanks a lot for your work. Let's see if HashiCorp could fix those vulnerabilities, but some of those versions seem to be a bit old. Would you consider offering a version of Atlantis with only Terraform 1.3.x and maybe another version with older TF versions, to let people choose between compatibility and security? Something like this: https://github.com/runatlantis/atlantis/pull/2901

nitrocode commented 1 year ago

I do not think they will fix the vulnerabilities in older versions of terraform.

May I ask, what is your current threat model? Why is it important to eliminate the older terraform version specific vulnerabilities from this container?

And I'd also like to remind you that we encourage users to customize their own image, so removing the tf binaries or any other customizations are welcome and encouraged downstream. We want to make the maintenance and stability as easy as possible from our side.

robmonct commented 1 year ago

The main problem is that GitHub doesn't provide the option to configure webhook headers, so it is not possible to use GCP IAP to protect the endpoint.

nitrocode commented 1 year ago

@robmonct wouldn't the GitHub webhook with a secret token be sufficient?
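What the webhook secret suggested above actually buys you, as an added stand-alone Go example (not Atlantis's own implementation): when a secret is configured, GitHub computes HMAC-SHA256 over the raw request body with that secret and sends the result as `X-Hub-Signature-256: sha256=<hex>`; the receiver recomputes it over the bytes it received and compares in constant time, so an unsigned or tampered delivery is rejected before the payload is parsed. The secret, the pull-request payload and the three constructed deliveries (genuine, tampered body, missing signature) are fixtures, not real traffic. Note that this check runs inside the application after the request has already reached it, which is what separates it from a perimeter control such as IAP.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// VerifyGitHubSignature checks the X-Hub-Signature-256 header GitHub adds when a
// webhook secret is configured: "sha256=" + hex(HMAC-SHA256(secret, raw body)).
// hmac.Equal is constant-time, so a forged signature cannot be refined byte by byte.
func VerifyGitHubSignature(secret, body []byte, header string) error {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return errors.New("missing or malformed X-Hub-Signature-256 header")
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return fmt.Errorf("signature is not hex: %w", err)
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	if !hmac.Equal(got, mac.Sum(nil)) {
		return errors.New("signature mismatch: body was not signed with this secret")
	}
	return nil
}

// SignGitHubPayload builds the header value GitHub would send for body. It is
// only here to construct fixtures; in production GitHub is the only signer.
func SignGitHubPayload(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// WebhookHandler applies the check at the HTTP boundary: read the raw body
// (bounded, and before any JSON decoding), verify, and only then accept the event.
func WebhookHandler(secret []byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
		if err != nil {
			http.Error(w, "cannot read body", http.StatusBadRequest)
			return
		}
		if err := VerifyGitHubSignature(secret, body, r.Header.Get("X-Hub-Signature-256")); err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusNoContent) // event accepted; dispatch would go here
	}
}

// Demo pushes three constructed deliveries through WebhookHandler in-process and
// returns their status codes: genuine, tampered body, and missing signature.
func Demo() []int {
	secret := []byte("constructed-example-secret") // assumed to match the GitHub webhook config
	body := []byte(`{"action":"opened","pull_request":{"number":2883}}`)
	cases := []struct {
		sig  string
		body []byte
	}{
		{SignGitHubPayload(secret, body), body},
		{SignGitHubPayload(secret, body), []byte(`{"action":"closed","pull_request":{"number":2883}}`)},
		{"", body},
	}
	h := WebhookHandler(secret)
	var codes []int
	for _, tc := range cases {
		req := httptest.NewRequest(http.MethodPost, "/events", bytes.NewReader(tc.body))
		req.Header.Set("X-Hub-Signature-256", tc.sig)
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		codes = append(codes, rec.Code)
	}
	return codes
}

func main() { fmt.Println(Demo()) }
```

The handler reads the body with `io.LimitReader` before verifying, because the HMAC must be computed over exactly the bytes GitHub signed and an unauthenticated caller should not be able to make the server buffer an unbounded body. Anything that re-serializes the JSON before hashing will fail verification on legitimate deliveries.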

robmonct commented 1 year ago

No. For GCP IAP, a secret token isn't enough.

nitrocode commented 1 year ago

@robmonct please see this open issue regarding GCP IAP. We can reopen that issue if it is needed or requires more documentation on the website.

https://github.com/runatlantis/atlantis/issues/827