High rated vulnerability in `golang.org/x/text` (CVE-2022-32149)

[mix4242]

Hi there 👋🏻

There exists a high rated vulnerability in golang.org/x/text at v0.3.7 which is fixed in v0.3.8. The CVE is CVE-2022-32149.

To reproduce scan the latest 6.7.11 docker image with trivy as follows:

Trivy vulnerability scan

``` /Users/max > trivy image --scanners vuln --ignore-unfixed --severity high rwynn/monstache:6.7.11 2023-04-28T08:08:45.886+0100 INFO Vulnerability scanning is enabled 2023-04-28T08:08:45.908+0100 INFO Detected OS: alpine 2023-04-28T08:08:45.908+0100 INFO Detecting Alpine vulnerabilities... 2023-04-28T08:08:45.909+0100 INFO Number of language-specific files: 1 2023-04-28T08:08:45.909+0100 INFO Detecting gobinary vulnerabilities... rwynn/monstache:6.7.11 (alpine 3.15.0) Total: 34 (HIGH: 34) (...OMITTED...) bin/monstache (gobinary) Total: 1 (HIGH: 1) ┌───────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │ ├───────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤ │ golang.org/x/text │ CVE-2022-32149 │ HIGH │ v0.3.7 │ 0.3.8 │ golang: golang.org/x/text/language: ParseAcceptLanguage │ │ │ │ │ │ │ takes a long time to parse complex tags │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-32149 │ └───────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘ ```

Please could version v0.3.8 be used to fix this vulnerability :)

Thank you

P.S. Never used golang but if someone could confirm it's just a case of adding

golang.org/x/text v0.3.8 // indirect

in go.mod I'd be happy to open a PR :)