Open elchenberg opened 6 months ago
The github.com/hashicorp/go-getter package v1.7.0 has a CRITICAL vulnerability (CVE-2024-3817) and should be updated to v1.7.4.
trivy filesystem --scanners vuln --severity CRITICAL . # or make docker-build trivy image --scanners vuln --severity CRITICAL "docker-terrascan-local.artifactory.eng.tenable.com/terrascan:$(cat dockerhub-image-label.txt)"
Output:
2024-05-27T13:13:21+02:00 INFO Vulnerability scanning is enabled 2024-05-27T13:13:21+02:00 INFO Detected OS family="alpine" version="3.16.9" 2024-05-27T13:13:21+02:00 INFO [alpine] Detecting vulnerabilities... os_version="3.16" repository="3.16" pkg_num=32 2024-05-27T13:13:21+02:00 INFO Number of language-specific files num=1 2024-05-27T13:13:21+02:00 INFO [gobinary] Detecting vulnerabilities... 2024-05-27T13:13:21+02:00 WARN This OS version is no longer supported by the distribution family="alpine" version="3.16.9" 2024-05-27T13:13:21+02:00 WARN The vulnerability detection may be insufficient because security updates are not provided docker-terrascan-local.artifactory.eng.tenable.com/terrascan:4422eb52 (alpine 3.16.9) Total: 0 (CRITICAL: 0) go/bin/terrascan (gobinary) Total: 4 (CRITICAL: 4) ┌────────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ ├────────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ github.com/hashicorp/go-getter │ CVE-2024-3817 │ CRITICAL │ fixed │ v1.7.0 │ 1.7.4 │ HashiCorp\u2019s go-getter library is vulnerable to argument │ │ │ │ │ │ │ │ injection ... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-3817 │ ├────────────────────────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ github.com/moby/buildkit │ CVE-2024-23652 │ │ │ v0.8.3 │ 0.12.5 │ moby/buildkit: possible host system access from mount stub │ │ │ │ │ │ │ │ cleaner │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-23652 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ │ │ CVE-2024-23653 │ │ │ │ │ moby/buildkit: Buildkit's interactive containers API does │ │ │ │ │ │ │ │ not validate entitlements check │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-23653 │ ├────────────────────────────────┼────────────────┤ ├──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ gopkg.in/src-d/go-git.v4 │ CVE-2023-49569 │ │ affected │ v4.13.1 │ │ go-git: Maliciously crafted Git server replies can lead to │ │ │ │ │ │ │ │ path traversal and... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-49569 │ └────────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘ ``
currently working on this issue to resolve the vulnerability, will merge PR soon.
These are resolved in latest version of terrascan v1.19.9. Please check.
Description
The github.com/hashicorp/go-getter package v1.7.0 has a CRITICAL vulnerability (CVE-2024-3817) and should be updated to v1.7.4.
What I Did
Output: