Testcontainers for Go is a Go package that makes it simple to create and clean up container-based dependencies for automated integration/smoke tests. The clean, easy-to-use API enables developers to programmatically define containers that should be run as part of a test and clean up those resources when the test is done.
A new vulnerability was found in the crypto dependency, which is used by testcontainers!
I strongly recommend bumping that dependency, as SonarQube and other tools do not let pipelines through!
Relevant log output
Vulnerability #1: GO-2023-1621
The ScalarMult and ScalarBaseMult methods of the P256 Curve may
return an incorrect result if called with some specific
unreduced scalars (a scalar larger than the order of the curve).
This does not impact usages of crypto/ecdsa or crypto/ecdh.
More info: https://pkg.go.dev/vuln/GO-2023-1621
Standard library
Found in: crypto/internal/nistec@go1.20.1
Fixed in: crypto/internal/nistec@go1.20.2
Testcontainers version
0.19.0
Using the latest Testcontainers version?
Yes
Host OS
Linux
Host arch
ARM
Go version
1.20
Docker version
Docker info
Additional information
https://pkg.go.dev/vuln/GO-2023-1621
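The finding above is against crypto/internal/nistec, which is part of the Go standard library ("Standard library" in the govulncheck output), so the remedy is building with go1.20.2 or later rather than editing a go.mod requirement. The following is an added example, not code from this issue or from the testcontainers project: it checks the property the advisory describes, by comparing P-256 ScalarBaseMult/ScalarMult on a 32-byte scalar above the group order N against the same scalar reduced modulo N. The two results must agree mathematically; reducing the scalar before calling the low-level crypto/elliptic API is also the caller-side safeguard for code that uses the curve methods directly (crypto/ecdsa and crypto/ecdh are not affected, as the log says). The sample scalars (N+1, N+5, 2^256-1), the point 7*G and all function names are my own assumptions, not the specific scalars from the advisory.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
	"runtime"
)

// p256ScalarSize is the byte length of a P-256 scalar (and of the group order N).
const p256ScalarSize = 32

// fixedWidthScalar encodes k as a 32-byte big-endian scalar, the width
// crypto/elliptic expects for P-256. It panics if k does not fit, so callers
// must keep k < 2^256 (such a scalar can still be "unreduced", i.e. >= N).
func fixedWidthScalar(k *big.Int) []byte {
	return k.FillBytes(make([]byte, p256ScalarSize))
}

// ReduceScalar returns k mod N. Reducing before calling ScalarMult or
// ScalarBaseMult is the caller-side safeguard for the bug class in
// GO-2023-1621: the curve methods are then never handed a scalar >= N.
func ReduceScalar(k *big.Int) *big.Int {
	return new(big.Int).Mod(k, elliptic.P256().Params().N)
}

// UnreducedScalarAgrees reports whether P-256 scalar multiplication by the
// raw 32-byte scalar k yields the same point as multiplication by k mod N.
// Mathematically the two must agree; a toolchain affected by GO-2023-1621
// could return a wrong point for some k >= N. Both the generator path
// (ScalarBaseMult) and the arbitrary-point path (ScalarMult) are checked.
func UnreducedScalarAgrees(k *big.Int) bool {
	curve := elliptic.P256()
	raw := fixedWidthScalar(k)
	reduced := fixedWidthScalar(ReduceScalar(k))

	// Generator path.
	x1, y1 := curve.ScalarBaseMult(raw)
	x2, y2 := curve.ScalarBaseMult(reduced)
	if x1.Cmp(x2) != 0 || y1.Cmp(y2) != 0 {
		return false
	}

	// Arbitrary-point path: P = 7*G, an arbitrary choice (assumption).
	px, py := curve.ScalarBaseMult(fixedWidthScalar(big.NewInt(7)))
	x3, y3 := curve.ScalarMult(px, py, raw)
	x4, y4 := curve.ScalarMult(px, py, reduced)
	return x3.Cmp(x4) == 0 && y3.Cmp(y4) == 0
}

// UnreducedScalarSamples returns constructed 32-byte scalars above the group
// order N: N+1, N+5 and the largest 32-byte value 2^256-1. None of them
// reduces to zero, so every reduced result is a finite point.
func UnreducedScalarSamples() []*big.Int {
	n := elliptic.P256().Params().N
	maxScalar := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 256), big.NewInt(1))
	return []*big.Int{
		new(big.Int).Add(n, big.NewInt(1)),
		new(big.Int).Add(n, big.NewInt(5)),
		maxScalar,
	}
}

func main() {
	n := elliptic.P256().Params().N
	fmt.Println("toolchain:", runtime.Version())
	for _, k := range UnreducedScalarSamples() {
		fmt.Printf("k = N+%s: agrees=%v\n", new(big.Int).Sub(k, n), UnreducedScalarAgrees(k))
	}
}
```

Run it with the toolchain the pipeline actually builds with (`go run .`); the printed `runtime.Version()` is what govulncheck compares against the "Fixed in" version, and a result of `agrees=false` on any sample would mean the toolchain still has the defect. Equality on these three samples does not prove the absence of the bug for every scalar, since the advisory says only "some specific" unreduced scalars were affected; the authoritative fix is the toolchain version.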