Closed nvuillam closed 4 months ago
trivy finds vulnerabilities in protolint
Would it be possible to upgrade dependencies to their fixed version? I'd love that for MegaLinter :)
Many thanks :)
Job: https://github.com/oxsecurity/megalinter/actions/runs/8862893746/job/24336362772?pr=3518
CVEs:
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| golang.org/x/net | CVE-2021-33194 | HIGH | fixed | v0.0.0-20201021035429-f5854403a974 | 0.0.0-20210520170846-37e1c6afe023 | golang: x/net/html: infinite loop in ParseFragment (https://avd.aquasec.com/nvd/cve-2021-33194) |
| golang.org/x/net | CVE-2022-27664 | HIGH | fixed | v0.0.0-20201021035429-f5854403a974 | 0.0.0-20220906165146-f3363e06e74c | golang: net/http: handle server errors after sending GOAWAY (https://avd.aquasec.com/nvd/cve-2022-27664) |
| golang.org/x/net | CVE-2022-41723 | HIGH | fixed | v0.0.0-20201021035429-f5854403a974 | 0.7.0 | net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (https://avd.aquasec.com/nvd/cve-2022-41723) |
| golang.org/x/net | CVE-2023-39325 | HIGH | fixed | v0.0.0-20201021035429-f5854403a974 | 0.17.0 | golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (https://avd.aquasec.com/nvd/cve-2023-39325) |
| golang.org/x/text | CVE-2021-38561 | HIGH | fixed | v0.3.3 | 0.3.7 | golang: out-of-bounds read in golang.org/x/text/language leads to DoS (https://avd.aquasec.com/nvd/cve-2021-38561) |
| golang.org/x/text | CVE-2022-32149 | HIGH | fixed | v0.3.3 | 0.3.8 | golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags (https://avd.aquasec.com/nvd/cve-2022-32149) |
| google.golang.org/grpc | GHSA-m425-mq94-257g | HIGH | fixed | v1.46.0 | 1.56.3, 1.57.1, 1.58.3 | gRPC-Go HTTP/2 Rapid Reset vulnerability (https://github.com/advisories/GHSA-m425-mq94-257g) |
@nvuillam Thank you for your report! I have updated these vulnerable dependencies to the latest in v0.49.7.
Please confirm it when you have a moment.
@yoheimuta we're all good, no CVE anymore :)
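As an added example, not code from this issue, from protolint or from MegaLinter: a small Go program that takes module versions as they appear in a go.mod require block and reports which of the advisories in the trivy table above still apply. Go pseudo-versions (v0.0.0-&lt;timestamp&gt;-&lt;hash&gt;) and gRPC's three per-branch fixed versions are the two cases where a naive string comparison gives the wrong answer, so the comparison rule handles both. The version parser is a deliberate simplification (full semver compares dot-separated pre-release identifiers, which golang.org/x/mod/semver does properly); the only advisory data it carries is what the table lists, and the function and type names are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Vuln mirrors one row of the trivy table above: module, advisory ID and the
// fixed versions (one per release branch that received a backport).
type Vuln struct {
	Module, ID string
	Fixed      []string
}

// ReportedVulns is the data from the trivy report in this issue.
var ReportedVulns = []Vuln{
	{"golang.org/x/net", "CVE-2021-33194", []string{"0.0.0-20210520170846-37e1c6afe023"}},
	{"golang.org/x/net", "CVE-2022-27664", []string{"0.0.0-20220906165146-f3363e06e74c"}},
	{"golang.org/x/net", "CVE-2022-41723", []string{"0.7.0"}},
	{"golang.org/x/net", "CVE-2023-39325", []string{"0.17.0"}},
	{"golang.org/x/text", "CVE-2021-38561", []string{"0.3.7"}},
	{"golang.org/x/text", "CVE-2022-32149", []string{"0.3.8"}},
	{"google.golang.org/grpc", "GHSA-m425-mq94-257g", []string{"1.56.3", "1.57.1", "1.58.3"}},
}

// version is a minimal semver model: MAJOR.MINOR.PATCH plus the pre-release tail.
// Go pseudo-versions (v0.0.0-<UTC timestamp>-<hash>) start that tail with a
// fixed-width timestamp, so a plain string compare orders them correctly.
type version struct {
	nums [3]int
	pre  string
}

func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 { // split off pre-release / build metadata
		if s[i] == '-' {
			v.pre = s[i+1:]
		}
		s = s[:i]
	}
	if n, err := fmt.Sscanf(s, "%d.%d.%d", &v.nums[0], &v.nums[1], &v.nums[2]); n != 3 {
		return v, fmt.Errorf("unsupported version %q: %v", s, err)
	}
	return v, nil
}

func compareVersions(a, b version) int {
	for i := range a.nums {
		if a.nums[i] != b.nums[i] {
			return a.nums[i] - b.nums[i] // only the sign is used
		}
	}
	if a.pre == "" || b.pre == "" { // a release outranks a pre-release of the same number
		return strings.Compare(b.pre, a.pre)
	}
	return strings.Compare(a.pre, b.pre)
}

// IsFixed reports whether installed carries the fix. A fix on the installed
// MAJOR.MINOR branch (gRPC backported to 1.56, 1.57 and 1.58) decides when one
// exists; otherwise installed must be at or past the newest fixed version.
func IsFixed(installed string, fixed []string) (bool, error) {
	inst, err := parseVersion(installed)
	if err != nil || len(fixed) == 0 { // fail closed on unparsable input or unknown fixes
		return false, fmt.Errorf("cannot evaluate %q against %v: %v", installed, fixed, err)
	}
	var newest version
	for i, f := range fixed {
		fv, err := parseVersion(f)
		if err != nil {
			return false, err
		}
		if inst.nums[0] == fv.nums[0] && inst.nums[1] == fv.nums[1] { // same branch
			return compareVersions(inst, fv) >= 0, nil
		}
		if i == 0 || compareVersions(fv, newest) > 0 {
			newest = fv
		}
	}
	return compareVersions(inst, newest) >= 0, nil
}

// OpenVulns returns the advisory IDs that still apply to the given module
// versions (module path -> version, as in a go.mod require block), in report order.
func OpenVulns(installed map[string]string, vulns []Vuln) ([]string, error) {
	var open []string
	for _, v := range vulns {
		ver, ok := installed[v.Module]
		if !ok {
			continue // module not required, nothing to check
		}
		fixed, err := IsFixed(ver, v.Fixed)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", v.Module, err)
		}
		if !fixed {
			open = append(open, v.ID)
		}
	}
	return open, nil
}
```

Call OpenVulns with the versions from the go.mod being checked: on the three versions trivy reported it returns all seven IDs, and on a go.mod that has moved past every fixed version it returns none. For an actual release gate, govulncheck or a rerun of trivy (as done in this thread) is the authoritative check; this code only makes explicit the comparison rule behind the "Fixed Version" column.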