
Investigate CVEs on UDS CLI #898

Open
3 tasks
koesbong opened this issue Sep 4, 2024 · 2 comments

Comments

@koesbong

koesbong commented Sep 4, 2024

Describe what should be investigated or refactored

Please look at the list of CVEs below and identify how we can resolve them.

Additional context

```text
➜  uds-cli git:(main) grype .
 ✔ Vulnerability DB                [updated]
 ✔ Indexed file system                                                                                                                                    .
 ✔ Cataloged contents                                                                      cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
   ├── ✔ Packages                        [1,075 packages]
   └── ✔ Executables                     [1 executables]
 ✔ Scanned for vulnerabilities     [29 vulnerability matches]
   ├── by severity: 4 critical, 5 high, 16 medium, 0 low, 0 negligible (4 unknown)
   └── by status:   16 fixed, 13 not-fixed, 0 ignored
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME                                              INSTALLED             FIXED-IN  TYPE       VULNERABILITY        SEVERITY
github.com/Azure/azure-sdk-for-go/sdk/azidentity  v1.5.1                1.6.0     go-module  GHSA-m5vv-6r4h-3vj9  Medium
github.com/docker/docker                          v24.0.7+incompatible  25.0.6    go-module  GHSA-v23v-6jw2-98fq  Critical
github.com/docker/docker                          v24.0.7+incompatible  24.0.9    go-module  GHSA-xw73-rw38-6vjc  Medium
github.com/docker/docker                          v24.0.9+incompatible  25.0.6    go-module  GHSA-v23v-6jw2-98fq  Critical
github.com/go-jose/go-jose/v3                     v3.0.1                3.0.3     go-module  GHSA-c5q2-7r4c-mv6g  Medium
github.com/hashicorp/go-getter                    v1.7.3                1.7.4     go-module  GHSA-q64h-39hv-4cf7  Critical
github.com/hashicorp/go-getter                    v1.7.3                1.7.5     go-module  GHSA-xfhp-jf8p-mh5w  High
github.com/hashicorp/go-retryablehttp             v0.7.5                0.7.7     go-module  GHSA-v6v8-xj6m-xwqh  Medium
github.com/mholt/archiver/v3                      v3.5.1                          go-module  GHSA-rhh4-rh7c-7r5v  Medium
github.com/sigstore/cosign/v2                     v2.2.3                2.2.4     go-module  GHSA-95pr-fxf5-86gv  Medium
github.com/sigstore/cosign/v2                     v2.2.3                2.2.4     go-module  GHSA-88jx-383q-w4qc  Medium
golang.org/x/net                                  v0.21.0               0.23.0    go-module  GHSA-4v7x-pqxf-cx7m  Medium
google.golang.org/protobuf                        v1.32.0               1.33.0    go-module  GHSA-8r3f-844c-mc37  Medium
gopkg.in/go-jose/go-jose.v2                       v2.6.1                2.6.3     go-module  GHSA-c5q2-7r4c-mv6g  Medium
helm.sh/helm/v3                                   v3.14.1               3.14.2    go-module  GHSA-r53h-jv2g-vpx6  High
helm.sh/helm/v3                                   v3.14.1                         go-module  GHSA-jw44-4f3j-q396  Medium
stdlib                                            go1.21.6                        go-module  CVE-2024-24790       Critical
stdlib                                            go1.21.6                        go-module  CVE-2024-24791       High
stdlib                                            go1.21.6                        go-module  CVE-2024-24784       High
stdlib                                            go1.21.6                        go-module  CVE-2023-45288       High
stdlib                                            go1.21.6                        go-module  CVE-2024-24789       Medium
stdlib                                            go1.21.6                        go-module  CVE-2024-24787       Medium
stdlib                                            go1.21.6                        go-module  CVE-2024-24785       Unknown
stdlib                                            go1.21.6                        go-module  CVE-2024-24783       Unknown
stdlib                                            go1.21.6                        go-module  CVE-2023-45290       Unknown
stdlib                                            go1.21.6                        go-module  CVE-2023-45289       Unknown
A newer version of grype is available for download: 0.80.0 (installed version is 0.79.3)
```

Tasks

@decleaver decleaver self-assigned this Sep 4, 2024
@decleaver
Collaborator

So running locally, with the latest version of grype and with the latest code from uds-cli, I am getting:
[image]
The critical docker finding is getting pulled in from github.com/defenseunicorns/pkg/oci@v1.0.1 which they have a PR out for: defenseunicorns/pkg#116

@UncleGedd
Collaborator

@decleaver any issue with the dependency-scan CI job? What do you think of swapping to grype? Noting in the pkg repo they use syft and grype
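
As an added example (not code from the uds-cli or defenseunicorns/pkg repositories), here is a small Python triage helper for the kind of report shown above. It reads grype's JSON output (`grype dir:. -o json`), works out the single version each module would have to be bumped to in order to clear all of its fixable findings (for `github.com/docker/docker` that is 25.0.6, not the 24.0.9 listed for the medium finding), and implements a CI gate that fails only on fixable findings at or above a chosen severity, so the not-fixed stdlib entries, which need a Go toolchain upgrade rather than a go.mod change, are reported but do not block the build unless you ask for that. The sample report is constructed from the table in the issue; the JSON field layout (`matches[].artifact`, `matches[].vulnerability.fix`) is grype's, and the function and constant names are my own.

```python
"""Triage a grype JSON report: per-module minimum bump plus a CI severity gate.

Usage in a pipeline (assumed invocation, not the project's own CI):
    grype dir:. -o json | python grype_triage.py
"""
import json
import re
import sys
from collections import defaultdict

# grype's severity labels, ranked; "Unknown" is deliberately absent so it never gates.
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def version_key(version):
    """Map '25.0.6', 'v24.0.7+incompatible' or 'go1.21.6' onto a comparable int tuple."""
    core = re.sub(r"^(go|v)", "", version).split("+", 1)[0].split("-", 1)[0]
    return tuple(int(part) if part.isdigit() else 0 for part in core.split("."))


def triage(report):
    """Group matches by module and compute the highest fix version among its findings.

    Returns {module: {"installed": set, "bump_to": str | None, "findings": [(id, severity, fixes)]}}.
    bump_to is None when grype lists no fix for any of the module's findings.
    """
    modules = defaultdict(lambda: {"installed": set(), "bump_to": None, "findings": []})
    for match in report["matches"]:
        artifact, vuln = match["artifact"], match["vulnerability"]
        entry = modules[artifact["name"]]
        entry["installed"].add(artifact["version"])
        fixes = vuln.get("fix", {}).get("versions", [])
        entry["findings"].append((vuln["id"], vuln["severity"], fixes))
        for fix in fixes:
            # Keep the largest fix version so one bump closes every finding on the module.
            if entry["bump_to"] is None or version_key(fix) > version_key(entry["bump_to"]):
                entry["bump_to"] = fix
    return dict(modules)


def gate(report, fail_on="high", fixed_only=True):
    """Return the sorted, de-duplicated vulnerability IDs that should fail the build."""
    threshold = SEVERITY_RANK[fail_on]
    failing = set()
    for match in report["matches"]:
        vuln = match["vulnerability"]
        rank = SEVERITY_RANK.get(vuln["severity"].lower(), -1)  # Unknown -> -1
        fixable = vuln.get("fix", {}).get("state") == "fixed"
        if rank >= threshold and (fixable or not fixed_only):
            failing.add(vuln["id"])
    return sorted(failing)


def _match(name, version, vuln_id, severity, fixes):
    """Build one grype-shaped match record (constructed test data helper)."""
    state = "fixed" if fixes else "not-fixed"
    return {
        "artifact": {"name": name, "version": version, "type": "go-module"},
        "vulnerability": {"id": vuln_id, "severity": severity,
                          "fix": {"versions": fixes, "state": state}},
    }


# Constructed sample: a subset of the rows from the grype table in this issue.
SAMPLE_REPORT = {"matches": [
    _match("github.com/docker/docker", "v24.0.7+incompatible", "GHSA-v23v-6jw2-98fq", "Critical", ["25.0.6"]),
    _match("github.com/docker/docker", "v24.0.7+incompatible", "GHSA-xw73-rw38-6vjc", "Medium", ["24.0.9"]),
    _match("github.com/docker/docker", "v24.0.9+incompatible", "GHSA-v23v-6jw2-98fq", "Critical", ["25.0.6"]),
    _match("github.com/hashicorp/go-getter", "v1.7.3", "GHSA-q64h-39hv-4cf7", "Critical", ["1.7.4"]),
    _match("github.com/hashicorp/go-getter", "v1.7.3", "GHSA-xfhp-jf8p-mh5w", "High", ["1.7.5"]),
    _match("github.com/mholt/archiver/v3", "v3.5.1", "GHSA-rhh4-rh7c-7r5v", "Medium", []),
    _match("stdlib", "go1.21.6", "CVE-2024-24790", "Critical", []),
    _match("stdlib", "go1.21.6", "CVE-2024-24785", "Unknown", []),
]}


if __name__ == "__main__":
    report = json.load(sys.stdin)
    for name, entry in sorted(triage(report).items()):
        target = entry["bump_to"] or "no fix listed (toolchain/upstream issue)"
        ids = ", ".join(vuln_id for vuln_id, _, _ in entry["findings"])
        print(f"{name}: {', '.join(sorted(entry['installed']))} -> {target}  [{ids}]")
    blocking = gate(report, fail_on="high")
    if blocking:
        print(f"FAIL: fixable findings at or above high: {', '.join(blocking)}")
        sys.exit(1)
```

For a finding that is only reachable transitively, as decleaver describes for the docker module via `github.com/defenseunicorns/pkg/oci`, `go mod why -m github.com/docker/docker` in the uds-cli checkout prints the import chain that pulls it in, which tells you whether a direct `go get` bump suffices or the upstream module must be updated first. The stdlib rows have no fix version in the table because the remedy is the Go toolchain used to build, not a module dependency.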

3 participants