Bump version of golang.org/x/sys to 0.0.0-20220412211240-33da011f77ad
gedeiswara opened this issue · comments
Need to bump the version of the golang.org/x/sys library to 0.0.0-20220412211240-33da011f77ad due to this CVE.
Detected by Trivy scanner earlier today.
```text
├──────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼───────────────────────────────────────────────┤
│ golang.org/x/sys │ CVE-2022-29526 │ MEDIUM   │ v0.0.0-20220408201424-a24fb2fb8a0f │ 0.0.0-20220412211240-33da011f77ad │ golang: syscall: faccessat checks wrong group │
│                  │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-29526    │
```
There are a couple more discovered recently: CVE-2022-30580, CVE-2022-32189, CVE-2022-30635, CVE-2022-30633, CVE-2022-30632, CVE-2022-30631, CVE-2022-30630, CVE-2022-28131, CVE-2022-32148, CVE-2022-1705, and CVE-2022-1962. All are fixed in Go versions 1.17.13 and 1.18.5. @ahmetb could you please run the release pipeline?
@ahmetb friendly ping
Quite honestly, none of these tool-discovered security vulnerabilities are exploitable in a setting where you are running the probe on your container's loopback interface, against trusted server code that you own.
I am not going to be able to rebuild this project every week because Go open source has a security bug that doesn't impact this repo. If this bothers you a lot, I highly recommend you move off of this tool to use the new Kubernetes feature that replaces this tool (see README).
I just released v0.4.12 with updated Go version and Go library dependencies.
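The bump requested above is a pseudo-version change, and Trivy decides "fixed" by comparing the timestamp embedded in the pseudo-version. The following Go program is an added example, not code from this project or from Trivy: it reads a constructed go.mod excerpt (assumed, not the project's real go.mod), finds the `golang.org/x/sys` requirement, and reports whether it is at or after the fixed version Trivy listed, printing the `go get` command that would bump it. The `pseudoRe`, `requiredVersion`, `atLeast` and `checkGoMod` names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// fixedXSys is the "Fixed Version" Trivy reported for CVE-2022-29526.
const fixedXSys = "v0.0.0-20220412211240-33da011f77ad"

// sampleGoMod is a constructed go.mod excerpt for this example; it is not the
// project's real go.mod. The golang.org/x/sys version is the one Trivy flagged.
const sampleGoMod = `module example.com/probe

go 1.17

require (
	google.golang.org/grpc v1.45.0
	golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f // indirect
)
`

// pseudoRe captures the 14-digit UTC commit timestamp of a Go pseudo-version
// such as v0.0.0-20220412211240-33da011f77ad (the last field is the commit hash).
var pseudoRe = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:.*\.)?(\d{14})-[0-9a-f]{12}$`)

// requiredVersion returns the version go.mod requires for module, handling both
// single-line "require m v" directives and require ( ... ) blocks. Trailing
// "// indirect" comments are stripped before parsing.
func requiredVersion(goMod, module string) (string, bool) {
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		line := raw
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		switch {
		case len(fields) == 0:
			continue
		case fields[0] == "require" && len(fields) == 2 && fields[1] == "(":
			inBlock = true
			continue
		case inBlock && fields[0] == ")":
			inBlock = false
			continue
		case fields[0] == "require" && len(fields) == 3:
			fields = fields[1:]
		case !inBlock:
			continue
		}
		if len(fields) >= 2 && fields[0] == module {
			return fields[1], true
		}
	}
	return "", false
}

// pseudoTimestamp extracts the commit timestamp from a pseudo-version.
func pseudoTimestamp(v string) (string, bool) {
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// atLeast reports whether pseudo-version have is at or after pseudo-version want.
// Both must be pseudo-versions with the same base (e.g. v0.0.0-). Tagged
// releases such as v0.1.0 need a real semver comparison, so this helper
// refuses them instead of guessing.
func atLeast(have, want string) (bool, error) {
	ht, ok1 := pseudoTimestamp(have)
	wt, ok2 := pseudoTimestamp(want)
	if !ok1 || !ok2 {
		return false, errors.New("not both pseudo-versions; use a semver comparison")
	}
	if strings.SplitN(have, "-", 2)[0] != strings.SplitN(want, "-", 2)[0] {
		return false, errors.New("different base versions; use a semver comparison")
	}
	return ht >= wt, nil
}

// checkGoMod returns whether go.mod already pins module at or after fixed,
// together with the version it currently requires.
func checkGoMod(goMod, module, fixed string) (bool, string, error) {
	have, ok := requiredVersion(goMod, module)
	if !ok {
		return false, "", fmt.Errorf("%s not required by go.mod", module)
	}
	good, err := atLeast(have, fixed)
	return good, have, err
}

func main() {
	good, have, err := checkGoMod(sampleGoMod, "golang.org/x/sys", fixedXSys)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if good {
		fmt.Printf("golang.org/x/sys %s is already at or after %s\n", have, fixedXSys)
		return
	}
	fmt.Printf("golang.org/x/sys %s predates %s; run:\n", have, fixedXSys)
	fmt.Printf("  go get golang.org/x/sys@%s && go mod tidy\n", fixedXSys)
}
```

For the constructed go.mod this prints the `go get golang.org/x/sys@v0.0.0-20220412211240-33da011f77ad && go mod tidy` command. Scanners like Trivy match on version metadata alone, which is why they flag every CVE in a dependency regardless of whether the affected function is ever called; `govulncheck` (golang.org/x/vuln/cmd/govulncheck) instead reports only vulnerabilities whose affected functions are reachable from your code, which is the distinction the maintainer draws above.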