loeffel-io / ls-lint

An extremely fast directory and filename linter - Bring some structure to your project filesystem

Home Page: https://ls-lint.org


CVE-2023-24538

Lucas-C opened this issue · comments

Hi!

We use your package in our enterprise,
and our tooling (specifically Jfrog Artifactory XRay)
is reporting a security issue with @ls-lint/ls-lint related to CVE-2023-24538

10:41:26  Security Violations
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | SEVERITY | DIRECT           | DIRECT     | IMPACTED             | IMPACTED   | FIXED     | TYPE | CVE            |
10:41:26  |          | DEPENDENCY       | DEPENDENCY | DEPENDENCY           | DEPENDENCY | VERSIONS  |      |                |
10:41:26  |          |                  | VERSION    | NAME                 | VERSION    |           |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | Critical | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.19.8]  | Go   | CVE-2023-24538 |
10:41:26  |          |                  |            |                      |            | [1.20.3]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.12] | Go   | CVE-2022-28131 |
10:41:26  |          |                  |            |                      |            | [1.18.4]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.12] | Go   | CVE-2022-30630 |
10:41:26  |          |                  |            |                      |            | [1.18.4]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.19.8]  | Go   | CVE-2023-24536 |
10:41:26  |          |                  |            |                      |            | [1.20.3]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.12] | Go   | CVE-2022-30631 |
10:41:26  |          |                  |            |                      |            | [1.18.4]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.12] | Go   | CVE-2022-30635 |
10:41:26  |          |                  |            |                      |            | [1.18.4]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.12] | Go   | CVE-2022-30632 |
10:41:26  |          |                  |            |                      |            | [1.18.4]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.18.9]  | Go   | CVE-2022-41720 |
10:41:26  |          |                  |            |                      |            | [1.19.4]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.19.6]  | Go   | CVE-2022-41725 |
10:41:26  |          |                  |            |                      |            | [1.20.1]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.12] | Go   | CVE-2022-30633 |
10:41:26  |          |                  |            |                      |            | [1.18.4]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.18.7]  | Go   | CVE-2022-41715 |
10:41:26  |          |                  |            |                      |            | [1.19.2]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.13] | Go   | CVE-2022-32189 |
10:41:26  |          |                  |            |                      |            | [1.18.5]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.19.8]  | Go   | CVE-2023-24537 |
10:41:26  |          |                  |            |                      |            | [1.20.3]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.11] | Go   | CVE-2022-30580 |
10:41:26  |          |                  |            |                      |            | [1.18.3]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.18.7]  | Go   | CVE-2022-2879  |
10:41:26  |          |                  |            |                      |            | [1.19.2]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.11] | Go   | CVE-2022-30634 |
10:41:26  |          |                  |            |                      |            | [1.18.3]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.18.8]  | Go   | CVE-2022-41716 |
10:41:26  |          |                  |            |                      |            | [1.19.3]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.18.7]  | Go   | CVE-2022-2880  |
10:41:26  |          |                  |            |                      |            | [1.19.2]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.19.6]  | Go   | CVE-2022-41722 |
10:41:26  |          |                  |            |                      |            | [1.20.1]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.19.8]  | Go   | CVE-2023-24534 |
10:41:26  |          |                  |            |                      |            | [1.20.3]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.19.6]  | Go   | CVE-2022-41724 |
10:41:26  |          |                  |            |                      |            | [1.20.1]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+
10:41:26  | High     | @ls-lint/ls-lint | 1.11.2     | github.com/golang/go | 1.18.2     | [1.17.11] | Go   | CVE-2022-29804 |
10:41:26  |          |                  |            |                      |            | [1.18.3]  |      |                |
10:41:26  +----------+------------------+------------+----------------------+------------+-----------+------+----------------+

It appears that you use a static / fixed version of Go 1.18 in https://github.com/loeffel-io/ls-lint/blob/master/go.mod

Would it be possible to upgrade this version and perform a new release of @ls-lint/ls-lint please? 😊

Hey @Lucas-C,

I am already working on v2 on the https://github.com/loeffel-io/ls-lint/tree/feature/loeffel-io/v2 branch since our Drone CI is no longer working.

v2 will be based on Bazel and GitHub Actions; the Go version can then be configured explicitly.

There is no ETA for v2 at the moment.

ref: #36

OK, thank you for your feedback @loeffel-io

Splendid, thank you @loeffel-io 👍

We will test it asap