
Fix crypto libraries vulnerabilities #644


Merged: 1 commit, Dec 21, 2023

Conversation

@EppO (Contributor) commented Oct 18, 2022

Description of your changes

This change upgrades the Alpine base image used by terraform-docs from 3.18.2 to 3.19.0 and the Go crypto library that has vulnerabilities.

Vulnerability Report before the changes:

terraform-docs:vuln (alpine 3.18.5)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/local/bin/terraform-docs (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                          │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2023-48795 │ MEDIUM   │ fixed  │ v0.16.0           │ 0.17.0        │ ssh: Prefix truncation attack on Binary Packet Protocol │
│                     │                │          │        │                   │               │ (BPP)                                                   │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-48795              │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘


How has this code been tested

Vulnerability Report after the changes:

terraform-docs:trivy (alpine 3.19.0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
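As an added example (not code from this PR, from terraform-docs or from Trivy), the Go program below reproduces, with the standard library alone, the gobinary check behind the table above. Every Go binary embeds its module graph (`go version -m /usr/local/bin/terraform-docs` prints it, and Trivy reads it straight out of the executable), and each dependency's version is compared with the first fixed version in an advisory table. The single table row (golang.org/x/crypto, CVE-2023-48795, fixed in 0.17.0) is taken from the Trivy report; the constructed sample tables, their placeholder module sums and the function names (`versionKey`, `CheckBuildInfo`, `CheckBuildInfoText`) are assumptions made for illustration. It goes slightly beyond the report by handling a `replace` directive and a pseudo-version, the two cases where a naive string comparison of versions gives the wrong answer.

```go
// Added example (not terraform-docs or Trivy code): reproduce the gobinary
// check from the report above with the Go standard library alone. A Go binary
// embeds its module graph; Trivy reads that table out of the executable and
// compares each dependency's version with its advisory database.
package main

import (
	"fmt"
	"log"
	"runtime/debug"
	"strconv"
	"strings"
)

// Hand-written advisory table: module path -> (ID, first fixed version). The
// only row is the one Trivy reported above; a real scanner takes this from the
// Go vulnerability database (govulncheck) or Trivy's DB.
type Advisory struct{ ID, Fixed string }
var advisories = map[string][]Advisory{
	"golang.org/x/crypto": {{ID: "CVE-2023-48795", Fixed: "v0.17.0"}},
}

// Finding is a linked module whose effective version predates the fix.
type Finding struct{ Module, Version, ID, Fixed string }

// versionKey maps "v0.16.0", "0.17.0", "v2.0.0+incompatible" or a pseudo-version
// like "v0.17.0-0.20231201000000-abcdef123456" to a sortable key: major, minor,
// patch, then 1 for a release and 0 for a pre-release (a pseudo-version names a
// commit that predates the tag it is derived from, so it must sort lower).
func versionKey(v string) (key [4]int, err error) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // build metadata never orders
	core, _, pre := strings.Cut(v, "-")
	if !pre {
		key[3] = 1
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return key, fmt.Errorf("unsupported version %q", v)
	}
	for i, p := range parts {
		if key[i], err = strconv.Atoi(p); err != nil {
			return key, fmt.Errorf("unsupported version %q: %w", v, err)
		}
	}
	return key, nil
}

func olderThan(a, b [4]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// CheckBuildInfo walks the embedded dependency list of one binary.
func CheckBuildInfo(bi *debug.BuildInfo) ([]Finding, error) {
	var findings []Finding
	for _, dep := range bi.Deps {
		if dep.Replace != nil { // a replace directive changes what was actually linked
			dep = dep.Replace
		}
		for _, adv := range advisories[dep.Path] {
			have, err := versionKey(dep.Version)
			fixed, err2 := versionKey(adv.Fixed)
			if err != nil || err2 != nil {
				return nil, fmt.Errorf("%s: %v %v", dep.Path, err, err2)
			}
			if olderThan(have, fixed) {
				findings = append(findings, Finding{dep.Path, dep.Version, adv.ID, adv.Fixed})
			}
		}
	}
	return findings, nil
}

// CheckBuildInfoText takes the table in the text form that `go version -m` prints.
func CheckBuildInfoText(text string) ([]Finding, error) {
	bi, err := debug.ParseBuildInfo(text)
	if err != nil {
		return nil, err
	}
	return CheckBuildInfo(bi)
}

// Constructed sample of a binary built before the PR (h1: sums are placeholders);
// sampleAfter is the same binary after `go get golang.org/x/crypto@v0.17.0`.
const sampleBefore = "path\tgithub.com/terraform-docs/terraform-docs\n" +
	"mod\tgithub.com/terraform-docs/terraform-docs\t(devel)\n" +
	"dep\tgolang.org/x/crypto\tv0.16.0\th1:placeholder=\n" +
	"dep\tgolang.org/x/text\tv0.14.0\th1:placeholder=\n"
var sampleAfter = strings.Replace(sampleBefore, "v0.16.0", "v0.17.0", 1)

func main() {
	for _, text := range []string{sampleBefore, sampleAfter} {
		findings, err := CheckBuildInfoText(text)
		if err != nil {
			log.Fatal(err)
		}
		for _, f := range findings {
			fmt.Printf("%s %s: %s (fixed in %s)\n", f.Module, f.Version, f.ID, f.Fixed)
		}
		fmt.Printf("Total: %d\n", len(findings))
	}
}
```

To run the same check against the binary in the image, `debug/buildinfo.ReadFile(path)` returns the `*debug.BuildInfo` that `CheckBuildInfo` takes. Like Trivy's gobinary scanner this is a version-range match: it reports x/crypto v0.16.0 whether or not the binary ever calls into `golang.org/x/crypto/ssh`, which is what CVE-2023-48795 is about; govulncheck goes further and, on a binary, reports only vulnerabilities whose affected symbols are actually present.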

@khos2ow (Member) commented Dec 18, 2023

Thank you @EppO. Some of these have been upgraded as part of #695, #727 and also the ongoing #673. Do you mind rebasing your PR and checking if it's still needed?

@EppO (Contributor, Author) commented Dec 21, 2023

2023-12-21T11:23:53.692-0500    INFO    Vulnerability scanning is enabled
2023-12-21T11:23:53.692-0500    INFO    Secret scanning is enabled
2023-12-21T11:23:53.692-0500    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-21T11:23:53.692-0500    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2023-12-21T11:23:55.367-0500    INFO    Detected OS: alpine
2023-12-21T11:23:55.367-0500    WARN    This OS version is not on the EOL list: alpine 3.19
2023-12-21T11:23:55.367-0500    INFO    Detecting Alpine vulnerabilities...
2023-12-21T11:23:55.373-0500    INFO    Number of language-specific files: 1
2023-12-21T11:23:55.373-0500    INFO    Detecting gobinary vulnerabilities...

terraform-docs:trivy (alpine 3.19.0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

@EppO EppO changed the title from "Fix golang net and text libraries vulnerabilities" to "Fix crypto libraries vulnerabilities" Dec 21, 2023
Signed-off-by: Florent Monbillard <f.monbillard@gmail.com>
@khos2ow khos2ow added the label dependencies (Pull requests that update a dependency file) Dec 21, 2023
@khos2ow khos2ow merged commit 7843ec2 into terraform-docs:master Dec 21, 2023
@EppO EppO deleted the net-text-vulns branch December 21, 2023 18:53