
Update dependencies #85

Merged
merged 11 commits into from
Feb 19, 2025

Conversation

matheusfm
Contributor

Description

This PR bumps some dependency versions and updates the vulnerability report from this:

trivy image --scanners vuln ghcr.io/undistro/marvin:v0.2.7
2025-02-19T16:18:22-03:00	INFO	[vuln] Vulnerability scanning is enabled
2025-02-19T16:18:24-03:00	INFO	Detected OS	family="alpine" version="3.20.3"
2025-02-19T16:18:24-03:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.20" repository="3.20" pkg_num=14
2025-02-19T16:18:24-03:00	INFO	Number of language-specific files	num=1
2025-02-19T16:18:24-03:00	INFO	[gobinary] Detecting vulnerabilities...
2025-02-19T16:18:24-03:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.58/docs/scanner/vulnerability#severity-selection for details.

ghcr.io/undistro/marvin:v0.2.7 (alpine 3.20.3)

Total: 6 (UNKNOWN: 2, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2024-12797 │ HIGH     │ fixed  │ 3.3.2-r1          │ 3.3.3-r0      │ openssl: RFC7250 handshakes with unauthenticated servers    │
│            │                │          │        │                   │               │ don't abort as expected                                     │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-12797                  │
│            ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│            │ CVE-2024-13176 │ MEDIUM   │        │                   │ 3.3.2-r2      │ openssl: Timing side-channel in ECDSA signature computation │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                  │
├────────────┼────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl3    │ CVE-2024-12797 │ HIGH     │        │                   │ 3.3.3-r0      │ openssl: RFC7250 handshakes with unauthenticated servers    │
│            │                │          │        │                   │               │ don't abort as expected                                     │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-12797                  │
│            ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│            │ CVE-2024-13176 │ MEDIUM   │        │                   │ 3.3.2-r2      │ openssl: Timing side-channel in ECDSA signature computation │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                  │
├────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ musl       │ CVE-2025-26519 │ UNKNOWN  │        │ 1.2.5-r0          │ 1.2.5-r1      │ musl libc 0.9.13 through 1.2.5 before 1.2.6 has an          │
│            │                │          │        │                   │               │ out-of-bounds write ......                                  │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-26519                  │
├────────────┤                │          │        │                   │               │                                                             │
│ musl-utils │                │          │        │                   │               │                                                             │
│            │                │          │        │                   │               │                                                             │
│            │                │          │        │                   │               │                                                             │
└────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

marvin (gobinary)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.23.0           │ 0.33.0                       │ golang.org/x/net/html: Non-linear parsing of                 │
│                  │                │          │        │                   │                              │ case-insensitive content in golang.org/x/net/html            │
│                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45338                   │
├──────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib           │ CVE-2024-45336 │ MEDIUM   │        │ v1.22.8           │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly    │
│                  │                │          │        │                   │                              │ sent after cross-domain redirect                             │
│                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45336                   │
│                  ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│                  │ CVE-2024-45341 │          │        │                   │                              │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│                  │                │          │        │                   │                              │ bypass URI name...                                           │
│                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45341                   │
│                  ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                  │ CVE-2025-22866 │          │        │                   │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│                  │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
│                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

to this:

trivy image --scanners vuln ghcr.io/undistro/marvin:test
2025-02-19T16:41:34-03:00	INFO	[vuln] Vulnerability scanning is enabled
2025-02-19T16:41:35-03:00	INFO	Detected OS	family="alpine" version="3.21.3"
2025-02-19T16:41:35-03:00	WARN	This OS version is not on the EOL list	family="alpine" version="3.21"
2025-02-19T16:41:35-03:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.21" repository="3.21" pkg_num=15
2025-02-19T16:41:35-03:00	INFO	Number of language-specific files	num=1
2025-02-19T16:41:35-03:00	INFO	[gobinary] Detecting vulnerabilities...

ghcr.io/undistro/marvin:test (alpine 3.21.3)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Linked Issues

How has this been tested?

  • TAG=test make docker-build
  • trivy image --scanners vuln ghcr.io/undistro/marvin:test
  • kind create cluster; go run main.go scan

Checklist

  • I have labeled this PR with the relevant Type labels
  • I have documented my code (if applicable)
  • My changes are covered by tests
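The "before" and "after" scans above are read by eye; in CI the same comparison is usually automated by having trivy emit JSON (`trivy image --scanners vuln --format json -o report.json <image>`) and failing the job when fixable findings remain. The script below is an added example for this thread, not code from this PR or from the marvin project. The two embedded reports are constructed to mirror the tables quoted above (field names follow trivy's JSON output as I know it, trimmed to the fields used here), and the `gate` function reproduces what `trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed` decides, with one extra knob: the musl CVE above has severity UNKNOWN, which a HIGH/CRITICAL-only gate would wave through even though a fix is available, so `fail_on` can include UNKNOWN.

```python
"""Gate a CI job on a trivy JSON vulnerability report.

Illustrative code added alongside the PR discussion, not part of the marvin
project. Produce a real report with:
    trivy image --scanners vuln --format json -o report.json <image>
"""
import json
from collections import Counter

# Severity levels in trivy's order. UNKNOWN means "no score assigned yet",
# which is not the same thing as "harmless".
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def _vuln(vid, pkg, installed, fixed, severity):
    # Minimal finding record using trivy's JSON field names (assumed schema).
    return {"VulnerabilityID": vid, "PkgName": pkg, "InstalledVersion": installed,
            "FixedVersion": fixed, "Status": "fixed" if fixed else "affected",
            "Severity": severity}


# Constructed sample modelled on the pre-update scan quoted in the PR.
# Real trivy output carries many more fields; only those consumed below are kept.
BEFORE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "ghcr.io/undistro/marvin:v0.2.7",
    "Results": [
        {"Target": "ghcr.io/undistro/marvin:v0.2.7 (alpine 3.20.3)", "Type": "alpine",
         "Vulnerabilities": [
             _vuln("CVE-2024-12797", "libcrypto3", "3.3.2-r1", "3.3.3-r0", "HIGH"),
             _vuln("CVE-2024-13176", "libcrypto3", "3.3.2-r1", "3.3.2-r2", "MEDIUM"),
             _vuln("CVE-2024-12797", "libssl3", "3.3.2-r1", "3.3.3-r0", "HIGH"),
             _vuln("CVE-2024-13176", "libssl3", "3.3.2-r1", "3.3.2-r2", "MEDIUM"),
             _vuln("CVE-2025-26519", "musl", "1.2.5-r0", "1.2.5-r1", "UNKNOWN"),
             _vuln("CVE-2025-26519", "musl-utils", "1.2.5-r0", "1.2.5-r1", "UNKNOWN"),
         ]},
        {"Target": "marvin", "Type": "gobinary",
         "Vulnerabilities": [
             _vuln("CVE-2024-45338", "golang.org/x/net", "v0.23.0", "0.33.0", "HIGH"),
             _vuln("CVE-2024-45336", "stdlib", "v1.22.8", "1.22.11, 1.23.5, 1.24.0-rc.2", "MEDIUM"),
             _vuln("CVE-2024-45341", "stdlib", "v1.22.8", "1.22.11, 1.23.5, 1.24.0-rc.2", "MEDIUM"),
             _vuln("CVE-2025-22866", "stdlib", "v1.22.8", "1.22.12, 1.23.6, 1.24.0-rc.3", "MEDIUM"),
         ]},
    ],
}

# Constructed sample for the post-update image. trivy omits "Vulnerabilities"
# from a result with no findings, so the parser must tolerate the missing key.
AFTER_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "ghcr.io/undistro/marvin:test",
    "Results": [
        {"Target": "ghcr.io/undistro/marvin:test (alpine 3.21.3)", "Type": "alpine"},
        {"Target": "marvin", "Type": "gobinary"},
    ],
}


def findings(report):
    """Yield (target, finding) for every vulnerability in every result."""
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            yield result["Target"], v


def summarize(report):
    """Per-target severity counts: the numbers behind trivy's 'Total:' line."""
    counts = {}
    for target, v in findings(report):
        counts.setdefault(target, Counter())[v["Severity"]] += 1
    return counts


def format_total(counter):
    """Render a counter in the same shape as trivy's table summary line."""
    parts = ", ".join(f"{s}: {counter.get(s, 0)}" for s in SEVERITIES)
    return f"Total: {sum(counter.values())} ({parts})"


def gate(report, fail_on=("HIGH", "CRITICAL"), ignore_unfixed=True):
    """Return the findings that should fail the build.

    Mirrors `trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed`:
    only the listed severities count, and with ignore_unfixed a finding that has
    no FixedVersion is left for a later bump instead of blocking the merge.
    """
    blocking = []
    for target, v in findings(report):
        if v["Severity"] not in fail_on:
            continue
        if ignore_unfixed and not v.get("FixedVersion"):
            continue
        blocking.append((target, v["PkgName"], v["VulnerabilityID"], v["Severity"]))
    return blocking


if __name__ == "__main__":
    import sys
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else BEFORE_REPORT
    for target, counter in summarize(report).items():
        print(f"{target}\n{format_total(counter)}\n")
    blocking = gate(report, fail_on=("UNKNOWN", "HIGH", "CRITICAL"))
    for row in blocking:
        print("BLOCKING:", *row)
    sys.exit(1 if blocking else 0)
```

Run as `python gate.py report.json` after the `trivy ... --format json` step; with no argument it evaluates the constructed pre-update report, which blocks on three HIGH findings (or five once UNKNOWN is included), while the constructed post-update report passes with nothing to block.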

@matheusfm matheusfm requested a review from knrc February 19, 2025 19:44
@matheusfm matheusfm self-assigned this Feb 19, 2025
@matheusfm matheusfm merged commit 760c0c8 into main Feb 19, 2025
4 checks passed
@matheusfm matheusfm deleted the update-dependencies branch February 19, 2025 19:51
2 participants