
Updated go version

Open kalpanathanneeru21 opened this issue 1 year ago • 11 comments

tfsec is showing a couple of CRITICAL and HIGH CVEs in the Orca scan report with the latest version of tfsec. The existing Go version is 1.19; the fixed Go versions are 1.22.4 and 1.22.5.

[2024-07-23T13:25:19.022Z]       "target": "usr/bin/tfsec",
[2024-07-23T13:25:19.022Z]       "category": "lang-pkgs",
[2024-07-23T13:25:19.022Z]       "type": "gobinary",
[2024-07-23T13:25:19.022Z]       "vulnerabilities": [
[2024-07-23T13:25:19.022Z]         {
[2024-07-23T13:25:19.022Z]           "vulnerability_id": "CVE-2024-24790",
[2024-07-23T13:25:19.022Z]           "severity": "CRITICAL",
[2024-07-23T13:25:19.022Z]           "pkg_name": "stdlib",
[2024-07-23T13:25:19.022Z]           "pkg_path": "",
[2024-07-23T13:25:19.022Z]           "installed_version": "1.19.13",
[2024-07-23T13:25:19.022Z]           "fixed_version": "1.21.11, 1.22.4",
[2024-07-23T13:25:19.022Z]           "cvss_v2_score": "",
[2024-07-23T13:25:19.022Z]           "cvss_v3_score": "9.8",
[2024-07-23T13:25:19.022Z]           "status_summary": {
[2024-07-23T13:25:19.022Z]             "priority": "HIGH",
[2024-07-23T13:25:19.022Z]             "status": "FAILED"
[2024-07-23T13:25:19.022Z]           }
[2024-07-23T13:25:19.022Z]         },
[2024-07-23T13:25:19.022Z]         {
[2024-07-23T13:25:19.022Z]           "vulnerability_id": "CVE-2024-6257",
[2024-07-23T13:25:19.022Z]           "severity": "HIGH",
[2024-07-23T13:25:19.022Z]           "pkg_name": "github.com/hashicorp/go-getter",
[2024-07-23T13:25:19.022Z]           "pkg_path": "",
[2024-07-23T13:25:19.022Z]           "installed_version": "v1.7.4",
[2024-07-23T13:25:19.022Z]           "fixed_version": "1.7.5",
[2024-07-23T13:25:19.022Z]           "cvss_v2_score": "",
[2024-07-23T13:25:19.022Z]           "cvss_v3_score": "8.5",
[2024-07-23T13:25:19.022Z]           "status_summary": {
[2024-07-23T13:25:19.022Z]             "priority": "INFO",
[2024-07-23T13:25:19.022Z]             "status": "SKIPPED",
[2024-07-23T13:25:19.022Z]             "exception": {
[2024-07-23T13:25:19.022Z]               "expiration": "2024/07/28"
[2024-07-23T13:25:19.022Z]             }
[2024-07-23T13:25:19.022Z]           }
[2024-07-23T13:25:19.022Z]         },
[2024-07-23T13:25:19.022Z]         {
[2024-07-23T13:25:19.022Z]           "vulnerability_id": "CVE-2023-39325",
[2024-07-23T13:25:19.022Z]           "severity": "HIGH",
[2024-07-23T13:25:19.022Z]           "pkg_name": "stdlib",
[2024-07-23T13:25:19.022Z]           "pkg_path": "",
[2024-07-23T13:25:19.022Z]           "installed_version": "1.19.13",
[2024-07-23T13:25:19.022Z]           "fixed_version": "1.20.10, 1.21.3",
[2024-07-23T13:25:19.022Z]           "cvss_v2_score": "",
[2024-07-23T13:25:19.022Z]           "cvss_v3_score": "7.5",
[2024-07-23T13:25:19.022Z]           "status_summary": {
[2024-07-23T13:25:19.022Z]             "priority": "HIGH",
[2024-07-23T13:25:19.022Z]             "status": "FAILED"
[2024-07-23T13:25:19.022Z]           }
[2024-07-23T13:25:19.022Z]         },
[2024-07-23T13:25:19.022Z]         {
[2024-07-23T13:25:19.022Z]           "vulnerability_id": "CVE-2023-45283",
[2024-07-23T13:25:19.022Z]           "severity": "HIGH",
[2024-07-23T13:25:19.022Z]           "pkg_name": "stdlib",
[2024-07-23T13:25:19.022Z]           "pkg_path": "",
[2024-07-23T13:25:19.022Z]           "installed_version": "1.19.13",
[2024-07-23T13:25:19.022Z]           "fixed_version": "1.20.11, 1.21.4, 1.20.12, 1.21.5",
[2024-07-23T13:25:19.022Z]           "cvss_v2_score": "",
[2024-07-23T13:25:19.022Z]           "cvss_v3_score": "7.5",
[2024-07-23T13:25:19.022Z]           "status_summary": {
[2024-07-23T13:25:19.022Z]             "priority": "HIGH",
[2024-07-23T13:25:19.022Z]             "status": "FAILED"
[2024-07-23T13:25:19.022Z]           }
[2024-07-23T13:25:19.022Z]         },
[2024-07-23T13:25:19.022Z]         {
[2024-07-23T13:25:19.022Z]           "vulnerability_id": "CVE-2023-45287",
[2024-07-23T13:25:19.022Z]           "severity": "HIGH",
[2024-07-23T13:25:19.022Z]           "pkg_name": "stdlib",
[2024-07-23T13:25:19.022Z]           "pkg_path": "",
[2024-07-23T13:25:19.022Z]           "installed_version": "1.19.13",
[2024-07-23T13:25:19.022Z]           "fixed_version": "1.20.0",
[2024-07-23T13:25:19.022Z]           "cvss_v2_score": "",
[2024-07-23T13:25:19.022Z]           "cvss_v3_score": "7.5",
[2024-07-23T13:25:19.022Z]           "status_summary": {
[2024-07-23T13:25:19.022Z]             "priority": "HIGH",
[2024-07-23T13:25:19.022Z]             "status": "FAILED"
[2024-07-23T13:25:19.022Z]           }
[2024-07-23T13:25:19.022Z]         },
[2024-07-23T13:25:19.022Z]         {
[2024-07-23T13:25:19.022Z]           "vulnerability_id": "CVE-2024-24791",
[2024-07-23T13:25:19.022Z]           "severity": "HIGH",
[2024-07-23T13:25:19.022Z]           "pkg_name": "stdlib",
[2024-07-23T13:25:19.022Z]           "pkg_path": "",
[2024-07-23T13:25:19.022Z]           "installed_version": "1.19.13",
[2024-07-23T13:25:19.022Z]           "fixed_version": "1.21.12, 1.22.5",
[2024-07-23T13:25:19.022Z]           "cvss_v2_score": "",
[2024-07-23T13:25:19.022Z]           "cvss_v3_score": "7.5",
[2024-07-23T13:25:19.022Z]           "status_summary": {
[2024-07-23T13:25:19.022Z]             "priority": "HIGH",
[2024-07-23T13:25:19.022Z]             "status": "FAILED"
[2024-07-23T13:25:19.022Z]           }
[2024-07-23T13:25:19.022Z]         }

kalpanathanneeru21 avatar Jul 23 '24 16:07 kalpanathanneeru21

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Jul 23 '24 16:07 CLAassistant

Any expected timeline to merge this PR?

kalpanathanneeru21 avatar Jul 30 '24 05:07 kalpanathanneeru21

Hi @kalpanathanneeru21 !

The maintainer @simar7 is currently on holiday.

nikpivkin avatar Jul 30 '24 05:07 nikpivkin

Any update on this?

kalpanathanneeru21 avatar Aug 08 '24 07:08 kalpanathanneeru21

What is blocking this PR from getting merged?

kalpanathanneeru21 avatar Aug 14 '24 06:08 kalpanathanneeru21

Just came here to say I'm interested as well in this PR being merged.

cHiv0rz avatar Sep 02 '24 10:09 cHiv0rz

I believe we need go 1.22.7 because of:

│ CVE-2024-34156 │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures... │ https://avd.aquasec.com/nvd/cve-2024-34156 │

@kalpanathanneeru21 would you mind updating your PR to 1.22.7?

jdesouza avatar Sep 25 '24 12:09 jdesouza
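The check the scanner performs on the `usr/bin/tfsec` binary in the first post, and the bump to 1.22.7 jdesouza asks for above, written as an added example (not tfsec's own code): it takes the module versions embedded in a Go binary, as `go version -m <binary>` or `debug/buildinfo.ReadFile` report them, and compares them against the minimum fixed versions named in this thread. The policy map, the `"stdlib"` key for the toolchain version and the pre-release ordering are assumptions of the example.

```go
package main

import (
	"strconv"
	"strings"
)

var minVersions = map[string]string{ // constructed example policy, not tfsec's own
	"stdlib":                         "go1.22.7", // CVE-2024-34156 and the older stdlib CVEs
	"github.com/hashicorp/go-getter": "v1.7.5",   // CVE-2024-6257
}

// versionParts parses "go1.19.13", "v1.7.4" or "1.22" into major, minor, patch
// plus a release flag (1 = release, 0 = pre-release, which therefore sorts first).
func versionParts(v string) (p [4]int) {
	v, p[3] = strings.TrimLeft(v, "gov"), 1
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v, p[3] = v[:i], 0 // "v1.7.5-0.2024..." is a pre-release of v1.7.5
	}
	for i, s := range strings.SplitN(v, ".", 3) {
		n, err := strconv.Atoi(s)
		if err != nil {
			p[3] = 0 // "22rc1": stop here and rank the whole thing as pre-release
			break
		}
		p[i] = n
	}
	return p
}
// versionLess reports whether installed version a is older than required b.
func versionLess(a, b string) bool {
	pa, pb := versionParts(a), versionParts(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}
// audit maps each policy entry the binary fails to "installed < required"; installed
// holds module path -> version as `go version -m` prints it, plus "stdlib" -> Go version.
func audit(installed map[string]string) map[string]string {
	fails := map[string]string{}
	for pkg, req := range minVersions {
		if inst, ok := installed[pkg]; ok && versionLess(inst, req) {
			fails[pkg] = inst + " < " + req
		}
	}
	return fails
}
```

Feeding it the versions from the scan report above (Go 1.19.13, go-getter v1.7.4) yields two findings; a binary rebuilt with Go 1.22.7 and go-getter v1.7.5 yields none.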

Updated.

kalpanathanneeru21 avatar Sep 25 '24 13:09 kalpanathanneeru21

@kalpanathanneeru21 looks like CI is failing.

simar7 avatar Sep 28 '24 02:09 simar7

For those interested in this PR, this one was released: https://github.com/aquasecurity/tfsec/commit/0da0cafba7a436d5c71a6360140d3bb6d794594c

jdesouza avatar Oct 04 '24 18:10 jdesouza

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 365 days.

github-actions[bot] avatar Nov 04 '24 15:11 github-actions[bot]

This PR was closed because it has been stalled for 365 days with no activity.

github-actions[bot] avatar Nov 05 '25 15:11 github-actions[bot]