
Go Cryptography vulnerabilities detected by Docker Scan

Open · gugacavalieri opened this issue 2 years ago · 1 comment

Reopening #496

Hi guys. I'm not sure if the binaries are actually being updated with the latest builds. This CVE is still showing for me.

Steps to reproduce it:

1. Add a Dockerfile:

   ```dockerfile
   FROM alpine:3.17.2

   # install codeclimate reporter
   RUN wget --quiet https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 -O /usr/local/bin/cc-test-reporter \
     && chmod +x /usr/local/bin/cc-test-reporter
   ```

2. Run a Docker scan:

   ```shell
   docker build -t cc-reporter-cve-test . && docker scout cves cc-reporter-cve-test
   ```

It comes back with the crypto CVEs that were supposedly patched:

(screenshot of the docker scout output listing the crypto CVEs)

However, when I built the binary from my machine and copied it over to the Docker image it reported no CVEs. So I wonder if the binaries are being updated on CodeClimate's website.

gugacavalieri avatar Mar 21 '23 22:03 gugacavalieri

This issue seems to be down to the binary that's currently being distributed using Go 1.15.15, which has some known issues:

```shell
# Via https://stackoverflow.com/a/18991157
% go version test-reporter-latest-linux-amd64
test-reporter-latest-linux-amd64: go1.15.15
```

As you mention, recompiling with a newer version of the Go toolchain will resolve this issue.

jamietanna avatar Jun 20 '23 12:06 jamietanna
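The diagnosis in the thread above, that the scanner is reporting standard-library CVEs because the shipped binary records an old Go toolchain, can be turned into a CI check. The following is an added example, not code from the code-climate/test-reporter project or from either commenter: it reads the build-info header that `go version <file>` prints, via the standard-library `debug/buildinfo` package, and fails when the recorded toolchain is older than a floor you choose. The program name, the function names, the sample version strings and the minimum version passed on the command line are assumptions for the illustration; the page does not say which Go release fixes the CVEs the scan reported, so take the floor from the advisories your scanner names.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// GoVersion is a parsed toolchain release such as go1.15.15.
type GoVersion struct {
	Major, Minor, Patch int
}

// ParseGoVersion parses release strings such as "go1.15.15" or "go1.21".
// Pre-release strings ("go1.21rc2", "devel ...") are rejected rather than
// guessed at, so they can never satisfy a patched-release floor by accident.
func ParseGoVersion(s string) (GoVersion, error) {
	if !strings.HasPrefix(s, "go") {
		return GoVersion{}, fmt.Errorf("not a Go release version: %q", s)
	}
	parts := strings.Split(strings.TrimPrefix(s, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return GoVersion{}, fmt.Errorf("unexpected version layout: %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return GoVersion{}, fmt.Errorf("non-numeric component %q in %q", p, s)
		}
		nums[i] = n
	}
	return GoVersion{Major: nums[0], Minor: nums[1], Patch: nums[2]}, nil
}

// Less reports whether v is an older release than w.
func (v GoVersion) Less(w GoVersion) bool {
	if v.Major != w.Major {
		return v.Major < w.Major
	}
	if v.Minor != w.Minor {
		return v.Minor < w.Minor
	}
	return v.Patch < w.Patch
}

// OlderThan reports whether the release string have is older than minimum.
func OlderThan(have, minimum string) (bool, error) {
	h, err := ParseGoVersion(have)
	if err != nil {
		return false, err
	}
	m, err := ParseGoVersion(minimum)
	if err != nil {
		return false, err
	}
	return h.Less(m), nil
}

// CheckBinary reads the build-info header of the Go binary at path (the same
// data `go version <file>` prints) and returns the toolchain version it
// records plus whether that version is below minimum.
func CheckBinary(path, minimum string) (version string, older bool, err error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, fmt.Errorf("%s: %w", path, err)
	}
	older, err = OlderThan(info.GoVersion, minimum)
	return info.GoVersion, older, err
}

func main() {
	// Hypothetical usage: gocheck <go-binary> <minimum-go-version>
	if len(os.Args) != 3 {
		fmt.Fprintf(os.Stderr, "usage: %s <go-binary> <minimum-go-version>\n", os.Args[0])
		os.Exit(2)
	}
	version, older, err := CheckBinary(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	if older {
		fmt.Printf("FAIL: %s was built with %s, older than %s\n", os.Args[1], version, os.Args[2])
		os.Exit(1)
	}
	fmt.Printf("OK: %s was built with %s\n", os.Args[1], version)
}
```

Run it against the downloaded file, for example `go run gocheck.go ./test-reporter-latest-linux-amd64 go1.20.5` (the floor is an assumed value), and it exits non-zero for the go1.15.15 build shown in the thread. The check only reads the version the binary records; the fix, as both comments say, is to rebuild with a patched toolchain, since the vulnerable crypto code is compiled into the binary and nothing in the image can patch it in place.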