
CVE-2022-29526 - golang.org/x/sys

Open rchassaigne opened this issue 2 years ago • 3 comments

Hello,

When scanning a Docker image from webdevops with any inspector (e.g. AWS Inspector), it only has one CVE remaining in the image: CVE-2022-29526 on file path usr/local/bin/go-replace.

The recommended remediation is: Upgrade your installed software packages to the proposed fixed version and release.

  • Update sys to 0.1.0

Is it possible to upgrade this package to 0.1.0? Currently it is v0.0.0-20220928140112-f11e5e49a4ec

Regards.

rchassaigne avatar Jun 09 '23 12:06 rchassaigne

Hi,

I've experienced the same when scanning a Docker image that was built using webdevops/php-nginx:8.2 in AWS Inspector. The scan shows that the vulnerability CVE-2022-29526 exists on /usr/local/bin/go-replace.

It looks like go-replace's dependency github.com/jessevdk/go-flags, which uses the golang.org/x/sys package, hasn't updated its dependencies.

nick-delgado avatar Jul 26 '23 20:07 nick-delgado

Hi,

It seems to be in go.mod but is marked as indirect. Maybe I should open an issue in go-flags to update the sys package dependency?

EDIT: An issue has already been opened in that package, and the recommendation seems to be to use another fork package, go-flags-fork, with golang.org/x/sys v0.10.0 as a dependency.

rchassaigne avatar Aug 01 '23 08:08 rchassaigne
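
As an added example (not code from the go-replace project or from anyone in this thread), the check below parses a constructed go.mod excerpt of the kind described above and reports whether golang.org/x/sys, even when only an indirect requirement, is still pinned below the v0.1.0 the scanner asks for; the go-flags version in the sample is an assumption.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed go.mod excerpt in the shape the thread describes: golang.org/x/sys
// pulled in transitively (// indirect) at the pseudo-version quoted above.
const sampleGoMod = `require (
	github.com/jessevdk/go-flags v1.5.0
	golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec // indirect
)
`

// requiredVersion returns the version go.mod lists for modPath ("" if absent); block-style and single-line "require" entries both count.
func requiredVersion(goMod, modPath string) string {
	for _, line := range strings.Split(goMod, "\n") {
		fields := strings.Fields(line)
		if len(fields) > 0 && fields[0] == "require" {
			fields = fields[1:]
		}
		if len(fields) >= 2 && fields[0] == modPath {
			return fields[1]
		}
	}
	return ""
}

// lessThan compares Go module versions vMAJOR.MINOR.PATCH[-prerelease]. A pseudo-
// version is a pre-release of its base, so v0.0.0-2022... < v0.1.0 < v0.10.0.
func lessThan(a, b string) bool {
	baseA, preA, _ := strings.Cut(strings.TrimPrefix(a, "v"), "-")
	baseB, preB, _ := strings.Cut(strings.TrimPrefix(b, "v"), "-")
	pa, pb := strings.Split(baseA, "."), strings.Split(baseB, ".")
	for i := 0; i < 3 && i < len(pa) && i < len(pb); i++ {
		na, _ := strconv.Atoi(pa[i])
		nb, _ := strconv.Atoi(pb[i])
		if na != nb {
			return na < nb
		}
	}
	return preA != "" && preB == "" // same base: only a pre-release is lower
}

// Vulnerable reports whether go.mod still pins golang.org/x/sys below v0.1.0, the fixed version the scanner in the thread asks for.
func Vulnerable(goMod string) bool {
	v := requiredVersion(goMod, "golang.org/x/sys")
	return v != "" && lessThan(v, "v0.1.0")
}
```

Bumping the indirect requirement in go.mod (or switching to a fork that already requires a fixed golang.org/x/sys) turns the check false, which is the state the scanner wants to see.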

No news, last commit / release a year ago. Dead project?

Silmerias avatar Nov 09 '23 16:11 Silmerias