
Fix security vulnerabilities with hashicorp/go-getter upgrade to v1.6.1

Open nimish22 opened this issue 1 year ago • 0 comments

What happened?

Security vulnerability scanners like Twistlock and Snyk are reporting security issues introduced by hashicorp/go-getter on images built using Terrajet. These security vulnerabilities are classified as critical and are preventing us from using the built images. The CVEs are:

CVE-2022-30322, CVE-2022-30321, CVE-2022-26945, CVE-2022-30323

How can we reproduce it?

Point Snyk at the Git repository to run a security scan (e.g. https://github.com/crossplane-contrib/provider-jet-datadog, https://github.com/crossplane/terrajet). The report points out the security vulnerabilities.

Potential fix?

These CVEs can be resolved by using hashicorp/go-getter v1.6.1 or v2.1.0.

nimish22, Aug 16 '22 21:08
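A CI gate for the fix proposed above, added here as an example and not code from the Terrajet project or the issue author: it parses a go.mod, finds the go-getter require lines (v1 under github.com/hashicorp/go-getter, v2 under the github.com/hashicorp/go-getter/v2 module path) and reports any version below v1.6.1 or v2.1.0, the versions the issue names as carrying the fix. The embedded go.mod, the module github.com/example/provider-jet-sample, and the rule that every lower version (including a pre-release of the fixed version) counts as unpatched are assumptions of the example, not facts from the issue.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Versions the issue names as fixed, keyed by module path (go-getter v2 is a /v2 module).
// Assumption of this example: any lower version is treated as unpatched.
var fixedVersions = map[string]string{
	"github.com/hashicorp/go-getter":    "v1.6.1",
	"github.com/hashicorp/go-getter/v2": "v2.1.0",
}

// sampleGoMod is a constructed go.mod for illustration, not taken from any real provider.
const sampleGoMod = `module github.com/example/provider-jet-sample
require (
	github.com/example/unrelated v1.2.3
	github.com/hashicorp/go-getter v1.5.11 // indirect
	github.com/hashicorp/go-getter/v2 v2.0.2
)
`

// versionKey turns "v1.6.1" into a fixed-width key ("000001.000006.000001.1") whose plain
// string order is semantic-version order; the final digit is 0 for a pre-release such as
// v1.6.1-rc1 so that it sorts below v1.6.1. Build metadata after "+" is dropped.
func versionKey(v string) (string, error) {
	rel := 1
	v = strings.SplitN(strings.TrimPrefix(v, "v"), "+", 2)[0]
	if base, _, isPre := strings.Cut(v, "-"); isPre {
		v, rel = base, 0
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("not a semantic version: %q", v)
	}
	var n [3]int
	for i, p := range parts {
		var err error
		if n[i], err = strconv.Atoi(p); err != nil {
			return "", fmt.Errorf("bad component %q in version %q", p, v)
		}
	}
	return fmt.Sprintf("%06d.%06d.%06d.%d", n[0], n[1], n[2], rel), nil
}

// requiredVersions maps module path to version for every require directive, in both
// the single-line and the block form, ignoring trailing comments such as "// indirect".
func requiredVersions(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//")
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case inBlock && len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		case len(f) == 3 && f[0] == "require":
			out[f[1]] = f[2]
		}
	}
	return out
}

// vulnerableGoGetter returns module path -> required version for each go-getter module
// in gomod whose version is lower than the one the issue names as fixed.
func vulnerableGoGetter(gomod string) (map[string]string, error) {
	findings := map[string]string{}
	for module, have := range requiredVersions(gomod) {
		want, tracked := fixedVersions[module]
		if !tracked {
			continue
		}
		haveKey, err := versionKey(have)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", module, err)
		}
		wantKey, _ := versionKey(want)
		if haveKey < wantKey {
			findings[module] = have
		}
	}
	return findings, nil
}

func main() {
	findings, err := vulnerableGoGetter(sampleGoMod)
	if err != nil {
		panic(err)
	}
	for module, have := range findings {
		fmt.Printf("%s %s is below %s: go get %s@%s && go mod tidy\n", module, have, fixedVersions[module], module, fixedVersions[module])
	}
}
```

Two checks worth pairing with this. First, go.mod is the input to version selection, not its result: `go list -m github.com/hashicorp/go-getter` prints the version the build actually selects, and `go version -m <binary>` prints the module versions baked into a built binary, which is what an image scanner such as Twistlock or Snyk reports. Second, `go get github.com/hashicorp/go-getter@v1.6.1 && go mod tidy` bumps the requirement even when go-getter is only an indirect dependency, but the scanner finding only goes away once the image is rebuilt from the updated module graph.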