terrajet
Fix security vulnerabilities with hashicorp/go-getter upgrade to v1.6.1
What happened?
Security vulnerability scanners like Twistlock and Snyk are reporting security issues introduced by hashicorp/go-getter on images built using Terrajet. These security vulnerabilities are classified as critical and preventing us from using the built images. The CVEs are:
CVE-2022-30322, CVE-2022-30321, CVE-2022-26945, CVE-2022-30323
How can we reproduce it?
Point Snyk at the Git repository to run a security scan (e.g. https://github.com/crossplane-contrib/provider-jet-datadog, https://github.com/crossplane/terrajet). The report points out the security vulnerabilities.
Potential fix?
These CVEs can be resolved by using hashicorp/go-getter v1.6.1 or v2.1.0.
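As an added example (not code from the Terrajet project or from the author of this issue), the following Go program checks a go.mod for a hashicorp/go-getter requirement that is still below the fixed releases named above. The go.mod text is constructed for the example; the fixed versions v1.6.1 and v2.1.0 are taken from the issue; the v2 module path `github.com/hashicorp/go-getter/v2` follows the usual Go major-version suffix and is assumed here. Pre-release and pseudo-versions are ordered the way Go's semver does (a `-rc1` or `-0.2022...` suffix sorts before the corresponding final release), so a `v1.6.1-rc1` pin is still reported as unfixed while a `v1.6.2-0.<timestamp>-<hash>` pseudo-version is accepted.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod fragment (not from Terrajet or any
// provider-jet repository) that still pins a go-getter release below the fix.
const sampleGoMod = `module example.com/provider-jet-sample

go 1.18

require (
	github.com/crossplane/terrajet v0.4.0
	github.com/hashicorp/go-getter v1.5.11 // indirect
	github.com/pkg/errors v0.9.1
)
`

// fixedVersions maps each go-getter module path to the first release the
// issue reports as resolving the CVEs. The /v2 path is an assumption.
var fixedVersions = map[string]string{
	"github.com/hashicorp/go-getter":    "v1.6.1",
	"github.com/hashicorp/go-getter/v2": "v2.1.0",
}

type semver struct {
	nums       [3]int
	prerelease bool // "-rc1", or a Go pseudo-version such as v1.6.2-0.2022...-abcdef
}

// parseSemver parses "vMAJOR.MINOR.PATCH[-pre][+build]"; build metadata is dropped.
func parseSemver(v string) (semver, error) {
	var out semver
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		out.prerelease = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a semver version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component %q in %q", p, v)
		}
		out.nums[i] = n
	}
	return out, nil
}

// less reports whether a sorts before b: numeric parts first, and at equal
// numbers a pre-release precedes the final release.
func (a semver) less(b semver) bool {
	for i := range a.nums {
		if a.nums[i] != b.nums[i] {
			return a.nums[i] < b.nums[i]
		}
	}
	return a.prerelease && !b.prerelease
}

// RequiredVersions extracts module path -> version from every require entry,
// in both the single-line and the parenthesised block form, ignoring
// trailing comments such as "// indirect".
func RequiredVersions(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := raw
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) == 3:
			out[f[1]] = f[2]
		}
	}
	return out
}

// IsFixed reports whether a go-getter module path/version is at or above the
// release that resolves the CVEs listed in the issue.
func IsFixed(path, version string) (bool, error) {
	fixed, ok := fixedVersions[path]
	if !ok {
		return false, fmt.Errorf("%s is not a go-getter module path", path)
	}
	have, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	want, _ := parseSemver(fixed)
	return !have.less(want), nil
}

// VulnerableGoGetter scans a go.mod and returns the path and version of a
// go-getter requirement still below the fixed release ("" if none).
func VulnerableGoGetter(gomod string) (path, version string, err error) {
	for p, v := range RequiredVersions(gomod) {
		if _, tracked := fixedVersions[p]; !tracked {
			continue
		}
		fixedOK, ferr := IsFixed(p, v)
		if ferr != nil {
			return p, v, ferr
		}
		if !fixedOK {
			return p, v, nil
		}
	}
	return "", "", nil
}

func main() {
	p, v, err := VulnerableGoGetter(sampleGoMod)
	switch {
	case err != nil:
		fmt.Println("error:", err)
	case p == "":
		fmt.Println("go-getter is at or above the fixed release")
	default:
		fmt.Printf("%s %s is below the fix; run: go get %s@%s && go mod tidy\n", p, v, p, fixedVersions[p])
	}
}
```

Two caveats when applying this to a provider built with Terrajet: the check reads only `require` lines, so a `replace` directive or a higher version selected through another dependency is not seen; and the version that ends up in the image is the one in the resolved module graph, not necessarily the one written in the provider's own go.mod. Run it against the output of `go list -m github.com/hashicorp/go-getter` (or `go list -m all`) rather than the raw file to get the effective version, and re-run the scanner on the rebuilt image to confirm the findings clear.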