
Vulnerabilities reported by Trivy

[Open] niravparikh05 opened this issue 1 year ago • 1 comment

Describe the Bug

Multiple vulnerabilities were reported by image scan. We are using the migrate/migrate:v4.15.2 binary as part of paralus and have added the trivy image scanner as part of our CI. While doing so we saw multiple vulnerabilities reported by Trivy.

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| golang.org/x/crypto | CVE-2021-43565 | HIGH | v0.0.0-20210921155107-089bfa567519 | 0.0.0-20211202192323-5770296d904e | golang.org/x/crypto: empty plaintext packet causes panic https://avd.aquasec.com/nvd/cve-2021-43565 |
| golang.org/x/crypto | CVE-2022-27191 | HIGH | v0.0.0-20210921155107-089bfa567519 | 0.0.0-20220314234659-1baeb1ce4c0b | crash in a golang.org/x/crypto/ssh server https://avd.aquasec.com/nvd/cve-2022-27191 |
| golang.org/x/net | CVE-2022-27664 | HIGH | v0.0.0-20220225172249-27dd8689420f | 0.0.0-20220906165146-f3363e06e74c | handle server errors after sending GOAWAY https://avd.aquasec.com/nvd/cve-2022-27664 |
| golang.org/x/net | CVE-2022-41723 | HIGH | v0.0.0-20220225172249-27dd8689420f | 0.7.0 | avoid quadratic complexity in HPACK decoding https://avd.aquasec.com/nvd/cve-2022-41723 |
| golang.org/x/text | CVE-2022-32149 | HIGH | v0.3.7 | 0.3.8 | golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags https://avd.aquasec.com/nvd/cve-2022-32149 |

Steps to Reproduce

Scan the binary with some tools for finding vulnerabilities. In this case we have used trivy.

Expected Behavior

No vulnerabilities are reported for the newest binary.

Additional context

Most of these seem to be related to go libraries that are used within golang-migrate; updating those should fix the problem.

niravparikh05, May 22 '23 10:05
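A way to verify, on a downloaded migrate binary, whether the modules flagged in the report above are still below their fixed versions. This is an added example, not code from the golang-migrate project or from this thread: it parses `go version -m migrate` output (the sample below is constructed, with abbreviated hashes) and compares each embedded module against Trivy's fixed versions, using the Go rule that a v0.0.0-<timestamp>-<hash> pseudo-version sorts below any tagged release and that pseudo-versions of the same base order by timestamp.

```python
# Added example (not from golang-migrate): check the module versions embedded
# in a Go binary against the fixed versions from the Trivy report above.
import re
from typing import Dict, List, Tuple

# Fixed versions taken from the Trivy table: CVE -> (module, fixed version).
FIXED = {
    "CVE-2021-43565": ("golang.org/x/crypto", "0.0.0-20211202192323-5770296d904e"),
    "CVE-2022-27191": ("golang.org/x/crypto", "0.0.0-20220314234659-1baeb1ce4c0b"),
    "CVE-2022-27664": ("golang.org/x/net", "0.0.0-20220906165146-f3363e06e74c"),
    "CVE-2022-41723": ("golang.org/x/net", "0.7.0"),
    "CVE-2022-32149": ("golang.org/x/text", "0.3.8"),
}

# Constructed sample of `go version -m migrate` for the v4.15.2 binary
# (hash column abbreviated; only the module and version columns are used).
SAMPLE = """migrate: go1.19
\tpath\tgithub.com/golang-migrate/migrate/v4/cmd/migrate
\tmod\tgithub.com/golang-migrate/migrate/v4\tv4.15.2\th1:abc
\tdep\tgolang.org/x/crypto\tv0.0.0-20210921155107-089bfa567519\th1:abc
\tdep\tgolang.org/x/net\tv0.0.0-20220225172249-27dd8689420f\th1:abc
\tdep\tgolang.org/x/text\tv0.3.7\th1:abc
"""

def parse_version(v: str) -> Tuple[Tuple[int, int, int], str]:
    """Split 'v1.2.3-pre' into ((1, 2, 3), 'pre'). A pseudo-version
    v0.0.0-<timestamp>-<hash> is a prerelease of v0.0.0, so it sorts below
    any tagged release; among pseudo-versions the timestamp sorts lexically."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?", v)
    if not m:
        raise ValueError(f"unrecognised version: {v}")
    return (int(m[1]), int(m[2]), int(m[3])), (m[4] or "")

def is_fixed(installed: str, fixed: str) -> bool:
    (ib, ipre), (fb, fpre) = parse_version(installed), parse_version(fixed)
    if ib != fb:
        return ib > fb
    if not ipre:   # installed is a tagged release of the same base: fixed or newer
        return True
    if not fpre:   # fixed is the tagged release, installed is only a prerelease of it
        return False
    return ipre >= fpre

def embedded_modules(go_version_m: str) -> Dict[str, str]:
    """Collect module -> version from the 'mod' and 'dep' rows of go version -m."""
    mods = {}
    for line in go_version_m.splitlines():
        parts = line.split("\t")
        if len(parts) >= 4 and parts[1] in ("mod", "dep"):
            mods[parts[2]] = parts[3]
    return mods

def unfixed(go_version_m: str) -> List[str]:
    """CVEs from the report whose module is embedded below its fixed version."""
    mods = embedded_modules(go_version_m)
    return sorted(cve for cve, (mod, fixed) in FIXED.items()
                  if mod in mods and not is_fixed(mods[mod], fixed))
```

Run `go version -m ./migrate > modules.txt` on the binary under test and pass the file contents to `unfixed()`; an empty list means every flagged module is at or above the fixed version Trivy listed.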

Hi @niravparikh05, thanks for the report! For future security disclosures, please follow our security policy.

v4.16.0 was recently released. Does your scanner still report any vulnerabilities with that version? All of our dependencies listed in your report are now pinned at newer versions.

dhui, May 31 '23 16:05