
Critical CVE on goss

Open ikheifets-splunk opened this issue 1 year ago • 2 comments

Describe the bug
Critical CVE on goss

[Screenshot 2024-06-25 at 10:19:11]

How To Reproduce
Use trivy to detect the CVE; in our case it has been detected on CI

Expected Behavior
No CVE

Actual Behavior
CVE

Environment:

  • Version of goss: 0.4.7
  • OS/Distribution version: alpine 3.18.6

ikheifets-splunk avatar Jun 25 '24 08:06 ikheifets-splunk

@dklimpel this is a good opportunity to test the new trivy pipeline. Is it possible to reproduce this finding in the goss CI?

aelsabbahy avatar Jun 27 '24 16:06 aelsabbahy

You should be able to run the workflow manually: https://github.com/goss-org/goss/actions/workflows/docker-goss.yaml

But it probably won't find anything because the workflow creates a new build and the affected dependency seems to be indirect.

dklimpel avatar Jun 27 '24 21:06 dklimpel

Hmm, I wonder if it makes sense to have daily (or weekly) trivy run on the last published image?

aelsabbahy avatar Jul 03 '24 15:07 aelsabbahy

I think latest tagged release, not latest image.

dklimpel avatar Jul 03 '24 17:07 dklimpel

Any update on this bug? @dklimpel @aelsabbahy

rjha-splunk avatar Jul 04 '24 09:07 rjha-splunk

@aelsabbahy @dklimpel I prepared a PR updating the Go version, because the CVE is located in stdlib

ikheifets-splunk avatar Jul 17 '24 07:07 ikheifets-splunk
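Because the CVE sits in the Go standard library, the fix is a toolchain bump and a rebuild rather than a dependency update, and (as the earlier comments note) a freshly built image will not show what the already published binary carries. A scanner such as trivy decides this from the Go version recorded in the binary's embedded build info, the same data `go version -m <binary>` prints. The following program is an added example, not code from the goss project or from anyone in this thread: it reads that recorded version with `debug/buildinfo` and compares it against a "fixed in" version. The `fixedIn` value in `main` is a placeholder, since the thread does not name the affected Go release; take the real threshold from the advisory the scanner cites.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// GoVersionOf returns the Go toolchain version recorded in a Go binary's
// embedded build info (what `go version -m <binary>` prints and what
// scanners match stdlib CVEs against).
func GoVersionOf(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

// parseGoVersion turns "go1.22.4" or "go1.22rc1" into numeric parts.
// Pre-release suffixes are dropped, so "go1.22rc1" compares as 1.22.0.
// Development builds ("devel go1.23-...") and empty strings yield ok=false.
func parseGoVersion(v string) (parts [3]int, ok bool) {
	v = strings.TrimPrefix(v, "go")
	// Cut a pre-release suffix such as "rc1" or "beta2".
	for i, r := range v {
		if (r < '0' || r > '9') && r != '.' {
			v = v[:i]
			break
		}
	}
	fields := strings.Split(v, ".")
	if len(fields) > 3 || fields[0] == "" {
		return parts, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil {
			return parts, false
		}
		parts[i] = n
	}
	return parts, true
}

// CompareGoVersions returns -1, 0 or 1 as a is older than, equal to, or
// newer than b. An error is returned when either string is not a release
// version, so an unparseable value is never silently treated as "fixed".
func CompareGoVersions(a, b string) (int, error) {
	pa, okA := parseGoVersion(a)
	pb, okB := parseGoVersion(b)
	if !okA || !okB {
		return 0, fmt.Errorf("cannot compare Go versions %q and %q", a, b)
	}
	for i := range pa {
		switch {
		case pa[i] < pb[i]:
			return -1, nil
		case pa[i] > pb[i]:
			return 1, nil
		}
	}
	return 0, nil
}

// NeedsRebuild reports whether a binary built with binaryVersion still
// carries a stdlib bug that was fixed in fixedIn.
func NeedsRebuild(binaryVersion, fixedIn string) (bool, error) {
	c, err := CompareGoVersions(binaryVersion, fixedIn)
	if err != nil {
		return false, err
	}
	return c < 0, nil
}

func main() {
	// Inspect the binary given on the command line, or this program itself.
	path := os.Args[0]
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	// Placeholder threshold: substitute the version named in the advisory.
	fixedIn := "go1.22.0"

	v, err := GoVersionOf(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, "not a Go binary or unreadable:", err)
		os.Exit(2)
	}
	rebuild, err := NeedsRebuild(v, fixedIn)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("%s: built with %s, fix requires %s, rebuild needed: %v\n",
		path, v, fixedIn, rebuild)
	if rebuild {
		os.Exit(1)
	}
}
```

Run it against the binary extracted from the published image (`go run . ./goss`) and it exits non-zero when the recorded toolchain is older than the threshold, which is a cheap check to run on each tagged release image independently of a full scanner run.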

Sorry for the delay on this. It seems there's some issues with CI. Still trying to debug.

Oddly, the working commit and the failing commit are exactly the same, so not sure if something changed on travis-ci or if there's another factor at play (e.g. docker test image caching).

aelsabbahy avatar Jul 18 '24 14:07 aelsabbahy

Update: Found the issue, I believe I merged in a fix. Unfortunately, I ran out of travis-ci OSS credits again, waiting on travis-ci to respond.

These issues will go away once the migration to GHA is complete. This is probably going to be the last release on the travis-ci workflow.

aelsabbahy avatar Jul 18 '24 19:07 aelsabbahy

@aelsabbahy thanks, no problem, sometimes such things happen

ikheifets-splunk avatar Jul 18 '24 19:07 ikheifets-splunk

Just cut a new release, please confirm the CVE is gone and we can close out this ticket.

Many thanks for reporting this issue and contributing the fix!

Sorry this took a little while, the whole CI story is in a bit of a transition.

aelsabbahy avatar Jul 19 '24 15:07 aelsabbahy

@aelsabbahy thanks so much, I tested the update on 0.4.8 and it fixes this Critical CVE

ikheifets-splunk avatar Jul 20 '24 22:07 ikheifets-splunk