
Bump version of "github.com/golang-jwt/jwt/v4" to v4.4.3

Open · Bjyothi2023 opened this issue 2 years ago · 1 comment

Terraform Version

Terraform version 1.6.3

Terraform Configuration Files

NA

Debug Output

Security vulnerability "PRISMA-2022-0270" reported because of "github.com/golang-jwt/jwt/v4" version v4.4.2. Fixed version available is v4.4.3. Requesting you to update "github.com/golang-jwt/jwt/v4" version from v4.4.2 to v4.4.3.

Expected Behavior

Vulnerability scanner should not report PRISMA-2022-0270

Actual Behavior

Vulnerability scanner reporting PRISMA-2022-0270

Steps to Reproduce

By running twistlock security scanner over container installed with Terraform

Additional Context

No response

References

No response

Bjyothi2023 · Nov 23 '23 08:11

Hi @Bjyothi2023,

According to the upstream issue https://github.com/golang-jwt/jwt/issues/258, this vulnerability report is invalid. The upstream maintainers suggest that the new release does not change anything material about the code and instead they've just clarified the documentation to reflect correct vs. incorrect usage of the library, and so upgrading alone would not be sufficient if there was a problem here.

For our part, we will review our usage of this library to ensure we are not using it in the incorrect way that issue discusses.

apparentlymart · Nov 28 '23 15:11
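The reply above says the fix is in how the library is used, not in the library itself, but the thread does not spell out what the incorrect usage is. The usage mistake that any JWT verifier has to guard against, whichever library is involved, is letting the token's own `alg` header choose how the signature is checked instead of pinning the algorithm the application expects. The following is an added, stand-alone example (not Terraform's code and not golang-jwt/jwt's code) written against the Go standard library only: it verifies a compact HS256 JWS with the algorithm fixed by the caller, and shows that an `alg=none` downgrade and a tampered payload are both rejected. The key, the claims and the tokens are constructed for the demo.

```go
// Added example, not from Terraform or golang-jwt/jwt: a minimal HS256
// verifier that pins the expected algorithm instead of trusting the
// token's "alg" header. The key and claims below are constructed demo data.
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrMalformed    = errors.New("jwt: malformed token")
	ErrAlgMismatch  = errors.New("jwt: header alg does not match expected algorithm")
	ErrBadSignature = errors.New("jwt: signature verification failed")
)

// signHS256 builds header.payload.signature for a constructed payload.
func signHS256(payload map[string]interface{}, key []byte) (string, error) {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(payload)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), nil
}

// verifyPinned checks a compact JWS against the one algorithm the caller
// expects. The "alg" header is only compared to expectedAlg; it never selects
// the verification routine. Only HS256 is implemented in this demo.
func verifyPinned(token string, key []byte, expectedAlg string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, ErrMalformed
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, ErrMalformed
	}
	if hdr.Alg != expectedAlg {
		return nil, ErrAlgMismatch // alg=none, RS256->HS256 confusion, etc. stop here
	}
	if expectedAlg != "HS256" {
		return nil, fmt.Errorf("jwt: unsupported algorithm %q", expectedAlg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, ErrMalformed
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) { // constant-time comparison
		return nil, ErrBadSignature
	}
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, ErrMalformed
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, ErrMalformed
	}
	return claims, nil
}

// forgeAlgNone rewrites a token's header to alg=none and drops the signature,
// the classic downgrade an unpinned verifier may accept.
func forgeAlgNone(token string) string {
	parts := strings.Split(token, ".")
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	return header + "." + parts[1] + "."
}

// tamperPayload swaps in a new payload while keeping header and signature.
func tamperPayload(token string, newPayloadJSON string) string {
	parts := strings.Split(token, ".")
	return parts[0] + "." + base64.RawURLEncoding.EncodeToString([]byte(newPayloadJSON)) + "." + parts[2]
}

func main() {
	key := []byte("constructed-demo-key") // constructed for the example, not a real secret
	tok, _ := signHS256(map[string]interface{}{"sub": "alice", "admin": false}, key)
	for name, t := range map[string]string{
		"genuine":   tok,
		"alg=none":  forgeAlgNone(tok),
		"tampered":  tamperPayload(tok, `{"sub":"alice","admin":true}`),
	} {
		claims, err := verifyPinned(t, key, "HS256")
		fmt.Printf("%-9s claims=%v err=%v\n", name, claims, err)
	}
}
```

In golang-jwt/jwt the same pin belongs inside the `Keyfunc` handed to `jwt.Parse`: the callback receives the parsed `*jwt.Token`, and the library's README example type-asserts `token.Method.(*jwt.SigningMethodHMAC)` (or the RSA/ECDSA method actually in use) and returns an error otherwise, before handing back the key. A `Keyfunc` that returns the key unconditionally is what lets the header choose the algorithm.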