
Running OWASP dependency check against controller-runtime shows many vulnerabilities

Open arvindsvenkat opened this issue 3 years ago • 0 comments

We use the OWASP dependency check client (v7.0.0) for package verification in our builds. It basically scans go.mod/sum files against an existing database of issues and tells us if there are issues or vulnerabilities with certain packages.

As of v0.11.x, the resulting list of dependencies was huge. I recently tried with v0.12.3 and the vulnerabilities have reduced quite a lot, but there are still some major issues. I have attached the go.mod, go.sum and the resulting HTML file with the list of vulnerabilities.

Is the team aware of these vulnerabilities? If so, are there plans on addressing them? Also, is there any other tool that the team uses to check for vulnerabilities?

Attachments: go.mod.txt, go.sum.txt, dependency-check-report-with-controller-runtime.html.txt

arvindsvenkat avatar Jul 28 '22 15:07 arvindsvenkat
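The issue describes what a dependency scanner does: read go.mod/go.sum and compare each module@version against a database of known issues. The script below is an added example (not the issue author's code, not OWASP dependency-check, and not part of controller-runtime) that models that comparison on a constructed go.mod excerpt and a constructed advisory list; the module paths and `EXAMPLE-000x` identifiers are placeholders, not real modules or CVEs. It shows the two details that decide whether a version is flagged: the affected range is `[introduced, fixed)` with the fix version excluded, and `+incompatible` or pre-release suffixes must be stripped before versions are compared.

```python
"""Toy Go-module dependency checker (constructed example, not OWASP dependency-check).

Parses the `require` entries of a go.mod file, then matches each module@version
against a small constructed advisory list, the way a dependency scanner compares
manifest entries against a vulnerability database.
"""
import re
from dataclasses import dataclass

# Constructed go.mod excerpt (hypothetical modules, not the real controller-runtime go.mod).
SAMPLE_GO_MOD = """\
module example.com/operator

go 1.18

require (
    example.com/lib/yamlparse v1.2.3
    example.com/lib/httpx v0.9.1 // indirect
    example.com/lib/crypto v2.0.0+incompatible
)
"""


@dataclass(frozen=True)
class Advisory:
    module: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)
    summary: str


# Constructed advisory database (hypothetical identifiers, not real CVEs).
ADVISORIES = [
    Advisory("example.com/lib/yamlparse", "v1.0.0", "v1.2.4",
             "EXAMPLE-0001: unbounded recursion on crafted input"),
    Advisory("example.com/lib/httpx", "v0.8.0", "v0.9.1",
             "EXAMPLE-0002: header injection (fixed in v0.9.1)"),
    Advisory("example.com/lib/crypto", "v2.0.0", "v2.0.1",
             "EXAMPLE-0003: weak default parameters"),
]


def parse_version(v: str) -> tuple:
    """Turn 'v1.2.3+incompatible' or 'v1.2.3-pre' into a comparable tuple of ints.
    Pre-release and build metadata are dropped in this simplified comparison."""
    core = v.lstrip("v").split("+", 1)[0].split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def parse_go_mod(text: str) -> dict:
    """Return {module_path: version} from single-line and block `require` entries."""
    deps = {}
    in_block = False
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()   # drop comments such as '// indirect'
        if not line:
            continue
        if line == "require (":
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        m = re.match(r"^(?:require\s+)?(\S+)\s+(v\S+)$", line)
        if m and (in_block or line.startswith("require ")):
            deps[m.group(1)] = m.group(2)
    return deps


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (the fix version itself is clean)."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def check(go_mod_text: str, advisories=ADVISORIES) -> list:
    """Return (module, version, summary) for every dependency inside an affected range."""
    findings = []
    deps = parse_go_mod(go_mod_text)
    for adv in advisories:
        version = deps.get(adv.module)
        if version is not None and is_affected(version, adv):
            findings.append((adv.module, version, adv.summary))
    return findings


if __name__ == "__main__":
    for module, version, summary in check(SAMPLE_GO_MOD):
        print(f"{module}@{version}: {summary}")
```

On the constructed input this flags `yamlparse` and `crypto` but not `httpx`, because v0.9.1 is the fix version and sits outside the half-open range. A manifest-level check like this (and like the go.mod/go.sum scan described in the issue) reports every module in range whether or not the affected code is ever called, which is why such reports tend to be long; Go's own `govulncheck` narrows that by reporting only vulnerabilities in functions the program actually reaches.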