CVE alerts
Trivy detects the following CVEs.
Please, would it be possible to upgrade the related packages to remove them? :)
usr/bin/checkmake (gobinary)
============================
Total: 43 (HIGH: 40, CRITICAL: 3)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2022-23806 │ CRITICAL │ fixed │ 1.13.15 │ 1.16.14, 1.17.7 │ golang: crypto/elliptic: IsOnCurve returns true for invalid │
│ │ │ │ │ │ │ field elements │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-23806 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-24538 │ │ │ │ 1.19.8, 1.20.3 │ golang: html/template: backticks not treated as string │
│ │ │ │ │ │ │ delimiters │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-24538 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-24540 │ │ │ │ 1.19.9, 1.20.4 │ golang: html/template: improper handling of JavaScript │
│ │ │ │ │ │ │ whitespace │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-24540 │
│ ├────────────────┼──────────┤ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-27918 │ HIGH │ │ │ 1.15.9, 1.16.1 │ golang: encoding/xml: infinite loop when using │
│ │ │ │ │ │ │ xml.NewTokenDecoder with a custom TokenReader │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-27918 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-33195 │ │ │ │ 1.15.13, 1.16.5 │ golang: net: lookup functions may return invalid host names │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-33195 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-33196 │ │ │ │ │ golang: archive/zip: malformed archive may cause panic or │
│ │ │ │ │ │ │ memory exhaustion │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-33196 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-33198 │ │ │ │ │ golang: math/big.Rat: may cause a panic or an unrecoverable │
│ │ │ │ │ │ │ fatal error if... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-33198 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39293 │ │ │ │ 1.16.8, 1.17.1 │ golang: archive/zip: malformed archive may cause panic or │
│ │ │ │ │ │ │ memory exhaustion (incomplete fix... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39293 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-41771 │ │ │ │ 1.16.10, 1.17.3 │ golang: debug/macho: invalid dynamic symbol table command │
│ │ │ │ │ │ │ can cause panic │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-41771 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-41772 │ │ │ │ │ golang: archive/zip: Reader.Open panics on empty string │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-41772 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-44716 │ │ │ │ 1.16.12, 1.17.5 │ golang: net/http: limit growth of header canonicalization │
│ │ │ │ │ │ │ cache │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-44716 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-23772 │ │ │ │ 1.16.14, 1.17.7 │ golang: math/big: uncontrolled memory consumption due to an │
│ │ │ │ │ │ │ unhandled overflow via Rat.SetString... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-23772 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-24675 │ │ │ │ 1.17.9, 1.18.1 │ golang: encoding/pem: fix stack overflow in Decode │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-24675 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-24921 │ │ │ │ 1.16.15, 1.17.8 │ golang: regexp: stack exhaustion via a deeply nested │
│ │ │ │ │ │ │ expression │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-24921 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-27664 │ │ │ │ 1.18.6, 1.19.1 │ golang: net/http: handle server errors after sending GOAWAY │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-27664 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-28131 │ │ │ │ 1.17.12, 1.18.4 │ golang: encoding/xml: stack exhaustion in Decoder.Skip │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-28131 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-28327 │ │ │ │ 1.17.9, 1.18.1 │ golang: crypto/elliptic: panic caused by oversized scalar │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-28327 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-2879 │ │ │ │ 1.18.7, 1.19.2 │ golang: archive/tar: unbounded memory consumption when │
│ │ │ │ │ │ │ reading headers │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2879 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-2880 │ │ │ │ │ golang: net/http/httputil: ReverseProxy should not forward │
│ │ │ │ │ │ │ unparseable query parameters │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2880 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-29804 │ │ │ │ 1.17.11, 1.18.3 │ ELSA-2022-17957: ol8addon security update (IMPORTANT) │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-29804 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-30580 │ │ │ │ │ golang: os/exec: Code injection in Cmd.Start │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30580 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-30630 │ │ │ │ 1.17.12, 1.18.4 │ golang: io/fs: stack exhaustion in Glob │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30630 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-30631 │ │ │ │ │ golang: compress/gzip: stack exhaustion in Reader.Read │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30631 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-30632 │ │ │ │ │ golang: path/filepath: stack exhaustion in Glob │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30632 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-30633 │ │ │ │ │ golang: encoding/xml: stack exhaustion in Unmarshal │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30633 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-30634 │ │ │ │ 1.17.11, 1.18.3 │ ELSA-2022-17957: ol8addon security update (IMPORTANT) │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30634 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-30635 │ │ │ │ 1.17.12, 1.18.4 │ golang: encoding/gob: stack exhaustion in Decoder.Decode │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30635 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-32189 │ │ │ │ 1.17.13, 1.18.5 │ golang: math/big: decoding big.Float and big.Rat types can │
│ │ │ │ │ │ │ panic if the encoded... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-32189 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41715 │ │ │ │ 1.18.7, 1.19.2 │ golang: regexp/syntax: limit memory used by parsing regexps │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41715 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41716 │ │ │ │ 1.18.8, 1.19.3 │ Due to unsanitized NUL values, attackers may be able to │
│ │ │ │ │ │ │ maliciously se... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41716 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41720 │ │ │ │ 1.18.9, 1.19.4 │ golang: os, net/http: avoid escapes from os.DirFS and │
│ │ │ │ │ │ │ http.Dir on Windows │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41720 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41722 │ │ │ │ 1.19.6, 1.20.1 │ golang: path/filepath: path-filepath filepath.Clean path │
│ │ │ │ │ │ │ traversal │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41722 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41723 │ │ │ │ │ net/http, golang.org/x/net/http2: avoid quadratic complexity │
│ │ │ │ │ │ │ in HPACK decoding │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41723 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41724 │ │ │ │ │ golang: crypto/tls: large handshake records may cause panics │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41724 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41725 │ │ │ │ │ golang: net/http, mime/multipart: denial of service from │
│ │ │ │ │ │ │ excessive resource consumption │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41725 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-24534 │ │ │ │ 1.19.8, 1.20.3 │ golang: net/http, net/textproto: denial of service from │
│ │ │ │ │ │ │ excessive memory allocation │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-24534 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-24536 │ │ │ │ │ golang: net/http, net/textproto, mime/multipart: denial of │
│ │ │ │ │ │ │ service from excessive resource consumption │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-24536 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-24537 │ │ │ │ │ golang: go/parser: Infinite loop in parsing │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-24537 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-24539 │ │ │ │ 1.19.9, 1.20.4 │ golang: html/template: improper sanitization of CSS values │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-24539 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-29400 │ │ │ │ │ golang: html/template: improper handling of empty HTML │
│ │ │ │ │ │ │ attributes │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-29400 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-29403 │ │ │ │ 1.19.10, 1.20.5 │ golang: runtime: unexpected behavior of setuid/setgid │
│ │ │ │ │ │ │ binaries │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-29403 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-45283 │ │ │ │ 1.20.11, 1.21.4, 1.20.12, 1.21.5 │ The filepath package does not recognize paths with a \??\ │
│ │ │ │ │ │ │ prefix as... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45283 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-45287 │ │ │ │ 1.20.0 │ golang: crypto/tls: Timing Side Channel attack in RSA based │
│ │ │ │ │ │ │ TLS key exchanges.... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45287 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴──────────────────────────────────────────────────────────────┘
@mrtazz @trinitronx any chance that this issue will be processed soon? 🥺 Otherwise I'll have to remove checkmake from the next version of MegaLinter; we cannot afford to have linters with security issues :/
hmm how did you generate that list? I thought I had dependabot enabled for security updates. But I'll take another look. If you can provide a way how to generate that output so we can cross check it, that would be useful.
@mrtazz I use trivy :)
You can add it as a GitHub action easily -> https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#using-trivy-to-scan-your-git-repo
Addendum; I think that upgrading your base go version should do the job :)
Hmm, if it's just a go version + dependency update, I can try to handle it. 🤔
Although, maybe my system's go version (1.24.4) was already too new to reproduce the scan results...
Trivy scan results:
$ docker run --rm -ti -v $(pwd):/app --entrypoint=/bin/sh aquasec/trivy
# trivy fs /app/checkmake
2025-07-16T09:36:28Z INFO [vulndb] Need to update DB
2025-07-16T09:36:28Z INFO [vulndb] Downloading vulnerability DB...
2025-07-16T09:36:28Z INFO [vulndb] Downloading artifact... repo="mirror.gcr.io/aquasec/trivy-db:2"
66.52 MiB / 66.52 MiB [----------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 19.85 MiB p/s 3.6s
2025-07-16T09:36:32Z INFO [vulndb] Artifact successfully downloaded repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-07-16T09:36:32Z INFO [vuln] Vulnerability scanning is enabled
2025-07-16T09:36:32Z INFO [secret] Secret scanning is enabled
2025-07-16T09:36:32Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-07-16T09:36:32Z INFO [secret] Please see also https://trivy.dev/v0.64/docs/scanner/secret#recommendation for faster secret detection
2025-07-16T09:36:32Z INFO Number of language-specific files num=0
2025-07-16T09:36:32Z WARN [report] Supported files for scanner(s) not found. scanners=[vuln]
2025-07-16T09:36:32Z INFO [report] No issues detected with scanner(s). scanners=[secret]
Report Summary
┌────────┬──────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├────────┼──────┼─────────────────┼─────────┤
│ - │ - │ - │ - │
└────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
# trivy fs /app/
2025-07-16T09:43:53Z INFO [vuln] Vulnerability scanning is enabled
2025-07-16T09:43:53Z INFO [secret] Secret scanning is enabled
2025-07-16T09:43:53Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-07-16T09:43:53Z INFO [secret] Please see also https://trivy.dev/v0.64/docs/scanner/secret#recommendation for faster secret detection
2025-07-16T09:43:54Z INFO Number of language-specific files num=1
2025-07-16T09:43:54Z INFO [gomod] Detecting vulnerabilities...
Report Summary
┌────────┬───────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├────────┼───────┼─────────────────┼─────────┤
│ go.mod │ gomod │ 0 │ - │
└────────┴───────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
I've updated the go.mod & go.sum to go1.24.4 on my branch here: trinitronx/checkmake@fix-issue-99-trivy-vuln-detections. Since I could not reproduce the scan results, could you re-scan it, just to be sure?
@trinitronx i think i found the issue source :)
We're using your docker image to embed checkmake within MegaLinter
FROM mrtazz/checkmake:latest AS checkmake
COPY --link --from=checkmake /checkmake /usr/bin/checkmake
I see your dockerfile is based on FROM golang:1.13 as builder and FROM alpine:3.11
Upgrading to the latest golang and alpine, then republishing your image should do the job :)
Ah, that makes sense. The binary is built from an old base image & old version of go. So that would statically compile based on those toolchain dependency versions and embed the old go standard library into the binary. It's likely what the trivy scanning tool is picking up on.
I noticed this too after searching for instances of old go versions in the codebase, which found hardcoded versions in the .github workflows & Dockerfile. I updated the Dockerfile here, which should take care of that part. The rest is in #121, including the .github/workflows, go versions, and all the dependencies except the one API breakage from olekukonko/tablewriter, which needed to be held back at v0.0.5 for compatibility.
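The reason the scan fires on the binary rather than on go.mod is the one trinitronx gives above: a statically linked Go binary carries the toolchain it was built with, and that toolchain version is recorded in the binary's embedded build information (what `go version -m <binary>` prints, and what a gobinary scanner reads). The program below is an added example written for this issue, not code from checkmake, Trivy or MegaLinter. It reads that build information with the standard library's `debug/buildinfo` package, parses the toolchain version, and compares it against a few "Fixed Version" entries copied from the Trivy table above, using a conservative reading of that column: a toolchain is patched only if it is at or above the listed patch release for its own release line, or on a newer line than every entry. The three-row advisory list and the comparison rule are this example's own assumptions; the real scan uses Trivy's full database.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
	"strings"
)

// GoVersion is a parsed Go toolchain release such as "go1.13.15".
type GoVersion struct{ Major, Minor, Patch int }

func (v GoVersion) String() string { return fmt.Sprintf("go%d.%d.%d", v.Major, v.Minor, v.Patch) }

// line orders release lines (1.13 < 1.16 < 1.17 ...) ignoring the patch level.
func (v GoVersion) line() int { return v.Major*1000 + v.Minor }

var goVersionRE = regexp.MustCompile(`^(?:go)?(\d+)\.(\d+)(?:\.(\d+))?$`)

// ParseGoVersion accepts "go1.13.15", "1.17.7" or "go1.24" (patch defaults to 0).
// Pre-release and development toolchains ("go1.22rc1", "devel ...") are rejected
// rather than guessed at, so a caller never treats an unknown build as patched.
func ParseGoVersion(s string) (GoVersion, error) {
	m := goVersionRE.FindStringSubmatch(strings.TrimSpace(s))
	if m == nil {
		return GoVersion{}, fmt.Errorf("unrecognised Go toolchain version %q", s)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch := 0
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	return GoVersion{major, minor, patch}, nil
}

// FixedIn reports whether toolchain v contains a fix whose "Fixed Version" text
// reads like Trivy's column, e.g. "1.16.14, 1.17.7": each entry is the first patch
// release of one supported line carrying the fix. v counts as fixed when it is at
// or above the entry for its own line, or on a newer line than every entry. A line
// older than all entries, or an unlisted line that is not newer than all of them,
// is treated as still vulnerable (the conservative reading, an assumption here).
func FixedIn(v GoVersion, fixedVersions string) (bool, error) {
	samePatch, highestLine := -1, -1
	for _, f := range strings.Split(fixedVersions, ",") {
		fv, err := ParseGoVersion(f)
		if err != nil {
			return false, err
		}
		if fv.line() > highestLine {
			highestLine = fv.line()
		}
		// Several entries for one line (1.20.11 and 1.20.12 for an incomplete
		// fix, as in CVE-2023-45283) collapse to the highest patch listed.
		if fv.line() == v.line() && fv.Patch > samePatch {
			samePatch = fv.Patch
		}
	}
	if samePatch >= 0 {
		return v.Patch >= samePatch, nil
	}
	return v.line() > highestLine, nil
}

// Advisory pairs a CVE with the Trivy "Fixed Version" column for Go's stdlib.
type Advisory struct{ ID, Fixed string }

// SampleAdvisories: three rows copied from the Trivy table in this issue
// (the full table has 43; three are enough to show the comparison at work).
var SampleAdvisories = []Advisory{
	{"CVE-2022-23806", "1.16.14, 1.17.7"},
	{"CVE-2023-45283", "1.20.11, 1.21.4, 1.20.12, 1.21.5"},
	{"CVE-2023-45287", "1.20.0"},
}

// Outstanding returns the advisories that still apply to a binary built with v.
func Outstanding(v GoVersion, advisories []Advisory) ([]string, error) {
	var ids []string
	for _, a := range advisories {
		fixed, err := FixedIn(v, a.Fixed)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", a.ID, err)
		}
		if !fixed {
			ids = append(ids, a.ID)
		}
	}
	return ids, nil
}

// ToolchainOf reads the Go toolchain recorded in a binary's embedded build
// information (present in binaries built with Go 1.13 or later), which is the
// same data `go version -m <binary>` prints.
func ToolchainOf(path string) (GoVersion, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return GoVersion{}, err
	}
	return ParseGoVersion(bi.GoVersion)
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: gotoolcheck <go-binary>...   e.g. /usr/bin/checkmake")
		os.Exit(2)
	}
	exit := 0
	for _, path := range os.Args[1:] {
		v, err := ToolchainOf(path)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			exit = 1
			continue
		}
		ids, err := Outstanding(v, SampleAdvisories)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			exit = 1
			continue
		}
		fmt.Printf("%s: built with %s, outstanding stdlib advisories: %v\n", path, v, ids)
		if len(ids) > 0 {
			exit = 1 // fail the build/CI step, the way the Trivy action would
		}
	}
	os.Exit(exit)
}
```

Run as `go run . /usr/bin/checkmake` inside an image built from `mrtazz/checkmake:latest` and it reports the go1.13 toolchain with all three sample advisories outstanding; the same binary rebuilt from a current golang image reports none. Scanning the source tree with `trivy fs` cannot see this, which is why the go.mod scan above came back clean while the image scan did not.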
@trinitronx the docker image is still based on old go version
https://github.com/checkmake/checkmake/blob/c71a948ebc56c8d7ca7c562b8ec0f0a3ac713448/Dockerfile#L1
When do you plan to make an update and publish the new "latest" docker image?
If it's soon, it will allow MegaLinter to embed checkmake in its next major release, otherwise we'll have to remove it :/
@nvuillam I do not currently have Collaborator (a.k.a. Maintainer) access to this repo. So, I'm unable to merge this on my own. Even if I did have access, if there are multiple OSS collaborators on a project, I'd generally prefer if someone could code review also prior to merging just to adhere to good engineering practices.
It looks like some talk about maintainership is currently happening in #44.
@trinitronx thanks for replying :) If there is no active maintenance, I think I'll disable checkmake in MegaLinter until it has :)
@mrtazz, @obnoxxx Most, if not all, of these specific security findings should be resolved after the most recent round of Dependabot PRs were merged. Any chance a 0.2.3 release could be cut along with a new latest Docker image?
@mrtazz, @obnoxxx Bumping the request for a new release, which I believe would effectively resolve this particular issue.