
CVEs in latest version

Open M4tteoP opened this issue 2 years ago • 3 comments

Hi there, the following CVEs have been reported by scanning kubegres:

| Severity | CVE | Package | Fix |
|---|---|---|---|
| HIGH | PRISMA-2022-0227 | github.com/emicklei/go-restful/v3 | v3.9.0 -> v3.10.0 |
| HIGH | CVE-2023-44487 | golang.org/x/net | v0.13.0 -> v0.17.0 |
| HIGH | CVE-2023-39325 | golang.org/x/net/http2 | v0.13.0 -> v0.17.0 |

It would be great to update the mentioned dependencies and fix them; I'm opening a PR to fix this issue.

M4tteoP (Mar 26 '24 11:03)
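
As an added example (not code from the kubegres project or from anyone in this thread), a small Go check that reads `go list -m all` output and flags modules still below the fixed versions listed in the report. The module list is constructed and `example.com/kubegres` is a placeholder for the real main-module path.

```go
package main

import (
	"fmt"
	"strings"
)
type Finding struct{ ID, Module, Have, Fixed string }
// The three findings from the report. CVE-2023-39325 names the http2 package,
// but go.mod records its parent module golang.org/x/net.
var advisories = []Finding{
	{"PRISMA-2022-0227", "github.com/emicklei/go-restful/v3", "", "v3.10.0"},
	{"CVE-2023-44487", "golang.org/x/net", "", "v0.17.0"},
	{"CVE-2023-39325", "golang.org/x/net", "", "v0.17.0"},
}
// Constructed `go list -m all` output, not the real kubegres module list.
const sampleGoList = `example.com/kubegres
github.com/emicklei/go-restful/v3 v3.9.0
golang.org/x/net v0.13.0
k8s.io/client-go v0.28.3`
// parseVersion reads "vMAJOR.MINOR.PATCH" as numbers; a -pre or +build suffix is ignored.
func parseVersion(v string) (n [3]int) {
	fmt.Sscanf(v, "v%d.%d.%d", &n[0], &n[1], &n[2])
	return n
}
// olderThan compares numerically field by field, so v3.9.0 sorts below
// v3.10.0 where plain string comparison would wrongly put it above.
func olderThan(have, fixed string) bool {
	h, f := parseVersion(have), parseVersion(fixed)
	for i := range h {
		if h[i] != f[i] {
			return h[i] < f[i]
		}
	}
	return false
}
// CheckModules returns every advisory whose module is listed below its fix;
// the main-module line of `go list -m all` has no version and is skipped.
func CheckModules(goList string) (out []Finding) {
	for _, line := range strings.Split(goList, "\n") {
		f := strings.Fields(line)
		for _, a := range advisories {
			if len(f) >= 2 && f[0] == a.Module && olderThan(f[1], a.Fixed) {
				a.Have = f[1]
				out = append(out, a)
			}
		}
	}
	return out
}
```

Run it against real output with `go list -m all > modules.txt` and pass the file contents to `CheckModules`; an empty result means every listed module is at or above its fix version.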

Thank you. I will upgrade Kubegres to the latest version of Kubebuilder, which should fix the CVEs. I am just waiting on them to release a new version, which should be soon.

alex-arica (Mar 26 '24 12:03)

Thanks @alex-arica! Please feel free to close the just-opened PR if you are already addressing it in other ways!

M4tteoP (Mar 26 '24 12:03)

Considering the average release cycle of Kubebuilder is 3 months, the next release should happen by the 30th April. Perhaps it would be a long wait.

I will check your PR this week and run it against all acceptance tests.

alex-arica (Mar 26 '24 12:03)