
Go vulns present in multiple locations in atlantis image

Open richgerrard opened this issue 1 year ago • 1 comment

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Overview of the Issue

Vulnerability scanners looking at the latest atlantis image 0.25.0 reveal 5 versions of Go installed at different paths. [screenshot] Only /usr/local/bin/atlantis and /usr/local/bin/terraform are at high enough versions of Go to pass vulnerability scans. The Go vulns present in the other three paths require an upgrade of those components, or we cannot deploy this tool. [screenshot]

Reproduction Steps

Download the atlantis:latest (atlantis:0.25.0) image locally and scan it with your favourite vulnerability scanner. All the Go vulns will light up like a stop light.

Logs

N/A

Environment details

  • Atlantis version: 0.25.0
  • Deployment method: n/a
  • If not running the latest Atlantis version have you tried to reproduce this issue on the latest version: n/a
  • Atlantis flags: n/a

Atlantis server-side config file: n/a

Repo atlantis.yaml file: n/a

Any other information you can provide about the environment/deployment (efs/nfs, aws/gcp, k8s/fargate, etc)

Additional Context

  • https://nvd.nist.gov/vuln/detail/CVE-2023-29400
  • https://nvd.nist.gov/vuln/detail/CVE-2023-29402
  • https://nvd.nist.gov/vuln/detail/CVE-2023-29403
  • https://nvd.nist.gov/vuln/detail/CVE-2023-29404
  • https://nvd.nist.gov/vuln/detail/CVE-2023-29405
  • https://nvd.nist.gov/vuln/detail/CVE-2023-39533
  • https://nvd.nist.gov/vuln/detail/CVE-2023-24534
  • https://nvd.nist.gov/vuln/detail/CVE-2023-24536
  • https://nvd.nist.gov/vuln/detail/CVE-2023-24537
  • https://nvd.nist.gov/vuln/detail/CVE-2023-24538
  • https://nvd.nist.gov/vuln/detail/CVE-2023-24539
  • https://nvd.nist.gov/vuln/detail/CVE-2023-24540
  • etc...

richgerrard avatar Aug 23 '23 13:08 richgerrard

I'd like to enrich this issue with some already fixed critical dependencies which are still missing in the image of Atlantis:

[screenshot] The moby/buildkit maintainers took care and released a fix for their current CVEs in version 0.12.5:

For reproducing the list of fixed vulnerabilities I recommend:

    docker scout cves runatlantis/atlantis:latest --only-severity critical --only-fixed

dbalucas avatar Feb 07 '24 12:02 dbalucas
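Both comments above rely on what an image scanner reads out of Go binaries: the toolchain version and the module list that the Go linker embeds into every executable. The program below, an added example that is not part of this issue, of the Atlantis project or of any scanner, reproduces that step offline so you can check an image before a scanner does. It walks an exported rootfs (for instance `docker export "$(docker create runatlantis/atlantis:0.25.0)" | tar -x -C rootfs`), reads the build info of every Go binary with the standard library's debug/buildinfo package, flags binaries whose toolchain is older than a minimum release, and reports whether a linked module such as github.com/moby/buildkit is older than a given version (v0.12.5, the release named in the comment above). The default minimum Go version `go1.21.1` and the walk root `.` are placeholders; take the real threshold from the fixed versions listed in the CVE entries your scanner reports.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Finding is one Go executable discovered under the scanned root.
type Finding struct {
	Path      string
	GoVersion string            // toolchain recorded in the binary, e.g. "go1.20.7"
	Deps      map[string]string // module path -> version from the embedded build info
}

// parseVersion reads a dotted release such as "go1.20.7" or "v0.12.5" after
// stripping prefix. Pre-release, devel and pseudo-version strings ("go1.21rc1",
// "devel go1.22-…", "v0.12.5-0.2023…") do not parse and return ok=false, so
// callers can treat them conservatively instead of guessing.
func parseVersion(v, prefix string) (parts [3]int, ok bool) {
	fields := strings.Split(strings.TrimPrefix(v, prefix), ".")
	if len(fields) < 2 || len(fields) > 3 {
		return parts, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return parts, false
		}
		parts[i] = n
	}
	return parts, true
}

// versionLess reports whether release a is older than release b. Unparsable
// input compares as "not less"; the Outdated* helpers handle the unknown case.
func versionLess(a, b, prefix string) bool {
	pa, oka := parseVersion(a, prefix)
	pb, okb := parseVersion(b, prefix)
	if !oka || !okb {
		return false
	}
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// ScanDir walks root (an exported container rootfs, for example) and returns
// every regular file that carries Go build info. Files that are not Go
// binaries make buildinfo.ReadFile fail and are skipped; symlinks are not followed.
func ScanDir(root string) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		bi, err := buildinfo.ReadFile(path)
		if err != nil {
			return nil // not a Go binary (or no build info): nothing to report
		}
		f := Finding{Path: path, GoVersion: bi.GoVersion, Deps: map[string]string{}}
		for _, m := range bi.Deps {
			if m.Replace != nil { // a replace directive decides what was actually linked
				f.Deps[m.Path] = m.Replace.Version
			} else {
				f.Deps[m.Path] = m.Version
			}
		}
		out = append(out, f)
		return nil
	})
	return out, err
}

// OutdatedToolchain is true when the binary was built with a Go release older
// than minGo, or with a toolchain string that cannot be parsed (flag for review).
func OutdatedToolchain(f Finding, minGo string) bool {
	if _, ok := parseVersion(f.GoVersion, "go"); !ok {
		return true
	}
	return versionLess(f.GoVersion, minGo, "go")
}

// OutdatedDep reports whether module is linked into the binary and, if so,
// whether the linked version is older than minVersion ("vX.Y.Z"). Pseudo-versions
// and local replaces cannot be compared and are reported as outdated for review.
func OutdatedDep(f Finding, module, minVersion string) (present, outdated bool) {
	v, ok := f.Deps[module]
	if !ok {
		return false, false
	}
	if _, ok := parseVersion(v, "v"); !ok {
		return true, true
	}
	return true, versionLess(v, minVersion, "v")
}

func main() {
	root, minGo := ".", "go1.21.1" // placeholders: rootfs path and the oldest clean Go release
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	if len(os.Args) > 2 {
		minGo = os.Args[2]
	}
	findings, err := ScanDir(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		status := "ok"
		if OutdatedToolchain(f, minGo) {
			status = "OUTDATED"
		}
		fmt.Printf("%-9s %-14s %s\n", status, f.GoVersion, f.Path)
		if present, old := OutdatedDep(f, "github.com/moby/buildkit", "v0.12.5"); present && old {
			fmt.Printf("          linked github.com/moby/buildkit %s is older than v0.12.5\n",
				f.Deps["github.com/moby/buildkit"])
		}
	}
}
```

Run it as `go run . rootfs go1.21.1` against the extracted image. This is the same evidence a scanner uses to attribute Go standard-library CVEs to a binary, which is why several differently built binaries in one image produce several distinct findings. It says nothing about whether the vulnerable code is reachable; for that, `govulncheck -mode=binary <file>` on each flagged binary narrows the list to functions the binary actually calls.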