testcontainers-go
[Bug]: Vulnerability Report: GO-2023-1621
Testcontainers version
0.19.0
Using the latest Testcontainers version?
Yes
Host OS
Linux
Host arch
ARM
Go version
1.20
Docker version
20.10.13
Docker info
Client:
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc., v0.8.1)
compose: Docker Compose (Docker Inc., v2.3.3)
scan: Docker Scan (Docker Inc., v0.17.0)
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 8
Server Version: 20.10.13
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 2a1d4dbdb2a1030dc5b01e96fb110a9d9f150ecc
runc version: v1.0.3-0-gf46b6ba
init version: de40ad0
Security Options:
seccomp
Profile: default
cgroupns
Kernel Version: 5.10.104-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: aarch64
CPUs: 4
Total Memory: 7.667GiB
Name: docker-desktop
ID: O6RA:BAA5:FBCA:IOWG:EDNE:XUAN:GSTB:HCOV:YOH7:QB53:XGHO:L3XP
Docker Root Dir: /var/lib/docker
Debug Mode: false
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
No Proxy: hubproxy.docker.internal
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
hubproxy.docker.internal:5000
127.0.0.0/8
Live Restore Enabled: false
What happened?
A new vulnerability was found in the crypto dependency, which is used by testcontainers!
I strongly recommend bumping that dependency, as SonarQube and other tools do not let pipelines through!
Vulnerability #1: GO-2023-1621
The ScalarMult and ScalarBaseMult methods of the P256 Curve may
return an incorrect result if called with some specific
unreduced scalars (a scalar larger than the order of the curve).
This does not impact usages of crypto/ecdsa or crypto/ecdh.
More info: https://pkg.go.dev/vuln/GO-2023-1621
Standard library
Found in: crypto/internal/[email protected]
Fixed in: crypto/internal/[email protected]
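GO-2023-1621 is a standard-library finding, so what clears it is the Go toolchain version the module is built with, not an entry in testcontainers-go's go.mod. As an added example (not code from testcontainers-go or from the reporter), the helper below reduces a scalar modulo the P-256 order before calling the affected method, which makes the unreduced-scalar input condition described above unreachable on any toolchain; the function names and the N+5 input are constructed for this illustration.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// reduceScalar returns k mod N as a fixed-width big-endian byte slice,
// where N is the order of the given curve. Because k*G == (k mod N)*G,
// this does not change the mathematical result; it only removes the
// "unreduced scalar" input condition described in GO-2023-1621.
func reduceScalar(curve elliptic.Curve, k []byte) []byte {
	n := curve.Params().N
	s := new(big.Int).SetBytes(k)
	s.Mod(s, n)
	out := make([]byte, (n.BitLen()+7)/8)
	return s.FillBytes(out)
}

// IsReduced reports whether k, read as a big-endian integer, is strictly
// below the curve order, i.e. whether it is a scalar the advisory calls safe.
func IsReduced(curve elliptic.Curve, k []byte) bool {
	return new(big.Int).SetBytes(k).Cmp(curve.Params().N) < 0
}

// SafeScalarBaseMult wraps the affected crypto/elliptic method so that
// callers can never reach it with an unreduced scalar. (crypto/elliptic's
// ScalarBaseMult is deprecated but still available; it is used here only
// because it is the method the advisory names.)
func SafeScalarBaseMult(curve elliptic.Curve, k []byte) (*big.Int, *big.Int) {
	return curve.ScalarBaseMult(reduceScalar(curve, k))
}

func main() {
	curve := elliptic.P256()
	// Constructed input: N+5 fits in 32 bytes but is larger than the order.
	unreduced := new(big.Int).Add(curve.Params().N, big.NewInt(5)).Bytes()
	fmt.Println("input already reduced?", IsReduced(curve, unreduced)) // false
	x, y := SafeScalarBaseMult(curve, unreduced)
	x5, y5 := curve.ScalarBaseMult([]byte{5})
	fmt.Println("equals 5*G:", x.Cmp(x5) == 0 && y.Cmp(y5) == 0) // true
}
```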
Relevant log output
Vulnerability #1: GO-2023-1621
The ScalarMult and ScalarBaseMult methods of the P256 Curve may
return an incorrect result if called with some specific
unreduced scalars (a scalar larger than the order of the curve).
This does not impact usages of crypto/ecdsa or crypto/ecdh.
More info: https://pkg.go.dev/vuln/GO-2023-1621
Standard library
Found in: crypto/internal/[email protected]
Fixed in: crypto/internal/[email protected]
Additional information
https://pkg.go.dev/vuln/GO-2023-1621