democratic-csi/csi-grpc-proxy

Out-of-date go libraries with multiple vulnerabilities

Closed this issue · 2 comments

The Go libraries used in the container are pretty old, and some of them have CVEs that have my InfoSec team rejecting the image for use. Can they be updated?

The specific libraries and CVEs are:

golang.org/x/net -
Installed Version: v0.0.0-20220225172249-27dd8689420f
CVEs: CVE-2022-27664, CVE-2022-41723, CVE-2023-39325, CVE-2023-3978, CVE-2023-44487
Looks like all of these are fixed by v0.17.0 or later.

golang.org/x/text -
Installed Version: v0.3.7
CVE: CVE-2022-32149
Looks like it is fixed in v0.3.8

Sure! Probably just need to bump the CI Go version.

Give v0.5.6 a try and let me know if that scans any better.
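A quick way to check a go.mod against the fixed versions quoted in the report above, as an added example (this is not code from the csi-grpc-proxy project): it parses the require block, compares each module version with a small semver comparator that also handles pseudo-versions like v0.0.0-20220225172249-27dd8689420f, and lists anything below the minimum. The go.mod text, the module path example.com/csi-grpc-proxy and the grpc line are constructed for the example; only the two minimum versions (x/net v0.17.0, x/text v0.3.8) come from the report.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// minFixed holds the minimum versions the issue report says fix the listed CVEs.
var minFixed = map[string]string{
	"golang.org/x/net":  "v0.17.0",
	"golang.org/x/text": "v0.3.8",
}

// sampleGoMod is a constructed go.mod mirroring the versions the report lists;
// it is not the project's real go.mod.
const sampleGoMod = `module example.com/csi-grpc-proxy

go 1.17

require (
	golang.org/x/net v0.0.0-20220225172249-27dd8689420f
	golang.org/x/text v0.3.7 // indirect
	google.golang.org/grpc v1.44.0
)
`

// parseVersion splits "vMAJOR.MINOR.PATCH[-pre]" into its numbers and the
// prerelease suffix. A pseudo-version carries its timestamp and hash in the
// suffix, so v0.0.0-2022... sorts below any tagged release.
func parseVersion(v string) (nums [3]int, pre string, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre = v[i+1:]
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, pre, fmt.Errorf("malformed version %q", v)
	}
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil {
			return nums, pre, fmt.Errorf("malformed version %q: %v", v, convErr)
		}
		nums[i] = n
	}
	return nums, pre, nil
}

// compareVersions returns -1, 0 or 1 like strings.Compare. Per semver, a
// version with a prerelease suffix sorts before the same version without one.
func compareVersions(a, b string) (int, error) {
	an, ap, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	bn, bp, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < 3; i++ {
		if an[i] < bn[i] {
			return -1, nil
		}
		if an[i] > bn[i] {
			return 1, nil
		}
	}
	switch {
	case ap == bp:
		return 0, nil
	case ap == "":
		return 1, nil
	case bp == "":
		return -1, nil
	}
	return strings.Compare(ap, bp), nil
}

// requires extracts "module version" pairs from single-line and block requires.
func requires(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" etc.
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		switch {
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require ") && len(f) == 3:
			out[f[1]] = f[2]
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		}
	}
	return out
}

// Outdated returns the modules in gomod that sit below their minimum fixed version.
func Outdated(gomod string) (map[string]string, error) {
	found := map[string]string{}
	for mod, have := range requires(gomod) {
		want, ok := minFixed[mod]
		if !ok {
			continue
		}
		c, err := compareVersions(have, want)
		if err != nil {
			return nil, err
		}
		if c < 0 {
			found[mod] = have
		}
	}
	return found, nil
}

func main() {
	bad, err := Outdated(sampleGoMod)
	if err != nil {
		panic(err)
	}
	for mod, v := range bad {
		fmt.Printf("%s %s is below the fixed version %s\n", mod, v, minFixed[mod])
	}
}
```

To confirm a rebuilt image actually picked up the bump, run `go version -m` against the binary inside the container (it prints the module versions compiled in) rather than trusting go.mod alone; the same comparison applies to that output.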