ethanmdavidson/packer-plugin-git

CVE hits on latest release


Hello, my organization has been using this packer plugin, but our cyber scans are hitting on "High" rated vulnerabilities. Is this something that can be patched, or, if these are false positives, can you explain why? Appreciate any assistance.

./packer/plugins/github.com/ethanmdavidson/git/packer-plugin-git_v0.6.1_x5.0_linux_amd64
NAME    INSTALLED  FIXED-IN  TYPE       VULNERABILITY   SEVERITY
stdlib  go1.19.13            go-module  CVE-2023-45287  High
stdlib  go1.19.13            go-module  CVE-2023-45285  High
stdlib  go1.19.13            go-module  CVE-2023-44487  High
stdlib  go1.19.13            go-module  CVE-2023-39323  High

Hi! Thanks for bringing this to my attention. At a first glance I think these CVEs probably don't affect this plugin, since it doesn't make any network calls. However, fixing the CVEs might be as simple as upgrading to go 1.20, so I might just fix it anyway. I should have time to take a deeper look by the end of next week.
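As an added illustration (not code from the plugin or from anyone in this thread): the scanner flagged the release because the Go linker embeds the toolchain version (go1.19.13 here) in every binary, and stdlib CVEs are matched against that string with no reachability analysis. This Go program reads that embedded build info from a binary and reports whether the toolchain is below a minimum policy version; the go1.21 floor is an assumption chosen to mirror the toolchain v0.6.2 moved to, and whether a given stdlib CVE is actually reachable still needs code-level analysis.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// parseGoVersion turns a toolchain string such as "go1.19.13" into [major minor patch];
// ok is false for strings it cannot read (e.g. "devel" builds).
func parseGoVersion(v string) (out [3]int, ok bool) {
	n, _ := fmt.Sscanf(strings.TrimPrefix(v, "go"), "%d.%d.%d", &out[0], &out[1], &out[2])
	return out, n >= 2 // "go1.21" (no patch number) parses as 1.21.0
}

// olderThan reports whether toolchain a is strictly older than b.
// Unparseable versions are never flagged; treat them as "unknown", not "safe".
func olderThan(a, b string) bool {
	pa, oka := parseGoVersion(a)
	pb, okb := parseGoVersion(b)
	if !oka || !okb {
		return false
	}
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// checkBinary reads the build info the Go linker embeds in every Go binary; its
// GoVersion field is what a scanner matches stdlib CVEs against.
func checkBinary(path, minGo string) (goVersion string, flagged bool, err error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	return info.GoVersion, olderThan(info.GoVersion, minGo), nil
}

// Usage: gocheck <path-to-go-binary>. The go1.21 floor is an assumption, not a rule from the thread.
func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <path-to-go-binary>")
		os.Exit(2)
	}
	v, flagged, err := checkBinary(os.Args[1], "go1.21")
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("%s: built with %s, below go1.21: %v\n", os.Args[1], v, flagged)
}
```

Run it against the plugin binary from the scan output to see the same toolchain string the scanner keyed on; a result of "false" after an upgrade only means the toolchain floor is met, not that every flagged CVE was reachable in the first place.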

I've released v0.6.2 which upgrades go to 1.21 and upgrades many other dependencies as well. Please try it out and let me know if this issue is resolved or not.


This update does appear to resolve the issue. Really appreciate it!