CVE hits on latest release
Closed this issue · 3 comments
Hello, my organization has been using this packer plugin, but our cyber scans are hitting on "High" rated vulnerabilities. Is this something that can be patched, or, if these are false positives, can you explain why? Appreciate any assistance.
```
./packer/plugins/github.com/ethanmdavidson/git/packer-plugin-git_v0.6.1_x5.0_linux_amd64

NAME    INSTALLED  FIXED-IN  TYPE       VULNERABILITY   SEVERITY
stdlib  go1.19.13            go-module  CVE-2023-45287  High
stdlib  go1.19.13            go-module  CVE-2023-45285  High
stdlib  go1.19.13            go-module  CVE-2023-44487  High
stdlib  go1.19.13            go-module  CVE-2023-39323  High
```
Hi! Thanks for bringing this to my attention. At first glance I think these CVEs probably don't affect this plugin, since it doesn't make any network calls. However, fixing the CVEs might be as simple as upgrading to Go 1.20, so I might just fix it anyway. I should have time to take a deeper look by the end of next week.
I've released v0.6.2 which upgrades go to 1.21 and upgrades many other dependencies as well. Please try it out and let me know if this issue is resolved or not.
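The scanner hits above are keyed on one thing: the Go toolchain version that the compiler embeds in every binary (the same field `go version -m <binary>` prints). The example below, added here and not code from the packer-plugin-git project, reads that field from a binary with the standard `debug/buildinfo` package and compares it against the first fixed release of each of the four CVEs in the report. The fixed releases and affected packages are my reading of the Go vulnerability database entries for these CVEs and are an assumption to confirm against https://vuln.go.dev. Two of the four name `cmd/go`, the build toolchain itself, rather than a package that gets linked into the plugin; for the other two, whether the code is actually reachable is what `govulncheck -mode binary <binary>` decides, which is the check to run before calling a hit a false positive.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Advisory records one stdlib/toolchain CVE: the package it names and the
// first release of each minor series that carries the fix. The values are
// my reading of the Go vulnerability database (assumption; verify at vuln.go.dev).
type Advisory struct {
	CVE     string
	Package string   // "net/http" etc. is linked into binaries; "cmd/go" is the build toolchain only
	Fixed   []string // first fixed release per minor series, e.g. "go1.20.10", "go1.21.3"
}

var advisories = []Advisory{
	{"CVE-2023-45287", "crypto/tls", []string{"go1.20.0"}},
	{"CVE-2023-45285", "cmd/go", []string{"go1.20.12", "go1.21.5"}},
	{"CVE-2023-44487", "net/http", []string{"go1.20.10", "go1.21.3"}},
	{"CVE-2023-39323", "cmd/go", []string{"go1.20.9", "go1.21.2"}},
}

// parseGoVersion turns "go1.19.13" or "go1.20" into (minor, patch).
// Pre-release strings such as "go1.21rc1" are rejected rather than guessed at.
func parseGoVersion(v string) (minor, patch int, err error) {
	v = strings.TrimPrefix(v, "go")
	parts := strings.SplitN(v, ".", 3)
	if len(parts) < 2 || parts[0] != "1" {
		return 0, 0, fmt.Errorf("unsupported Go version %q", v)
	}
	if minor, err = strconv.Atoi(parts[1]); err != nil {
		return 0, 0, fmt.Errorf("unsupported Go version %q", v)
	}
	if len(parts) == 3 {
		if patch, err = strconv.Atoi(parts[2]); err != nil {
			return 0, 0, fmt.Errorf("unsupported Go version %q", v)
		}
	}
	return minor, patch, nil
}

// fixedIn reports whether toolchain version v already carries the fix: a minor
// series newer than every fixed series is fixed, a series with an entry is fixed
// from that patch release on, and anything older than all entries is affected.
func fixedIn(v string, fixed []string) (bool, error) {
	minor, patch, err := parseGoVersion(v)
	if err != nil {
		return false, err
	}
	newestFixedMinor := -1
	for _, f := range fixed {
		fMinor, fPatch, err := parseGoVersion(f)
		if err != nil {
			return false, err
		}
		if fMinor > newestFixedMinor {
			newestFixedMinor = fMinor
		}
		if fMinor == minor {
			return patch >= fPatch, nil
		}
	}
	return minor > newestFixedMinor, nil
}

// Affected returns the advisories whose fix postdates the given toolchain version.
func Affected(goVersion string) ([]Advisory, error) {
	var out []Advisory
	for _, a := range advisories {
		ok, err := fixedIn(goVersion, a.Fixed)
		if err != nil {
			return nil, err
		}
		if !ok {
			out = append(out, a)
		}
	}
	return out, nil
}

// ToolchainVersion reads the build info Go embeds in every binary since 1.18;
// it is the field scanners match on and that `go version -m` prints.
func ToolchainVersion(path string) (string, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return info.GoVersion, nil
}

func main() {
	path, err := os.Executable() // no argument: inspect this program itself
	if len(os.Args) > 1 {
		path, err = os.Args[1], nil
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	v, err := ToolchainVersion(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, "no Go build info:", err)
		os.Exit(1)
	}
	hits, err := Affected(v)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s built with %s: %d advisories not fixed in that toolchain\n", path, v, len(hits))
	for _, a := range hits {
		note := "linked in only if reachable; confirm with govulncheck -mode binary"
		if strings.HasPrefix(a.Package, "cmd/") {
			note = "build toolchain only; not code shipped in the binary"
		}
		fmt.Printf("  %s (%s, fixed in %s): %s\n", a.CVE, a.Package, strings.Join(a.Fixed, ", "), note)
	}
}
```

Run it as `go run . ./packer-plugin-git_v0.6.1_x5.0_linux_amd64`; for the go1.19.13 build in the report all four advisories come back unfixed, which is exactly why the scanner flags them, and a rebuild with go1.21.5 or later clears the list. The version comparison only tells you the toolchain predates the fix; it says nothing about whether the vulnerable function is in the binary, so treat this as triage and let govulncheck make the reachability call.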