[BUG] What to do regarding Security Warnings
gabo1208 opened this issue · 5 comments
gabo1208 commented
xtreme-sameer-vohra commented
Thanks for flagging this @gabo1208
Does sources-for-knative allow an arbitrary user to define URLs used with go-retryablehttp? That would raise the exposure according to https://cwe.mitre.org/data/definitions/117.html
From a quick glance, I don't see an upstream issue/patch in https://github.com/hashicorp/go-retryablehttp so it might be worth raising this upstream.
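To make the CWE-117 concern in the comment above concrete, here is an added example (not code from sources-for-knative, knative eventing or go-retryablehttp). It assumes a hypothetical debug line of the shape a retrying HTTP client writes before each attempt, and a user-controlled sink URL constructed here to carry CR/LF. `neutralizeForLog` and `validateSinkURL` are illustrative helpers, not project APIs: the first escapes control characters so one logged value cannot span two log lines, the second rejects such URLs up front using `net/url`, which refuses control characters at parse time.

```go
// Added example illustrating CWE-117 (log neutralization) for user-supplied
// URLs. Not code from sources-for-knative or go-retryablehttp; the log format,
// helper names and sample URL are assumptions made for this illustration.
package main

import (
	"fmt"
	"net/url"
	"strings"
	"unicode"
)

// neutralizeForLog escapes CR, LF, TAB and any other non-printable rune so a
// single logged value always occupies exactly one log line. Printable
// non-ASCII text is kept as-is.
func neutralizeForLog(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r == '\n':
			b.WriteString(`\n`)
		case r == '\r':
			b.WriteString(`\r`)
		case r == '\t':
			b.WriteString(`\t`)
		case unicode.IsControl(r) || !unicode.IsPrint(r):
			if r < 0x80 {
				fmt.Fprintf(&b, `\x%02x`, r)
			} else {
				fmt.Fprintf(&b, `\u%04x`, r)
			}
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// rawLine is the unsafe form: the URL goes into the log entry unchanged.
func rawLine(method, rawURL string, attempt int) string {
	return fmt.Sprintf("[DEBUG] attempt=%d %s %s", attempt, method, rawURL)
}

// safeLine is the hardened form: the URL is neutralized before logging.
func safeLine(method, rawURL string, attempt int) string {
	return fmt.Sprintf("[DEBUG] attempt=%d %s %s", attempt, method, neutralizeForLog(rawURL))
}

// countLogLines reports how many lines one entry occupies; a forged entry
// succeeds when the count is greater than one.
func countLogLines(entry string) int {
	return len(strings.Split(entry, "\n"))
}

// validateSinkURL rejects a user-supplied URL before it reaches any HTTP
// client or logger. net/url returns an error for control characters in the
// raw URL, and the scheme is restricted to http/https.
func validateSinkURL(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if u.Host == "" {
		return fmt.Errorf("missing host in %q", rawURL)
	}
	return nil
}

func main() {
	// Constructed attacker-controlled sink URL carrying a forged log entry.
	evil := "http://sink.example/hook\n[INFO] attempt=1 GET http://sink.example/ok 200"

	fmt.Println(rawLine("POST", evil, 1))  // two lines: the second is forged
	fmt.Println(safeLine("POST", evil, 1)) // one line: the LF is escaped
	fmt.Println("raw lines:", countLogLines(rawLine("POST", evil, 1)),
		"safe lines:", countLogLines(safeLine("POST", evil, 1)))

	fmt.Println("validate evil:", validateSinkURL(evil))
	fmt.Println("validate ok:  ", validateSinkURL("https://sink.example/hook"))
}
```

Both checks are worth having: validation stops hostile URLs at the boundary where the user defines them, and neutralization at the logger protects every other code path (including a vendored client the project does not control) that may log the value.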
embano1 commented
It's a transitive dependency in vendor/knative.dev/eventing/pkg/kncloudevents/message_sender.go. Looks like we are not seeing this in other kn repos then?