Bump github.com/go-jose/go-jose to v3.0.3 to fix CVE-2024-28180 #6854
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This should fix the failing trivy tests in test grid which are reporting that cert-manager controller is vulnerable to https://avd.aquasec.com/nvd/2024/cve-2024-28180/:
We think this is a false positive, because the cert-manager controller does not handle JWE.
and because
govulncheck
reports that the controller is not vulnerable to this issue:Nevertheless, we are updating the module for the sake of silencing the trivy alerts in our repo and of any of our users.
I ran the following commands to update the go-jose module:
/kind cleanup