Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Critical CVE on goss #941

Closed
ikheifets-splunk opened this issue Jun 25, 2024 · 11 comments
Closed

Critical CVE on goss #941

ikheifets-splunk opened this issue Jun 25, 2024 · 11 comments
Labels

Comments

@ikheifets-splunk
Copy link
Contributor

ikheifets-splunk commented Jun 25, 2024

Describe the bug
Critical CVE on goss

Screenshot 2024-06-25 at 10 19 11

How To Reproduce
Use trivy to detect CVE, in our case it's has been detected on CI

Expected Behavior
Haven't CVE

Actual Behavior
CVE

Environment:

  • Version of goss: 0.4.7
  • OS/Distribution version: alpine 3.18.6
@aelsabbahy
Copy link
Member

@dklimpel this is a good opportunity to test the new trivy pipeline. Is it possible to reproduce this finding in the goss CI?

@dklimpel
Copy link
Contributor

You should be able to run the workflow manually: https://github.com/goss-org/goss/actions/workflows/docker-goss.yaml

But it probably won't find anything because the workflow creates a new build and the affected dependency seems to be indirect.

@aelsabbahy
Copy link
Member

Hmm, I wonder if it makes sense to have daily (or weekly) trivy run on the last published image?

@dklimpel
Copy link
Contributor

dklimpel commented Jul 3, 2024

I think latest tagged release, not latest image.

@rjha-splunk
Copy link

Any update on this bug ? @dklimpel @aelsabbahy

@ikheifets-splunk
Copy link
Contributor Author

@aelsabbahy @dklimpel I prepared PR with updating go version, because CVE located in stdlib

@aelsabbahy
Copy link
Member

Sorry for the delay on this. It seems there's some issues with CI. Still trying to debug.

oddly the working commit and the failing commit are exactly the same, so not sure if something changed on travis-ci or if there's another factor at play (e.g. docker test image caching).

@aelsabbahy
Copy link
Member

Update: Found the issue, I believe I merged in a fix. Unfortunately, I ran out of travis-ci OSS credits again, waiting on travis-ci to respond.

These issues will go away once the migration to GHA is complete. This is probably going to be the last release on the travis-ci workflow.

@ikheifets-splunk
Copy link
Contributor Author

ikheifets-splunk commented Jul 18, 2024

@aelsabbahy thanks, no problem, sometimes such things happenings

@aelsabbahy
Copy link
Member

aelsabbahy commented Jul 19, 2024

Just cut a new release, please confirm the CVE is gone and we can close out this ticket.

Many thanks for reporting this issue and contributing the fix!

Sorry this took a little while, the whole CI story is in a bit of a transition.

@ikheifets-splunk
Copy link
Contributor Author

@aelsabbahy thanks so much, I tested update on 0.4.8 and it's fixing this Critical CVE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

4 participants