Conversation

@wanix (Contributor) commented Dec 20, 2024

Proposing some security fixes and updates:

Dockerfile

update to latest alpine

Version

update to 0.5.9

Fixes

I fixed the following errors by updating dependencies and Alpine:

+----------------+----------+------+-----------------------+-----------+--------------------+-----------+------------+------------+----------------------------------------------------+-------------------+
|      CVE       | SEVERITY | CVSS |        PACKAGE        |  VERSION  |       STATUS       | PUBLISHED | DISCOVERED | GRACE DAYS |                    DESCRIPTION                     | TRIGGERED FAILURE |
+----------------+----------+------+-----------------------+-----------+--------------------+-----------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2024-45338 | high     | 0.00 | golang.org/x/net/html | v0.29.0   | fixed in 0.33.0    | 1 days    | < 1 hour   | 13         | An attacker can craft an input to the Parse        | No                |
|                |          |      |                       |           | 1 days ago         |           |            |            | functions that would be processed non-linearly     |                   |
|                |          |      |                       |           |                    |           |            |            | with respect to its length, resulting in extremely |                   |
|                |          |      |                       |           |                    |           |            |            | slow par...                                        |                   |
+----------------+----------+------+-----------------------+-----------+--------------------+-----------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2024-9681  | medium   | 6.50 | curl                  | 8.10.1-r0 | fixed in 8.11.0-r0 | 44 days   | < 1 hour   | -14        | When curl is asked to use HSTS, the expiry time    | Yes               |
|                |          |      |                       |           | 43 days ago        |           |            |            | for a subdomain might overwrite a parent domain's  |                   |
|                |          |      |                       |           |                    |           |            |            | cache entry, making it end sooner or later than    |                   |
|                |          |      |                       |           |                    |           |            |            | oth...                                             |                   |
+----------------+----------+------+-----------------------+-----------+--------------------+-----------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2024-11053 | low      | 0.00 | curl                  | 8.10.1-r0 | fixed in 8.11.1-r0 | 9 days    | < 1 hour   | 92         | A flaw was found in curl. A logic error when       | No                |
|                |          |      |                       |           | 8 days ago         |           |            |            | processing credentials from the .netrc file        |                   |
|                |          |      |                       |           |                    |           |            |            | while performing redirects allows the transfer of  |                   |
|                |          |      |                       |           |                    |           |            |            | credentials...                                     |                   |
+----------------+----------+------+-----------------------+-----------+--------------------+-----------+------------+------------+----------------------------------------------------+-------------------+

Tested by using my generated image (on RDS PostgreSQL): docker.io/wanix/sql_exporter:v0.5.9
(no problem detected by Twistlock with this image also)

@wanix (Contributor, Author) commented Dec 20, 2024

Files modified:

I did the manual changes on:

  • Dockerfile (Alpine version for curl)
  • go.mod (for golang.org/x/net/html)
  • VERSION

Then:

go get
go mod tidy
go mod vendor
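An added example (my code, not part of this pull request or of the sql_exporter project): a Python check that reads the require lines of a go.mod and an `apk info -v` style package listing and reports anything still below the fix versions from the scan table above. The go.mod and apk listings are constructed; only the fix versions (golang.org/x/net 0.33.0, curl 8.11.1-r0) come from the table.

```python
import re

# Minimum versions that close the three findings in the scan table above.
REQUIRED = {"golang.org/x/net": "v0.33.0",  # CVE-2024-45338
            "curl": "8.11.1-r0"}            # CVE-2024-9681, CVE-2024-11053

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:-r(\d+))?")

def parse_version(v):
    """'v0.33.0' or '8.11.1-r0' -> ((numbers...), apk_release); pairs compare as tuples."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def gomod_versions(text):
    """Return {module: version} from the require lines of a go.mod file."""
    found, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop '// indirect' comments
        if line.startswith("require ("):
            in_block = True
        elif in_block and line == ")":
            in_block = False
        else:
            parts = line.split()
            if in_block and len(parts) == 2:
                found[parts[0]] = parts[1]
            elif len(parts) == 3 and parts[0] == "require":  # single-line require
                found[parts[1]] = parts[2]
    return found

def apk_versions(text):
    """Return {package: version} from 'apk info -v' style lines such as 'curl-8.11.1-r0'."""
    matches = (re.match(r"^(.+?)-(\d\S*)$", ln.strip()) for ln in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def check(gomod_text, apk_text):
    """Return, sorted, the names whose installed version is still below the fix version."""
    installed = {**gomod_versions(gomod_text), **apk_versions(apk_text)}
    return sorted(n for n, req in REQUIRED.items()
                  if n in installed and parse_version(installed[n]) < parse_version(req))

# Constructed inputs: the state the scan flagged, and the state after the update.
GOMOD_BEFORE = ("module example.com/app\n\ngo 1.22\n\nrequire (\n"
                "\tgolang.org/x/net v0.29.0 // indirect\n\texample.com/other v1.2.3\n)\n")
APK_BEFORE = "curl-8.10.1-r0\nlibcurl-8.10.1-r0\nca-certificates-20240705-r0\n"
GOMOD_AFTER = GOMOD_BEFORE.replace("v0.29.0", "v0.33.0")
APK_AFTER = APK_BEFORE.replace("8.10.1-r0", "8.11.1-r0")
```

`check(GOMOD_BEFORE, APK_BEFORE)` names both findings; after the update it returns an empty list, which is the condition a CI step would gate on.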

@OgunOzyurek OgunOzyurek left a comment

lgtm

@dewey dewey merged commit 12bc92e into justwatchcom:master Dec 20, 2024
1 check passed
@dewey (Member) commented Dec 20, 2024

Looks good, thanks. Will push a new image.

@wanix wanix deleted the twistlock-scans-fixes-20241220 branch December 20, 2024 16:53