Found security vulnerabilities in go 1.16

[abhi-vaidya]

keda/go.mod

Line 3 in f78c16e

go 1.16

Hello,

We are using this repository for internal development and security appliance scan found severe vulnerabilities in go 1.16.
https://nvd.nist.gov/vuln/detail/CVE-2021-29923. Which is being fixed in go 1.17. Is there any plan to update it to go 1.17.

[zroubalik]

@abhi-vaidya thanks for reporting this. We have just updated go from 1.15 -> 1.16 for the upcoming release.

As per this golang/go#30999 (comment) the situation is not nearly so clear cut. So I am leaning towards not to the update now but keep it open for some subsequent releases. So we don't do the update from 1.15->1.17 in one release.

Is there any particular problem that you are facing with this CVE?

[abhi-vaidya]

@zroubalik would you be able to provide eta on updating go version to 1.17 please. Our security scanner has reported that it is a high level risk so we need to update it to 1.17 as soon as possible.

[zroubalik]

@abhi-vaidya we are planning to release KEDA 2.5.0 tomorrow (currently go 1.16). Then next release is at the moment scheduled to February 2022. You can check milestones: https://github.com/kedacore/keda/milestones