[bug]: CVE in codebase

[shivamsouravjha]

Is there an existing issue for this?

• I have searched the existing issues

Current behavior

• There are some vulnerabilities because of dependencies which can be viewed through Red Hat Dependency Analytics

Steps to reproduce

• Install Red Hat extension on VSCode.
• Open go.mod file, the RHDA(Red Hat Dependency Analytics) would analyse and then show the report.
• Click on the pop-up to view the analytics

Environment

None

Version

Cloud

Repository

keploy

[aerowisca]

seems the CVE was due to an older dependency of docker .
go: upgraded github.com/docker/docker v24.0.4+incompatible => v26.1.1+incompatible
This solves the issue but i hope we are not dependent on particular version for any specific task ? @shivamsouravjha

[shivamsouravjha]

nope we're not dependent on any particular docker version, but if we were to upgrade the docker version me must insure that any feature we use isn't downgraded.

[jaiakash]

Hi @shivamsouravjha @Swpn0neel, running the RHDA extension in the latest version of Kelpoy gives two errors.

The CVSS score is around 5.3 and 6.9. For the fix, I tried upgrading the libraries manually, which solved the issue (it also updated some other dependencies).

I don't know if that's the correct way to solve the issue, as it will require testing deployment with new dependencies.

Could you guide me for this issue? Thanks

[shivamsouravjha]

@jaiakash that's the only way out of this issue. Feel free to raise a PR for this and also add a security check in pipeline as to avoid any future issues.

[jaiakash]

@shivamsouravjha Thanks for clarification. You can assign this issue to me.
After upgrading the dependencies, i will add test for it in pipeline. I will raise PR for same.

[jaiakash]

Hi @shivamsouravjha @Swpn0neel i have added draft PR and need some guidance on that. Please checkout #2137