You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Dear Team Members:
Greetings! Our team is very interested in your project. we performed source code perspective security analysis (SCA) and vulnerability library association analysis on this project and found that components with vulnerabilities are still being used into this project.We would like to report this issue to you,so that you can fix and improve it accordingly. I add the details in json file below. Please confirm whether this problem really exists and confirm with us. Looking forward to hearing from you and discussing more details with us, thank you very much for your time and attention.
Note: Each "affect_components" field in the report represents the vulnerable component introduced by this project. The other is the vulnerability information associated with it.
Please see https://prometheus.io/docs/operating/security/#automated-security-scanners -- most scanners do not generate good results and just cause us more work, we keep dependencies up-to-date and do regular releases, so it's very unlikely a CVE from 2022 will still affect a recent Prometheus release (you didn't actually mention what version you used).
This scanner seems particularly bad, it finds a CVE where the description says "Fixed in 1.9.17, 1.10.10, and 1.11.5." and also extracts the package and version number pkg:golang/github.com/hashicorp/consul/api@v1.28.2 -- just reading the report is enough to see the scanner is plain wrong. (hashicorp/consul@3b44343 is the fix commit which shows the tags if you want to double check).
What did you do?
Dear Team Members:
Greetings! Our team is very interested in your project. we performed source code perspective security analysis (SCA) and vulnerability library association analysis on this project and found that components with vulnerabilities are still being used into this project.We would like to report this issue to you,so that you can fix and improve it accordingly. I add the details in json file below. Please confirm whether this problem really exists and confirm with us. Looking forward to hearing from you and discussing more details with us, thank you very much for your time and attention.
Note: Each "affect_components" field in the report represents the vulnerable component introduced by this project. The other is the vulnerability information associated with it.
Qiyu Hou
prometheus-main_report.json
What did you expect to see?
No response
What did you see instead? Under which circumstances?
None
System information
No response
Prometheus version
No response
Prometheus configuration file
No response
Alertmanager version
No response
Alertmanager configuration file
No response
Logs
No response
The text was updated successfully, but these errors were encountered: