
Twistlock scans reporting CVE #16232

Closed
automagic opened this issue May 20, 2024 · 3 comments
Labels: impact/security, kind/bug (Some behavior is incorrect or out of spec), resolution/fixed (This issue was fixed)

@automagic

What happened?

Twistlock scans of our container images that contain the Pulumi CLI started to report the following vulnerabilities: GO-2024-2824 (https://pkg.go.dev/vuln/GO-2024-2824) and GO-2024-2631 (https://pkg.go.dev/vuln/GO-2024-2631). We rebuild our base images daily with the latest .NET base images and the latest Pulumi CLI.

Example

[screenshot of the scan report attached to the issue; not reproduced here]

Output of pulumi about:

CLI
Version 3.116.1
Go Version go1.22.2
Go Compiler gc

Host
OS debian
Version 12.5
Arch x86_64

Additional context

No response


@automagic automagic added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels May 20, 2024
@justinvp justinvp added impact/security and removed needs-triage Needs attention from the triage team labels May 21, 2024
@justinvp (Member)

The next release of Pulumi will be built with Go 1.22.3, which will address https://pkg.go.dev/vuln/GO-2024-2824.

Investigating upgrading go-jose.

@justinvp (Member)

#16239 upgrades go-jose to a patched version.

github-merge-queue bot pushed a commit that referenced this issue May 21, 2024
Upgrade `gocloud.dev/secrets/hashivault` to the latest version,
`v0.37.0`, which also matches the `gocloud.dev` version we depend on.

This replaces the indirect dependency on `gopkg.in/square/go-jose.v2`
`v2.6.0`, which has a vulnerability (see
https://pkg.go.dev/vuln/GO-2024-2631), with v3.0.3, which addresses the
vulnerability.

Part of #16232
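Both findings in this thread can be verified straight from a binary's embedded build information, without waiting for the next Twistlock run: the Go toolchain version (GO-2024-2824 is addressed by Go 1.22.3, per the comment above) and the linked go-jose module version (the commit message replaces gopkg.in/square/go-jose.v2 v2.6.0 with v3.0.3). The program below is an added example, not Pulumi's code. It reads `GoVersion` and `Deps` from `debug.BuildInfo`, honours `replace` directives, and reports which advisory still applies. The v3.0.3 threshold comes from the commit message; the v2.6.3 threshold for the legacy `gopkg.in/square/go-jose.v2` path is an assumption that this issue does not state. The sample build info is constructed from the `pulumi about` output (Go 1.22.2) and the dependency named in the commit, not read from a real binary.

```go
// Added example, not Pulumi's own code: check a Go binary's embedded build
// info for the two advisories discussed in this issue.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// goFixed is the toolchain that addresses GO-2024-2824 (justinvp's comment).
const goFixed = "go1.22.3"

// joseFixed: first go-jose version addressing GO-2024-2631 per import path.
// v3.0.3 is stated in the commit message; v2.6.3 for the legacy path is an
// assumption that this issue does not state.
var joseFixed = map[string]string{
	"github.com/go-jose/go-jose/v3": "v3.0.3",
	"gopkg.in/square/go-jose.v2":    "v2.6.3",
}

// parseVersion turns "go1.22.2" or "v2.6.0" into [1 22 2] / [2 6 0]; suffixes
// after '-', '+' or a space are dropped, and a non-numeric part ends the parse.
func parseVersion(v string) []int {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if i := strings.IndexAny(v, "-+ "); i >= 0 {
		v = v[:i]
	}
	var out []int
	for _, part := range strings.Split(v, ".") {
		n, err := strconv.Atoi(part)
		if err != nil {
			break
		}
		out = append(out, n)
	}
	return out
}

// compareVersions orders two parsed versions; missing parts count as 0.
func compareVersions(a, b []int) int {
	for i := 0; i < len(a) || i < len(b); i++ {
		x, y := 0, 0
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// audit returns one line per advisory that still applies to bi.
func audit(bi *debug.BuildInfo) []string {
	var out []string
	if compareVersions(parseVersion(bi.GoVersion), parseVersion(goFixed)) < 0 {
		out = append(out, fmt.Sprintf("GO-2024-2824: built with %s, needs %s or later", bi.GoVersion, goFixed))
	}
	for _, dep := range bi.Deps {
		eff := dep
		if dep.Replace != nil { // a replace directive is what actually got linked
			eff = dep.Replace
		}
		if fixed, ok := joseFixed[eff.Path]; ok && compareVersions(parseVersion(eff.Version), parseVersion(fixed)) < 0 {
			out = append(out, fmt.Sprintf("GO-2024-2631: %s %s, needs %s or later", eff.Path, eff.Version, fixed))
		}
	}
	return out
}

// sampleBuildInfo is constructed from the `pulumi about` output (Go 1.22.2)
// and the dependency named in the commit message; it is not read from a binary.
func sampleBuildInfo() *debug.BuildInfo {
	return &debug.BuildInfo{
		GoVersion: "go1.22.2",
		Deps: []*debug.Module{
			{Path: "gocloud.dev", Version: "v0.37.0"},
			{Path: "gopkg.in/square/go-jose.v2", Version: "v2.6.0"},
		},
	}
}

func main() {
	bi := sampleBuildInfo()
	if len(os.Args) > 1 { // go run . /path/to/pulumi audits a real binary instead
		var err error
		if bi, err = buildinfo.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	for _, f := range audit(bi) {
		fmt.Println(f)
	}
}
```

Run without arguments to audit the constructed sample (it reports both advisories, matching the issue), or pass the path of an installed `pulumi` binary to read its real build info via `debug/buildinfo`. The check is deliberately narrow, covering only the two advisories in this thread; for full coverage of the Go vulnerability database, `govulncheck` against the same binary is the general-purpose tool.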
@justinvp justinvp added the resolution/fixed This issue was fixed label May 25, 2024
@justinvp (Member)

This has been addressed with the release of v3.117.0, which is rolling out now.
