Multiple CVEs reported by Trivy scan tool for V4.45.4

[Kisan-hpe]

The listed CVEs for V4.45.4 includes HIGH.

Total: 3
Severity Breakdown: UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0

Library	Vulnerability	Severity	Status	Installed Version	Fixed Version	Title
stdlib	CVE-2025-22874	HIGH	fixed	1.24.3	1.23.10, 1.24.4	crypto/x509: Usage of ExtKeyUsageAny disables policy validation in crypto/x509
stdlib	CVE-2025-0913	MEDIUM	—	—	—	Inconsistent handling of `O_CREATE
stdlib	CVE-2025-4673	MEDIUM	—	—	—	Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin requests

[sascha-krug]

+1 from me, this issue is breaking our trivy scans. (To fix the scan we are skipping high issues for now)

[roozeec]

Hi, it seems the problem is the golang version which is used to build yq, I added this in my Dockerfile :

FROM golang:tip-alpine3.22 AS yqbuilder
RUN apk add --no-cache git
WORKDIR /app
RUN git clone https://github.com/mikefarah/yq.git .
RUN go build -o yq ./yq.go

then use it from the image build which use yq : COPY --from=yqbuilder /app/yq /usr/local/bin/yq

The trivy reports no error for yq :