Update go to 1.23.1 for fixing High vulnerability #632
Conversation
jdesouza
changed the title
|
@06kellyjac would you mind taking a look at this PR? |
|
@sublimino any chance for reviewing this? |
|
Thanks for the ping @jdesouza we'll test and release this 👍 |
|
Hi @jdesouza! We looked at this and GHSA-crqm-pwhx-j97f does not affect Kubesec according to govulncheck's analysis of the code:
We'll merge this anyway but we may wait to release, unless this is causing a specific issue? |
We are getting the vuln reported by trivy |
|
Thanks. Yeah I asked for the aqua team to integrate govulncheck a long while ago because you can end up with a lot of false positives importing x/net or anything kubernetes. They said they're going to lean into VEX and that you should be able to generate a VEX output from govulncheck first and feed it into trivy (not always easy, I know) Doing an upadte now |
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2024-34156 │ HIGH │ fixed │ 1.23.0 │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│ │ │ │ │ │ │ which contains deeply nested structures... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-34156