
Go Related CVEs Raised During Trivy Scanning Resolution Timeline by Upgrading Go #3768

Open
4 of 5 tasks
isaac-mercieca opened this issue May 13, 2024 · 1 comment
Labels
bug Something is not working.

Comments

@isaac-mercieca

isaac-mercieca commented May 13, 2024

Preflight checklist

Ory Network Project

No response

Describe the bug

Will the Go version of the project be updated to the latest, 1.22.3, to address CVEs such as https://avd.aquasec.com/nvd/2023/cve-2023-45289/? I see Go on version 1.21 in the latest Hydra version, v2.2.0. CVEs like this one are being raised during Trivy scanning of the Hydra binaries present in the Docker image. Would this be in the next release, and would you happen to know the timeline for that release?

Reproducing the bug

Run Trivy scan on Hydra image.

Relevant log output

No response

Relevant configuration

No response

Version

2.2.0

On which operating system are you observing this issue?

None

In which environment are you deploying?

Docker

Additional Context

None

@isaac-mercieca isaac-mercieca added the bug Something is not working. label May 13, 2024
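Before filing or triaging a report like the one above, it helps to confirm which Go toolchain a shipped binary was actually built with and whether that toolchain already contains a given fix, rather than relying on the scanner's summary alone. The program below is an added example for this thread, not code from the issue author, from Ory, or from Trivy. It reads the build info that the Go linker embeds in every Go binary (the same data `go version -m <binary>` prints) and compares the toolchain version against an advisory's fixed versions. The fixed versions used for CVE-2023-45289 (Go 1.21.8 and 1.22.1) are taken from the Go security release that addressed it and are an input you should confirm against the advisory; the branch-matching rule mirrors the introduced/fixed ranges the Go vulnerability database publishes per release branch.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// GoVersion is a parsed Go toolchain version such as go1.21.10.
type GoVersion struct{ Major, Minor, Patch int }

// Only final releases are accepted: "go1.21.10", "1.22.3" or "go1.22" (patch 0).
// Pre-release toolchains ("go1.23rc1") are rejected on purpose so they cannot
// be mistaken for the final 1.23.0 release they precede.
var goVersionRE = regexp.MustCompile(`^(?:go)?(\d+)\.(\d+)(?:\.(\d+))?$`)

// ParseGoVersion parses a final Go release version string.
func ParseGoVersion(s string) (GoVersion, error) {
	m := goVersionRE.FindStringSubmatch(s)
	if m == nil {
		return GoVersion{}, fmt.Errorf("unrecognised or pre-release Go version %q", s)
	}
	var v GoVersion
	v.Major, _ = strconv.Atoi(m[1])
	v.Minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		v.Patch, _ = strconv.Atoi(m[3])
	}
	return v, nil
}

// Less reports whether v sorts before o.
func (v GoVersion) Less(o GoVersion) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// IsFixed reports whether the installed toolchain contains the fix described
// by fixed, the advisory's fixed versions (one per patched release branch,
// e.g. "1.21.8" and "1.22.1"). A toolchain is fixed when it is at or past the
// fixed patch of its own minor branch, or when its minor branch is newer than
// every patched branch; a branch older than all patched branches received no
// fix. Parse failures (including pre-releases) fail closed: not fixed.
func IsFixed(installed string, fixed []string) (bool, error) {
	v, err := ParseGoVersion(installed)
	if err != nil {
		return false, err
	}
	if len(fixed) == 0 {
		return false, nil // no fix published at all
	}
	newest := GoVersion{}
	for _, f := range fixed {
		fv, err := ParseGoVersion(f)
		if err != nil {
			return false, err
		}
		if fv.Major == v.Major && fv.Minor == v.Minor {
			return !v.Less(fv), nil // same branch: compare patch level
		}
		if newest.Less(fv) {
			newest = fv
		}
	}
	// No patched branch matches: fixed only if we are past the newest one.
	return newest.Less(v), nil
}

// ReadToolchain returns the Go toolchain version recorded in a Go binary's
// embedded build info; it works on stripped binaries too.
func ReadToolchain(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

func main() {
	// Assumed fixed versions for CVE-2023-45289 (net/http); confirm against
	// the Go advisory before relying on them.
	fixed := []string{"1.21.8", "1.22.1"}
	for _, path := range os.Args[1:] {
		gv, err := ReadToolchain(path)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		ok, err := IsFixed(gv, fixed)
		if err != nil {
			fmt.Printf("%s: built with %s: %v (treated as NOT fixed)\n", path, gv, err)
			continue
		}
		fmt.Printf("%s: built with %s: CVE-2023-45289 fixed=%t\n", path, gv, ok)
	}
}
```

To use it against an image, copy the binary out of a created container with `docker cp` and pass its path as an argument. Because the check works per release branch, a binary built with Go 1.22.0 is reported as unfixed even though 1.22 is newer than the 1.21 branch the issue mentions, which is exactly the case a plain "newer is better" comparison would get wrong.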
@mig5
Contributor

mig5 commented Jul 3, 2024

Any movement on this?

I feel like it's not enough to just cut a Docker image release when you release new versions of Hydra. If it bundles 3rd party dependencies that have their own security vulnerabilities, it'd be great if Ory made routine new Docker images even if the Hydra version itself isn't changing. Other open source projects often work this way, in the containerized world we now live in.

I appreciate it's added burden for the maintainers, but it's good for the community :)
