So it looks like what's needed is somebody to investigate/fix the problems caused by the breaking changes before we can unpin the versions.
mhdawson changed the title from "Anchore Go Library - Vulnerabilities" to "Anchore Go Library - Vulnerabilities - Update code to allow unpinning of versions." on Oct 24, 2024
@srisek I know it's been a long time, but if this is still on your radar, any help in figuring out what other changes are needed to go along with the unpinning would help move it along.
Our org is using the Jammy base builder and base runner with the latest version in my CI tool to perform builds and got the below Critical/High security vulnerabilities identified by the scanning tool for the npm-install build pack.
Impacted Layer : /layers/paketo-buildpacks_npm-install/launch-modules/exec.d/0-setup-symlinks
CVE-2022-28346
CVE-2022-28347
CVE-2022-34265
CVE-2023-31047
CVE-2021-45115
CVE-2021-45116
CVE-2022-23833
CVE-2022-36359
CVE-2022-41323
The recommended fix is to update to version github.com/anchore/syft 0.89.0, and we could see references to version 0.80.0 in the Go dependencies used by the npm-install build pack.
https://github.com/paketo-buildpacks/npm-install/blob/main/go.mod#L33C2-L33C45
Can this be updated to the version – 0.89.0?
Impacted Layer: /layers/paketo-buildpacks_npm-install/launch-modules/exec.d/0-setup-symlinks
Installed Resource: github.com/anchore/stereoscope 0.0.0-20230412183729-8602f1afc574
CVE-2024-24579
Recommended Fix: Upgrade package github.com/anchore/stereoscope to version 0.0.1 or above.
We did notice that the underlying npm-install buildpack is using 0.0.1 in the dependency, but it is also getting replaced with version v0.0.0-20230412183729-8602f1afc574.
https://github.com/paketo-buildpacks/npm-install/blob/main/go.mod#L159C80-L159C115
Request any guidance or help in getting these addressed with your team’s help.
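The require/replace mismatch described in this report, as an added example that is not part of the issue or of the buildpack's own code: a small Go check that parses a go.mod and flags modules whose replace directive pins a version lower than the one the require line asks for, which is the version the build actually compiles and a scanner reports. The go.mod contents are constructed to mirror the report, not copied from the buildpack.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed go.mod modelled on the issue (not the buildpack's real file):
// require asks for a tagged release, replace pins an older pseudo-version.
const sampleGoMod = `module example.com/app
require (
	github.com/anchore/stereoscope v0.0.1
	github.com/anchore/syft v0.80.0
)
replace github.com/anchore/stereoscope => github.com/anchore/stereoscope v0.0.0-20230412183729-8602f1afc574
`

// base packs the vMAJOR.MINOR.PATCH prefix into one comparable int, so a
// pseudo-version such as v0.0.0-2023...-8602f1af ranks by its base tag v0.0.0.
func base(v string) (n int) {
	core := strings.TrimPrefix(strings.SplitN(v, "-", 2)[0], "v")
	for _, p := range strings.SplitN(core, ".", 3) {
		x, _ := strconv.Atoi(p)
		n = n*1000 + x
	}
	return n
}

// Downgrades parses top-level require and replace directives and returns each
// module whose replace pins a version below what require asks for, mapped to it.
func Downgrades(gomod string) map[string]string {
	require, found := map[string]string{}, map[string]string{}
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // strip comments
		switch {
		case len(f) == 0:
		case f[0] == "require" && len(f) == 2: // "require (" opens a block
			inBlock = true
		case f[0] == ")":
			inBlock = false
		case f[0] == "require" && len(f) == 3 || inBlock && len(f) == 2: // "[require] mod ver"
			require[f[len(f)-2]] = f[len(f)-1]
		case f[0] == "replace" && len(f) >= 4 && f[len(f)-2] != "=>": // right side carries a version
			old, pinned := f[1], f[len(f)-1]
			if req, ok := require[old]; ok && base(pinned) < base(req) {
				found[old] = pinned
			}
		}
	}
	return found
}
```

Running Downgrades over a real go.mod lists the modules for which bumping the require line alone changes nothing until the replace directive is removed or updated too.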