Issue description

When running a trivy scan on apisix-dashboard v3.0.1, it reported several CVEs on the dependencies. Is it possible to update those dependencies?

```
apisix-dashboard-3.0.1$ trivy filesystem --vuln-type library .
2024-01-18T16:02:31.827Z INFO Vulnerability scanning is enabled
2024-01-18T16:02:31.827Z INFO Secret scanning is enabled
2024-01-18T16:02:31.827Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-18T16:02:31.827Z INFO Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection
2024-01-18T16:02:32.606Z INFO Number of language-specific files: 3
2024-01-18T16:02:32.606Z INFO Detecting gomod vulnerabilities...
2024-01-18T16:02:32.608Z INFO Detecting yarn vulnerabilities...

api/go.mod (gomod)

Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 2, CRITICAL: 0)
```

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| github.com/gin-gonic/gin | CVE-2023-29401 | MEDIUM | 1.9.0 | 1.9.1 | golang-github-gin-gonic-gin: Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment... https://avd.aquasec.com/nvd/cve-2023-29401 |
| golang.org/x/crypto | CVE-2023-48795 | MEDIUM | 0.5.0 | 0.17.0 | ssh: Prefix truncation attack on Binary Packet Protocol (BPP) https://avd.aquasec.com/nvd/cve-2023-48795 |
| golang.org/x/net | CVE-2023-39325 | HIGH | 0.7.0 | 0.17.0 | golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) https://avd.aquasec.com/nvd/cve-2023-39325 |
| golang.org/x/net | CVE-2023-3978 | MEDIUM | 0.7.0 | 0.13.0 | golang.org/x/net/html: Cross site scripting https://avd.aquasec.com/nvd/cve-2023-3978 |
| golang.org/x/net | CVE-2023-44487 | MEDIUM | 0.7.0 | 0.17.0 | HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack... https://avd.aquasec.com/nvd/cve-2023-44487 |
| google.golang.org/grpc | GHSA-m425-mq94-257g | HIGH | 1.47.0 | 1.56.3, 1.57.1, 1.58.3 | gRPC-Go HTTP/2 Rapid Reset vulnerability https://github.com/advisories/GHSA-m425-mq94-257g |
| google.golang.org/grpc | CVE-2023-44487 | MEDIUM | 1.47.0 | 1.58.3, 1.57.1, 1.56.3 | HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack... https://avd.aquasec.com/nvd/cve-2023-44487 |

Expected behavior

Dependencies up to date

How to Reproduce

Run trivy scan on source code
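To turn the reproduction step into something a CI job can act on, here is an added example (not code from this issue, nor from the apisix-dashboard or Trivy projects). It consumes Trivy's JSON report (`trivy fs --scanners vuln --format json .`), works out the smallest version bump that covers every advisory against each Go module, emits the matching `go get` commands, and fails when anything at HIGH or above is present. It assumes Trivy's JSON field names `Results`, `Target`, `Type`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`; the embedded report is constructed to mirror the seven findings quoted above, and `parse_version` is a deliberately simple x.y.z comparer, not a full semver implementation.

```python
"""Turn a Trivy JSON report into Go dependency bumps plus a severity gate.

Added example for the apisix-dashboard Trivy issue; not project code.
Assumes Trivy's JSON layout: Results[].Target, Results[].Type,
Results[].Vulnerabilities[] with VulnerabilityID, PkgName,
InstalledVersion, FixedVersion (comma-separated when several), Severity.
"""
import json
import re
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample mirroring the findings quoted in the issue (api/go.mod).
SAMPLE_REPORT = {"Results": [{"Target": "api/go.mod", "Type": "gomod", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2023-29401", "PkgName": "github.com/gin-gonic/gin",
     "InstalledVersion": "1.9.0", "FixedVersion": "1.9.1", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-2023-48795", "PkgName": "golang.org/x/crypto",
     "InstalledVersion": "0.5.0", "FixedVersion": "0.17.0", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-2023-39325", "PkgName": "golang.org/x/net",
     "InstalledVersion": "0.7.0", "FixedVersion": "0.17.0", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-2023-3978", "PkgName": "golang.org/x/net",
     "InstalledVersion": "0.7.0", "FixedVersion": "0.13.0", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-2023-44487", "PkgName": "golang.org/x/net",
     "InstalledVersion": "0.7.0", "FixedVersion": "0.17.0", "Severity": "MEDIUM"},
    {"VulnerabilityID": "GHSA-m425-mq94-257g", "PkgName": "google.golang.org/grpc",
     "InstalledVersion": "1.47.0", "FixedVersion": "1.56.3, 1.57.1, 1.58.3", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-2023-44487", "PkgName": "google.golang.org/grpc",
     "InstalledVersion": "1.47.0", "FixedVersion": "1.58.3, 1.57.1, 1.56.3", "Severity": "MEDIUM"},
]}]}


def parse_version(v):
    """'v1.56.3' -> (1, 56, 3). Simplified x.y.z comparer; non-numeric parts count as 0."""
    parts = re.split(r"[.\-+]", v.strip().lstrip("v"))
    return tuple(int(p) if p.isdigit() else 0 for p in parts)


def fixed_candidates(fixed_field):
    """Split Trivy's comma-separated FixedVersion list; an empty field means no fix published."""
    return [f.strip() for f in (fixed_field or "").split(",") if f.strip()]


def _load(report):
    return json.loads(report) if isinstance(report, str) else report


def plan_upgrades(report):
    """Per (target, package): installed version, the version that closes every advisory,
    the advisory ids, and any advisories with no published fix."""
    plan = {}
    for result in _load(report).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            key = (result.get("Target", ""), vuln["PkgName"])
            entry = plan.setdefault(key, {"type": result.get("Type", ""),
                                          "installed": vuln.get("InstalledVersion", ""),
                                          "required": None, "ids": [], "unfixed": []})
            entry["ids"].append(vuln["VulnerabilityID"])
            cands = fixed_candidates(vuln.get("FixedVersion"))
            if not cands:
                entry["unfixed"].append(vuln["VulnerabilityID"])
                continue
            # Lowest listed fix for this advisory; across advisories keep the highest
            # of those lows, so one bump satisfies all of them.
            lowest = min(cands, key=parse_version)
            if entry["required"] is None or parse_version(lowest) > parse_version(entry["required"]):
                entry["required"] = lowest
    return plan


def go_get_commands(plan):
    """'go get module@vX.Y.Z' for each gomod package with a known fix, in stable order."""
    return [f"go get {pkg}@v{e['required'].lstrip('v')}"
            for (_, pkg), e in sorted(plan.items()) if e["type"] == "gomod" and e["required"]]


def max_severity(report):
    worst = "UNKNOWN"
    for result in _load(report).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK[worst]:
                worst = sev
    return worst


def gate(report, threshold="HIGH"):
    """True when the report is acceptable, i.e. nothing at or above `threshold`."""
    return SEVERITY_RANK[max_severity(report)] < SEVERITY_RANK[threshold]


if __name__ == "__main__":
    # Pipe `trivy fs --scanners vuln --format json .` in; without stdin, use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    plan = plan_upgrades(raw)
    for (target, pkg), e in sorted(plan.items()):
        fix = e["required"] or "no fix published"
        print(f"{target}: {pkg} {e['installed']} -> {fix} ({', '.join(e['ids'])})")
    print("\n".join(go_get_commands(plan)))
    sys.exit(0 if gate(raw) else 1)
```

For the quoted report this yields `golang.org/x/net@v0.17.0` (the highest of 0.13.0 and 0.17.0 across its three advisories) and `google.golang.org/grpc@v1.56.3` (the lowest of the listed release-branch fixes), and the gate exits non-zero because two findings are HIGH. After `go mod tidy`, re-run the scan to confirm the table is empty.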