Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is this project affected by go-restful vulnerability PRISMA-2022-0227? #1312

Open
brasstax opened this issue Aug 30, 2023 · 2 comments
Open

Is this project affected by go-restful vulnerability PRISMA-2022-0227? #1312

brasstax opened this issue Aug 30, 2023 · 2 comments
Labels
help wanted Feature requests approved by maintainers that are not included in the project roadmap security

Comments

@brasstax
Copy link

Hello,

Sealed Secrets currently uses package github.com/emicklei/go-restful/v3 version v3.9.0. In the ticket emicklei/go-restful#521, there is a vulnerability for PRISMA-2022-0227, reported by Twistlock. Do you know if this project if affected by this vulnerability, and is it possible to bump this to v3.10.1+?

Thank you!
@brasstax brasstax added the triage Issues/PRs that need to be reviewed label Aug 30, 2023
@alvneiayu
Copy link
Collaborator

alvneiayu commented Sep 7, 2023
edited

hi @brasstax
This is an indirect dependency. The library affected is used by client-go@v0.28.1 and code-generator@v0.28.1. We are using Trivy to analyze our PRs and we are detecting 0 vulnerabilities (it is checking the direct libraries). Dependabot is not reporting also any vulnerability.

If you want to create a PR bumping it but we will analyze it really carefully because again, this library is an indirect library and maybe it will generate any impact.

Thanks a lot
Álvaro

@alvneiayu alvneiayu added help wanted Feature requests approved by maintainers that are not included in the project roadmap security and removed triage Issues/PRs that need to be reviewed labels Sep 7, 2023
@brasstax
Copy link
Author

Got it, thanks. It looks like client-go is unaffected (kubernetes/client-go#1254), and it looks like code-generator@v0.29.0 does bump it, but that's currently in alpha.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Feature requests approved by maintainers that are not included in the project roadmap security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@brasstax @alvneiayu