Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resolve golang gh CLI CVE-2024-34158 #2582

Closed
coilysiren opened this issue Oct 25, 2024 · 2 comments
Closed

Resolve golang gh CLI CVE-2024-34158 #2582

coilysiren opened this issue Oct 25, 2024 · 2 comments
Assignees
@coilysiren

Comments

@coilysiren
Copy link
Collaborator

Summary

first found here: #2572

Acceptance criteria

\
@coilysiren coilysiren mentioned this issue Oct 28, 2024
Merged
@coilysiren
Copy link
Collaborator Author

coilysiren commented Oct 28, 2024
edited
Loading

The vulnerability is in the Github CLI here: https://github.com/cli/cli/blob/trunk/go.mod#L5

The fix is shown here: https://github.com/HHS/simpler-grants-gov/actions/runs/11558432017/job/32170953451?pr=2606 eg. upgrading golang to at least 1.23.1

it is currently at

go 1.22.5

toolchain go1.22.6

coilysiren added a commit that referenced this issue Oct 28, 2024
@coilysiren
[Issue #2582] Ignore CVEs in upstream golang CLI (#2606)
ff57a80 
## Summary

Relates to #2582

### Time to review: __1 mins__

## Changes proposed

Ignores the CVE originally found in
#2572
@coilysiren coilysiren self-assigned this Nov 7, 2024
@coilysiren coilysiren moved this from Todo to Icebox in Simpler.Grants.gov Product Backlog Nov 12, 2024
@coilysiren
Copy link
Collaborator Author

Superseded by #2590

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@coilysiren coilysiren

Labels
None yet
Projects
Simpler.Grants.gov Product Backlog
Status: Done
Milestone
No milestone
Development

No branches or pull requests
1 participant
@coilysiren