Docker scout security check reports an issue with satori/go.uuid #189

Closed
thbley opened this issue Oct 15, 2023 · 2 comments · Fixed by #190

thbley commented Oct 15, 2023

Docker scout reports a security issue in satori/go.uuid@1.2.0.
Maybe this library could be replaced with an alternative? (see satori/go.uuid#120)

To reproduce:

wget -qO- https://github.com/axllent/mailpit/releases/latest/download/mailpit-linux-amd64.tar.gz | tar xvz mailpit

docker scout cves fs://mailpit
    ✓ File system read
    ✓ Indexed 51 packages
    ✗ Detected 1 vulnerable package with 1 vulnerability

## Overview

                    │        Analyzed path         
────────────────────┼──────────────────────────────
  Target            │  fs://mailpit                
    vulnerabilities │    1C     0H     0M     0L   

## Packages and Vulnerabilities

   1C     0H     0M     0L  github.com/satori/go.uuid 1.2.0
pkg:golang/github.com/satori/go.uuid@1.2.0

    ✗ CRITICAL CVE-2021-3538
      https://scout.docker.com/v/CVE-2021-3538
      Affected range : <1.2.1-0.20181016170032-d91630c85102  
      Fixed version  : 1.2.1-0.20181016170032-d91630c85102   
    
1 vulnerability found in 1 package
  LOW       0  
  MEDIUM    0  
  HIGH      0  
  CRITICAL  1  

Thanks!

Owner

axllent commented Oct 15, 2023

Thanks for raising this issue. I'm surprised by this given that it was reported 2 years ago and still exists. I will look into a suitable replacement.

Owner

axllent commented Oct 16, 2023

This will be released in the next few hours 👍
