Vulnerabilities found in skaffold v2.10.1 binary (2 critical) #9335

Closed
elizabethbarkett opened this issue Mar 12, 2024 · 3 comments

@elizabethbarkett

Version affected: v2.10.1
While working on reducing vulnerabilities in our internal tooling, we noticed that the skaffold binary has 2 critical vulnerabilities that stem from moby/buildkit.

Steps:
Vulnerabilities were found by running:

govulncheck -mode=binary -show verbose /home/linuxbrew/.linuxbrew/bin/skaffold

Go 1.21.6 should also be updated to >=1.21.8 to resolve multiple stdlib vulnerabilities.

Dependencies affected:
github.com/moby/buildkit

github.com/containerd/containerd

github.com/sigstore/cosign/v2

github.com/cloudflare/circl

google.golang.org/protobuf
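
Added example (not part of the issue and not skaffold project code): a Go program that reduces govulncheck's JSON output to one line per affected module and advisory, the kind of per-dependency list given in the report above. It assumes the scan is re-run with govulncheck's `-json` flag; the sample stream, including its module names and OSV IDs, is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Constructed sample stream: module names, OSV IDs and versions are placeholders.
const sample = `{"config":{"scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v0.0.2","trace":[{"module":"example.com/builder","version":"v0.0.1"}]}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v1.21.8","trace":[{"module":"stdlib","version":"v1.21.6"}]}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v0.0.2","trace":[{"module":"example.com/builder","version":"v0.0.1"}]}}
{"finding":{"osv":"GO-0000-0003","trace":[{"module":"example.com/crypto","version":"v1.3.0"}]}}`

// message keeps only the fields used here (JSON keys match case-insensitively).
type message struct {
	Finding *struct {
		OSV   string
		Fixed string `json:"fixed_version"`
		Trace []struct{ Module, Version string }
	}
}

// Summarize returns one line per distinct module and advisory, in stream order.
func Summarize(r io.Reader) ([]string, error) {
	seen, out := map[string]bool{}, []string{}
	dec := json.NewDecoder(r) // the output is a sequence of JSON objects
	for dec.More() {
		var m message
		if err := dec.Decode(&m); err != nil {
			return nil, err
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue // config, progress and osv messages carry no finding
		}
		f := m.Finding.Trace[0] // first frame: the module containing the vulnerability
		line := fmt.Sprintf("%s@%s %s fixed=%q", f.Module, f.Version, m.Finding.OSV, m.Finding.Fixed)
		if !seen[line] {
			seen[line], out = true, append(out, line)
		}
	}
	return out, nil
}

func main() {
	lines, _ := Summarize(strings.NewReader(sample))
	fmt.Println(strings.Join(lines, "\n"))
}
```

Lines whose module is `stdlib` are resolved by rebuilding with a newer Go toolchain rather than by a `go.mod` bump, and `fixed=""` marks an advisory with no fixed version listed.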

@elizabethbarkett
Author

This MR exists for updating moby/buildkit; looks like it will take a little work to get tests passing

@elizabethbarkett
Author

The cloudflare/circl MR looks good to go on approval, which will resolve the high vulnerability listed above.

@elizabethbarkett
Author

moby/buildkit updated in main, closing issue
