Cut a new release of this provider #327
Comments
Hey there @aochsner 👋🏻 , do you mind sharing the reports or the dependencies related to the CVEs? We can push a new release with no functional changes but want to ensure we're resolving the CVEs you're seeing.
I can't share directly but it's go-git prior to v5.11 (current release pulls in v5.10.1 via some other dependency). Looks like current version in go.sum is v5.12.0 so I believe that would address it.

https://nvd.nist.gov/vuln/detail/CVE-2023-49569
Hi @aochsner 👋 (and other future readers), Thanks for that additional context. I'm not on the HashiCorp security team, but I wanted to give some additional information about this particular scanner report. For official security disclosures/responses from the security team, please refer to https://www.hashicorp.com/trust/security. The

```console
$ ❯ go mod why -m 'github.com/go-git/go-git/v5'
# github.com/go-git/go-git/v5
github.com/hashicorp/terraform-provider-time/internal/provider
github.com/hashicorp/terraform-provider-time/internal/provider.test
github.com/hashicorp/terraform-plugin-testing/helper/resource
github.com/hashicorp/terraform-exec/tfexec
github.com/hashicorp/terraform-exec/tfexec.test
github.com/hashicorp/terraform-exec/tfexec/internal/testutil
github.com/hashicorp/hc-install/build
github.com/go-git/go-git/v5
```

Unfortunately a lot of security scanners cannot have code-level context on why or how a dependency is being used or not, but the reality is that many compliance officers need to rely on these reports as given. So for anyone who may see references to this dependency or CVE number in relation to this provider codebase (and potentially others in the provider ecosystem), I just wanted to help alleviate any sort of urgency to upgrade. I have created hashicorp/terraform-plugin-testing#347 in the provider testing Go module to consider removing the functionality that causes this dependency to appear in provider codebases to reduce security scanning reports like these. As @austinvalle mentioned though, we can/will cut a fresh provider release to help remove this particular scanner report for now. 👍
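The `go mod why -m` chain quoted in the comment above is the kind of evidence a reviewer needs when deciding whether a scanner finding on a module is reachable from shipped code or only from tests. The following is an added example (not code from the terraform-provider-time project or its maintainers) that parses that output format and classifies each reported module as `production`, `test-only` or `unused`. `go mod why` prints a package's test binary as `<pkg>.test`, so a chain that crosses such a hop reaches the module only through that package's tests. The sample input is constructed from the chain shown in the thread; the second sample mimics the `(main module does not need module ...)` line that `go mod why` prints for an unneeded module.

```python
"""Triage a `go mod why -m <module>` result: is the flagged module pulled in
by production code, only by tests, or not needed at all?"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the chain `go mod why -m` printed in the issue thread
# (the command invocation itself is not part of the program output).
SAMPLE_OUTPUT = """\
# github.com/go-git/go-git/v5
github.com/hashicorp/terraform-provider-time/internal/provider
github.com/hashicorp/terraform-provider-time/internal/provider.test
github.com/hashicorp/terraform-plugin-testing/helper/resource
github.com/hashicorp/terraform-exec/tfexec
github.com/hashicorp/terraform-exec/tfexec.test
github.com/hashicorp/terraform-exec/tfexec/internal/testutil
github.com/hashicorp/hc-install/build
github.com/go-git/go-git/v5
"""

# Constructed sample with a hypothetical module path, in the shape go prints
# when the main module does not need the module at all.
UNUSED_OUTPUT = """\
# example.com/unused/module
(main module does not need module example.com/unused/module)
"""


@dataclass
class WhyChain:
    module: str
    chain: list[str] = field(default_factory=list)
    needed: bool = True  # False when go reports the module is not needed

    def first_test_hop(self) -> Optional[int]:
        """Index of the first `<pkg>.test` entry in the chain, if any."""
        for i, pkg in enumerate(self.chain):
            if pkg.endswith(".test"):
                return i
        return None

    def verdict(self) -> str:
        if not self.needed:
            return "unused"
        if self.first_test_hop() is not None:
            return "test-only"
        return "production"

    def pulled_in_by(self) -> Optional[str]:
        """Package whose tests (or, for production chains, whose code)
        is the first link in the path towards the flagged module."""
        hop = self.first_test_hop()
        if hop is not None:
            return self.chain[hop][: -len(".test")]
        return self.chain[0] if self.chain else None


def parse_go_mod_why(text: str) -> list[WhyChain]:
    """Parse one or more `# module` stanzas from `go mod why -m` output."""
    chains: list[WhyChain] = []
    current: Optional[WhyChain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# "):
            current = WhyChain(module=line[2:].strip())
            chains.append(current)
        elif current is None:
            raise ValueError(f"chain line before any '# module' header: {line!r}")
        elif line.startswith("(") and "does not need module" in line:
            current.needed = False
        else:
            current.chain.append(line)
    return chains


def triage(text: str) -> dict[str, str]:
    """Map each reported module to its verdict."""
    return {c.module: c.verdict() for c in parse_go_mod_why(text)}


if __name__ == "__main__":
    for c in parse_go_mod_why(SAMPLE_OUTPUT + UNUSED_OUTPUT):
        print(f"{c.module}: {c.verdict()} (via {c.pulled_in_by()})")
```

`go mod why` reports a shortest path through an import graph that includes test imports, so a `.test` hop on that path is strong but not conclusive evidence that no non-test path exists. To confirm a `test-only` verdict, cross-check with `go list -deps -f '{{.Module.Path}}' ./...`, which walks only non-test imports: if the module does not appear there, it is not linked into the provider binary.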
Hi @bflad! Thanks for that explanation; it makes a lot of sense. This would probably be enough justification for an exception TBH, but sounds like a new release will also happen which will probably be easier to get through than the exception route. But if anything new pops up I will look to y'all for that sort of context if needed. Appreciate the quick responses!
Terraform CLI and Provider Versions: 1.8.4 & 0.11.1

Use Cases or Problem Statement: https://discuss.hashicorp.com/t/cut-a-new-hashicorp-time-provider-release/67314

Proposal: I'm not sure if this is the right place but also posted in the discussion forums.

How much impact is this issue causing? High

Additional Information: No response