
Trivy vulnerability scanner finds outdated library in saml2aws v.2.30.0

Open Stanislava27-zz opened this issue 4 years ago • 2 comments

One of my images includes saml2aws v.2.30.0. But Trivy finds outdated dependencies after the installation. (screenshot of the Trivy output attached)

Do you know when it is going to be updated?

Thank you :)

Stanislava27-zz avatar May 20 '21 08:05 Stanislava27-zz

Current version is github.com/tidwall/gjson v1.8.1

https://github.com/Versent/saml2aws/blob/master/go.mod#L33

gliptak avatar Aug 26 '21 15:08 gliptak

There is a new CVE-2021-42836 on the same library. Fixed version is 1.9.3.

Snyk scan output

Testing /tmp/codes/saml2aws...

✗ High severity vulnerability found in github.com/tidwall/gjson
  Description: Regular Expression Denial of Service (ReDoS)
  Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTIDWALLGJSON-1766963
  Introduced through: github.com/tidwall/[email protected]
  From: github.com/tidwall/[email protected]
  Fixed in: 1.9.3

Package manager:   gomodules
Target file:       go.mod
Project name:      github.com/versent/saml2aws/v2
Open source:       no
Project path:      /tmp/codes/saml2aws
Licenses:          enabled

Tested 100 dependencies for known issues, found 1 issue, 1 vulnerable path.

tony-flatiron avatar Dec 14 '21 17:12 tony-flatiron

Closing this issue as the current go.mod is using v1.17.0 https://github.com/Versent/saml2aws/blob/f183682460a430642782e958feb8473941a07fbe/go.mod#L25

tinaboyce avatar Dec 04 '23 13:12 tinaboyce
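The check the scanners in this thread perform (is the `github.com/tidwall/gjson` requirement in go.mod still below the 1.9.3 fix for CVE-2021-42836, and does the later v1.17.0 go.mod clear it?) is small enough to reproduce in a few lines of Go. The following is an added example, not code from saml2aws, Trivy or Snyk; the go.mod excerpts and the advisory record are constructed to mirror the versions quoted above, and a real audit would pull advisories from a vulnerability database (for Go, `govulncheck`) rather than a hard-coded list.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Advisory is a constructed record of a known issue: the module it affects
// and the first version that carries the fix.
type Advisory struct {
	ID     string
	Module string
	Fixed  string
}

// Finding is a required module whose version is below the advisory's fix.
type Finding struct {
	Advisory Advisory
	Version  string
}

// parseSemver turns "v1.9.3" into numeric components. Pre-release and build
// suffixes are dropped, which is enough for plain release tags like these.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a three-part version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component %q in %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// SemverLess reports whether version a is strictly below version b. Comparison
// is numeric per component, so v1.10.0 is correctly newer than v1.9.3.
func SemverLess(a, b string) (bool, error) {
	pa, err := parseSemver(a)
	if err != nil {
		return false, err
	}
	pb, err := parseSemver(b)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i], nil
		}
	}
	return false, nil
}

// Requirements extracts module path -> version from go.mod text. It handles
// the single-line "require path vX" form and the parenthesised block form and
// ignores trailing comments such as "// indirect". Replace directives are not
// considered, so a replaced module would need separate handling.
func Requirements(gomod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		f := strings.Fields(line)
		if inBlock && len(f) == 2 {
			reqs[f[0]] = f[1]
		} else if !inBlock && len(f) == 3 && f[0] == "require" {
			reqs[f[1]] = f[2]
		}
	}
	return reqs
}

// Audit returns every requirement whose version is below an advisory's fix.
func Audit(gomod string, advisories []Advisory) ([]Finding, error) {
	reqs := Requirements(gomod)
	var findings []Finding
	for _, adv := range advisories {
		ver, ok := reqs[adv.Module]
		if !ok {
			continue
		}
		below, err := SemverLess(ver, adv.Fixed)
		if err != nil {
			return nil, err
		}
		if below {
			findings = append(findings, Finding{Advisory: adv, Version: ver})
		}
	}
	return findings, nil
}

// Constructed go.mod excerpts: the v1.8.1 state reported in the thread and
// the v1.17.0 state cited when the issue was closed.
const OldGoMod = "module github.com/versent/saml2aws/v2\n\ngo 1.16\n\nrequire (\n\tgithub.com/stretchr/testify v1.7.0\n\tgithub.com/tidwall/gjson v1.8.1\n)\n"
const NewGoMod = "module github.com/versent/saml2aws/v2\n\nrequire github.com/tidwall/gjson v1.17.0 // indirect\n"

// Advisories is the constructed advisory list: the one CVE named in the thread.
var Advisories = []Advisory{{ID: "CVE-2021-42836", Module: "github.com/tidwall/gjson", Fixed: "v1.9.3"}}

func main() {
	for name, mod := range map[string]string{"old": OldGoMod, "new": NewGoMod} {
		findings, err := Audit(mod, Advisories)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s go.mod: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Printf("  %s: %s %s is below fixed version %s\n", f.Advisory.ID, f.Advisory.Module, f.Version, f.Advisory.Fixed)
		}
	}
}
```

Run with `go run .`; the old excerpt yields one finding for CVE-2021-42836 and the v1.17.0 excerpt yields none. Numeric component comparison matters here: a lexical string comparison would rank v1.10.0 below v1.9.3 and miss or misreport fixes.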