Will there be a new release soon?

Open palladia opened this issue 5 years ago • 4 comments

Azure pipeline component detections is raising a major security issue due to ApplicationInsights-Go including satori/uuid.go. I noticed that it's been fixed recently, but will there be a new release soon to address this issue? Version 0.4.4?

palladia avatar Oct 13 '20 03:10 palladia

Yes, I am looking into whether I can get another long-wanted change in as well.

For the record, I've been aware of the satori/uuid.go bug for a while now and the underlying issue that's flagging this doesn't affect 0.4.3 (this doesn't use the broken generator routine - it's in fact the same implementation as the new library). This won't satisfy an automated tool, but I feel is worth noting.

jjjordanmsft avatar Oct 16 '20 23:10 jjjordanmsft

Is there an update on this?

Whilst I appreciate that you've identified this library isn't vulnerable to the identified issue, we use a vulnerability scanning tool as part of our CI/CD process and as such, this library is getting identified as vulnerable. This is causing some pain in our release process, as we're having to manually resolve this vulnerability each deployment.

A new release that contains the updated library would resolve this problem entirely.

cjheppell avatar Jan 11 '21 09:01 cjheppell

Understood, I'll roll one by EOW. Thanks for your patience.

jjjordanmsft avatar Jan 27 '21 00:01 jjjordanmsft

Done. Let me know if this mollifies your CI/CD pipelines.

jjjordanmsft avatar Jan 30 '21 00:01 jjjordanmsft