Request to compile envkey-source with go version 1.20.5, 1.19.10 or above #76
Replies: 2 comments
-
Hi @diogoraposo, thanks for your post and flagging these issues, but none of these are relevant in any way to envkey-source: it does not use cgo, parse javascript, or use templates. We do watch out for issues that would truly impact the security of envkey-source, but if we are rebuilding every time there is some unrelated CVE, we would be releasing new versions with no new functionality every few days, and I would argue it is actually a greater security risk to do this, as we would be pulling in new code every time that may have introduced bugs that haven't been discovered yet and are relevant to envkey-source. All that said, we do have a new release of envkey-source planned for the near future (next few weeks), so we will look at compiling that with the latest stable go version. Also, we are happy to do a spot check of any CVEs you see, so you are very welcome to post them here if you're concerned so that we can let you know if they're relevant. Thanks again.
-
Hello @danenania, thanks for the update and also for confirming the relevancy.
-
Hello team,
Some SCA scanners are flagging envkey-source as vulnerable to a considerable list of CVEs, including some considered critical:
CVE-2023-29404
CVE-2023-29405
CVE-2023-29402
CVE-2023-24540
CVE-2023-24538
The scanner that I used and flagged this is twistlock by Prisma Cloud.
While the actual exploitability of these CVEs is arguable, it would be of incredible help if we could solve the problem at its source, which would be to compile the binaries with a newer version of go.
I apologize that I can't do this myself, as I'm not really a golang developer.
Would you be so kind as to compile envkey-source with go version 1.20.5, 1.19.10 or above?
Kind regards,
Diogo
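The scanner finding above is driven entirely by the toolchain version recorded in the binary. As an added example (my own code, not part of this thread and not envkey-source's code), here is a small Go program that reads that record with the standard library's debug/buildinfo package, the same data `go version -m <binary>` prints, and reports whether the toolchain predates the patched releases named in the thread, go1.19.10 and go1.20.5. It also surfaces the CGO_ENABLED build setting, which is one of the points the maintainer raised when assessing relevance. The program name gobuildcheck, the function names, and the rule that release lines older than 1.19 count as unpatched while lines newer than 1.20 count as already patched are my assumptions, not anything the thread states.

```go
// Added example, not code from this thread or from envkey-source: read the Go
// toolchain version and CGO_ENABLED setting that `go build` records in a binary
// (the same data `go version -m <binary>` prints) and report whether the binary
// predates the patched releases named in the thread, go1.19.10 and go1.20.5.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goVersion holds a parsed toolchain version such as go1.19.10.
type goVersion struct{ major, minor, patch int }

// parseGoVersion parses "go1.19.10", "go1.20" or "go1.21rc1" (pre-release
// suffixes are dropped). It rejects forms it does not understand, e.g. "devel +abc123".
func parseGoVersion(s string) (goVersion, bool) {
	s = strings.TrimPrefix(s, "go")
	if i := strings.IndexAny(s, "rb"); i >= 0 { // cut "rc1" / "beta2" suffixes
		s = s[:i]
	}
	fields := strings.Split(s, ".")
	if len(fields) < 2 || len(fields) > 3 {
		return goVersion{}, false
	}
	var n [3]int
	for i, f := range fields {
		v, err := strconv.Atoi(f)
		if err != nil || v < 0 {
			return goVersion{}, false
		}
		n[i] = v
	}
	return goVersion{n[0], n[1], n[2]}, true
}

// less reports whether v is older than w.
func (v goVersion) less(w goVersion) bool {
	if v.major != w.major {
		return v.major < w.major
	}
	if v.minor != w.minor {
		return v.minor < w.minor
	}
	return v.patch < w.patch
}

// needsRebuild reports whether a binary built with toolchain s lacks the fixes
// that shipped in go1.19.10 and go1.20.5. Assumptions (mine, not the thread's):
// release lines older than 1.19 never received these fixes and are treated as
// needing a rebuild; lines newer than 1.20 are treated as already patched.
func needsRebuild(s string) (bool, error) {
	v, ok := parseGoVersion(s)
	if !ok {
		return false, fmt.Errorf("unrecognised Go version %q", s)
	}
	switch {
	case v.less(goVersion{1, 19, 0}):
		return true, nil
	case v.less(goVersion{1, 20, 0}):
		return v.less(goVersion{1, 19, 10}), nil
	case v.less(goVersion{1, 21, 0}):
		return v.less(goVersion{1, 20, 5}), nil
	default:
		return false, nil
	}
}

// inspect reads the build info embedded in the binary at path and returns the
// toolchain version and the CGO_ENABLED setting ("" if the setting is absent,
// as it is for binaries built before Go 1.18 started recording build settings).
func inspect(path string) (version, cgo string, err error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", "", err
	}
	for _, s := range bi.Settings {
		if s.Key == "CGO_ENABLED" {
			cgo = s.Value
		}
	}
	return bi.GoVersion, cgo, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gobuildcheck <binary>")
		os.Exit(2)
	}
	version, cgo, err := inspect(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	rebuild, err := needsRebuild(version)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("toolchain=%s cgo_enabled=%q predates_go1.19.10_or_1.20.5=%t\n", version, cgo, rebuild)
}
```

Run it as `go run . /path/to/envkey-source`. A toolchain older than the patched release is what the SCA scanner keys on; whether any of the listed CVEs is actually reachable still depends on which standard-library packages the binary links, which this check does not tell you and which the maintainer's reply addresses.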