Go Cryptography vulnerabilities detected by AWS Inspector

[davexunit]

My company uses AWS Inspector to scan the container images we use in our CI environment and we are seeing a number of vulnerabilities in the latest version (0.10.3) of the Code Climate test reporter:

• https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTO-2825234
• https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-9283.html
• https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-29652.html

All three are for the Go Crypto library: https://pkg.go.dev/golang.org/x/crypto

[davexunit]

I can see that the issue was fixed with the merging of #497 but what is the timeline for this fix making into, say, the binary download available via https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 ?

[camillof]

It should be available once #500 goes in. I would say today/tomorrow.

[davexunit]

Okay, thank you!

[camillof]

Hey @davexunit , version 0.10.4 is out! Sorry for the delay, we had some incidents last week that took our full capacity

[gugacavalieri]

Hi guys. Not sure if the binaries are actually being updated with the latest builds. This CVE is still showing for me.

Steps to reproduce it:

1. Add Dockerfile

FROM alpine:3.17.2

# install codeclimate reporter
RUN wget --quiet https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 -O /usr/local/bin/cc-test-reporter \
  && chmod +x /usr/local/bin/cc-test-reporter

2. Run a Docker scan

docker build -t cc-reporter-cve-test . && docker scout cves cc-reporter-cve-test

It comes back with the crypto CVEs that were supposably patched:

However, when I built the binary from my machine and copied it over to the Docker image it reported no CVEs. So I wonder if the binaries are being updated on CodeClimate's website.