Gospatial/tegola:latest docker image has security issues #1000

Closed
fjrsaracho opened this issue Jul 18, 2024 · 4 comments · Fixed by #1001
Comments

@fjrsaracho

Hello,

Scanning Gospatial/tegola:latest with Trivy reports a security issue marked as critical, CVE-2024-24790.

It is already fixed in stdlib >1.21.11.

[screenshot of the Trivy scan output attached]

@ARolek ARolek self-assigned this Jul 18, 2024
@ARolek
Member

ARolek commented Jul 18, 2024

@fjrsaracho thanks for the report! I will get this updated for the next release. This makes me think we should implement weekly code scanning to keep on top of these vulns. That way it's not just pushes that trigger the scan.

@fjrsaracho
Author

@ARolek Investigating a bit, it seems easy to implement; there is already an action supported by aquasecurity, check it out here: https://github.com/aquasecurity/trivy-action

May I ask why you are uploading vendors?
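The weekly scheduled scan discussed in this thread, sketched as a GitHub Actions workflow built on aquasecurity/trivy-action. This is an added example, not the tegola project's own workflow: the file name, schedule, severity thresholds and the SARIF upload step are assumptions, and the image name is the one from the report written in the lower-case form Docker requires.

```yaml
# .github/workflows/trivy-weekly.yml  (added example, not from the tegola repo)
name: Weekly container vulnerability scan

on:
  schedule:
    # Every Monday 06:00 UTC, so scans run even when nothing is pushed
    - cron: '0 6 * * 1'
  workflow_dispatch: {}

permissions:
  contents: read
  security-events: write   # required to upload SARIF to the Security tab

jobs:
  trivy-image:
    runs-on: ubuntu-latest
    steps:
      # First pass: scan the published image and record every CRITICAL/HIGH
      # finding that has a fix available, without failing the job yet.
      - name: Scan image and produce SARIF
        uses: aquasecurity/trivy-action@master   # pin to a release tag or commit SHA in production
        with:
          scan-type: 'image'
          image-ref: 'gospatial/tegola:latest'   # image from the report, lower-cased for Docker
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: true
          exit-code: '0'

      - name: Upload results to GitHub code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

      # Second pass is the gate: fail the job on any CRITICAL finding that
      # already has a fixed version, which is the signal that a rebuild and
      # new release are due.
      - name: Fail on fixable critical vulnerabilities
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'image'
          image-ref: 'gospatial/tegola:latest'
          format: 'table'
          severity: 'CRITICAL'
          ignore-unfixed: true
          exit-code: '1'
```

A scheduled run is what catches a case like this one: the image in the registry has not changed, but the vulnerability database has. A Go standard-library finding is cleared by rebuilding with a patched toolchain and republishing the image, so the gating step tells the maintainers when that release is needed rather than relying on the next push to happen to trigger a scan.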

@ARolek
Member

ARolek commented Jul 18, 2024

> @ARolek Investigating a bit seems to be easy to implement there is already an action supported by aquasecurity, check it out here: https://github.com/aquasecurity/trivy-action

Do you know if Trivy is free for open source? I have only encountered it commercially.

> May I ask why are you uploading vendors?

As in, why are we vendoring our dependencies? This is a long-debated project, but generally speaking I want the project to be buildable without needing to fetch anything externally.

@fjrsaracho
Author

fjrsaracho commented Jul 18, 2024

Hello!
It is under the Apache License 2.0, including commercial usage. You can read more at the following link: https://github.com/aquasecurity/trivy/blob/main/LICENSE

Not sure if it fits for you as a real "open-source"

Labels
None yet
Projects
Status: Done
2 participants