Fix CRITICAL CVEs #110
Conversation
Important: It still reports CVEs because the Dex library Go module doesn't use semver and its version mismatches the trivy database, see here: However, we will no longer be affected by the CVEs. The security team should add these CVEs to .trivyignore, as the Dex library version we are using is actually from v2.35.0.
✅ Deployed dex-operator on golem and it seems to be functional:
✅ Tested dex auth flow via
Important: The CVEs for the Go stdlib library will be handled separately, as they come from the Go version used by the architect orb.
Towards https://github.com/giantswarm/giantswarm/issues/31374
Summary
This PR fixes 3 CRITICAL CVEs in the dex library by upgrading to v2.35.0.
Note
As recommended by the maintainers of dex, the best way to upgrade the dex library is to use a commit hash via go get.
Scanned image:
docker.io/giantswarm/dex-operator:0.12.1
Release Checklist
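The two notes above describe one mechanism: pinning dex to a commit with go get leaves a pseudo-version in go.mod, and a scanner that only compares the version string sees its synthetic semver prefix as lower than v2.35.0 even though the pinned commit contains the fix. The Go program below is an added example, not code from dex-operator, dex or this PR. It parses go.mod require lines, decodes pseudo-versions, and shows the string-comparison verdict next to the verdict from the commit timestamp the pseudo-version carries. The module path github.com/example/dex-operator, the commit hash 3b4a2d2f3c0a, its timestamp and the fix commit time are constructed placeholders, not the real values from the PR.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// PseudoVersion is the decoded form of a Go pseudo-version such as
// v0.0.0-20230113152657-3b4a2d2f3c0a: the semver prefix is synthetic, the
// timestamp and abbreviated commit hash are what identify the code.
type PseudoVersion struct {
	Base   string    // semver prefix a string-only comparison sees, e.g. "v0.0.0"
	Commit string    // 12 hex digit abbreviated commit hash
	Time   time.Time // UTC commit timestamp encoded in the version
}

func isHex(s string) bool {
	for _, c := range s {
		if !((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f')) {
			return false
		}
	}
	return true
}

// ParsePseudoVersion recognises the layouts the go command emits for a commit
// pin: vX.0.0-TS-HASH, vX.Y.Z-0.TS-HASH and vX.Y.Z-pre.0.TS-HASH.
// It returns ok=false for an ordinary tagged version such as v2.35.0.
func ParsePseudoVersion(v string) (pv PseudoVersion, ok bool) {
	i := strings.LastIndexByte(v, '-')
	if i < 0 {
		return pv, false
	}
	hash := v[i+1:]
	if len(hash) != 12 || !isHex(hash) {
		return pv, false
	}
	rest := v[:i] // "v0.0.0-20230113152657" or "v2.34.1-0.20230113152657"
	if len(rest) < 15 || (rest[len(rest)-15] != '-' && rest[len(rest)-15] != '.') {
		return pv, false
	}
	t, err := time.Parse("20060102150405", rest[len(rest)-14:])
	if err != nil {
		return pv, false
	}
	base := rest[:len(rest)-15]
	if j := strings.IndexByte(base, '-'); j >= 0 {
		base = base[:j] // drop the "-0" / "-pre.0" pre-release marker
	}
	return PseudoVersion{Base: base, Commit: hash, Time: t.UTC()}, true
}

// compareSemver orders "vA.B.C" strings numerically by major, minor, patch,
// which is all a scanner can do with the version string alone.
func compareSemver(a, b string) int {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	num := func(p []string, k int) int {
		if k >= len(p) {
			return 0
		}
		n, _ := strconv.Atoi(p[k]) // non-numeric parts count as 0
		return n
	}
	for k := 0; k < 3; k++ {
		if x, y := num(pa, k), num(pb, k); x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// Finding is the two verdicts for one require entry.
type Finding struct {
	Module, Version string
	Pinned          bool   // version is a commit pseudo-version
	Commit          string // abbreviated commit hash when Pinned
	SemverVerdict   string // "vulnerable" or "fixed": string comparison against fixedIn
	CommitVerdict   string // "contains fix", "predates fix" or "n/a": timestamp against fixedAt
}

// AuditGoMod locates module in the go.mod text and judges its version two
// ways: by comparing the semver prefix with fixedIn, as a scanner does, and by
// comparing the commit timestamp of a pseudo-version with fixedAt, the UTC
// commit time of the fix. ok is false when the module is not required.
func AuditGoMod(goMod, module, fixedIn string, fixedAt time.Time) (Finding, bool) {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(line)
		if len(f) >= 3 && f[0] == "require" {
			f = f[1:] // single-line "require path version" form
		}
		if len(f) < 2 || f[0] != module {
			continue
		}
		fd := Finding{Module: module, Version: f[1], CommitVerdict: "n/a"}
		cmpVersion := f[1]
		if pv, ok := ParsePseudoVersion(f[1]); ok {
			fd.Pinned, fd.Commit, cmpVersion = true, pv.Commit, pv.Base
			fd.CommitVerdict = "predates fix"
			if !pv.Time.Before(fixedAt) {
				fd.CommitVerdict = "contains fix"
			}
		}
		// A pseudo-version is a pre-release of its base, so an equal base
		// still sorts below the tagged fix version in a semver comparison.
		c := compareSemver(cmpVersion, fixedIn)
		fd.SemverVerdict = "fixed"
		if c < 0 || (fd.Pinned && c == 0) {
			fd.SemverVerdict = "vulnerable"
		}
		return fd, true
	}
	return Finding{}, false
}

// Constructed sample go.mod; the dex commit hash and timestamp are
// illustrative placeholders, not the real pin from the PR.
const sampleGoMod = `module github.com/example/dex-operator

go 1.19

require (
	github.com/dexidp/dex v0.0.0-20230113152657-3b4a2d2f3c0a
	github.com/go-logr/logr v1.2.3 // indirect
)
`

// Constructed UTC commit time of the fix behind "fixed in v2.35.0"; in
// practice read it from git log on the actual fix commit.
var fixCommitTime = time.Date(2023, 1, 10, 0, 0, 0, 0, time.UTC)

func main() {
	fd, ok := AuditGoMod(sampleGoMod, "github.com/dexidp/dex", "v2.35.0", fixCommitTime)
	if !ok {
		fmt.Println("module not found in go.mod")
		return
	}
	fmt.Printf("%s %s\n  pinned commit: %s\n  string comparison vs v2.35.0: %s\n  commit timestamp vs fix: %s\n",
		fd.Module, fd.Version, fd.Commit, fd.SemverVerdict, fd.CommitVerdict)
}
```

The timestamp order is only a heuristic, because a commit can be newer than the fix and still sit on a branch that never merged it. Before adding a scanner finding to .trivyignore, confirm the pinned commit really descends from the fix commit with git merge-base --is-ancestor <fix-commit> <pinned-commit> in a checkout of the dex repository, and record that verification next to the ignore entry so it is revisited when the pin changes.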