Critical vulnerability for package golang.org/x/crypto found in latest version of cdk-notifier. #185
Hello, I'm installing the latest version, v2.13.5, of cdk-notifier and Trivy is detecting a critical vulnerability for the golang.org/x/crypto package, v0.16.0, that is packaged in cdk-notifier. When do you anticipate your Renovate bot will get this patched? I didn't see mention of it on your issue dashboard. The fix is in v0.31.0 of the crypto package. Here is a link to the Go vulnerability report: https://pkg.go.dev/vuln/GO-2024-3321.
Thank you!

Comments

I can confirm the vulnerability is listed in Dependabot alerts. This is due to the fact that the PR for updating the GitLab client failed (#117). Thanks for raising the issue. I can check tomorrow.

@passbt I updated all dependencies to latest, see #171. It has resolved 2 out of 3 security alerts. However, the problem with x/crypto stays, since the sprig module is still using an old x/crypto version. Can you also create a GitHub issue there?

I have a PR ready in case the upstream request takes too long (#186), but it would be better to fix it upstream.

I agree.

I'm not sure how long you wanted to give them, but are you open to moving forward with your PR? If I remember right, they only review changes a few times a year in the upstream project.
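The blocker discussed above is a transitive requirement: sprig pins an old x/crypto. Under Go's minimal version selection the build list takes the highest version any module in the graph requires, so a direct requirement of v0.31.0 in the consuming module's go.mod wins over sprig's v0.16.0 without waiting for upstream. The following added example (not code from cdk-notifier, and not what PR #186 does) applies that rule to constructed `go mod graph` output; the module path example.com/cdk-notifier and the sprig/oauth2 versions are placeholders, only the two x/crypto versions come from the issue.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed `go mod graph` output ("requirer requirement", path@version).
// Only the two x/crypto versions come from the issue; the rest are placeholders.
const sampleGraph = `example.com/cdk-notifier github.com/Masterminds/sprig/v3@v3.0.0
example.com/cdk-notifier golang.org/x/crypto@v0.31.0
github.com/Masterminds/sprig/v3@v3.0.0 golang.org/x/crypto@v0.16.0`

// versionLess reports whether a < b, comparing major.minor.patch numerically.
func versionLess(a, b string) bool {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < len(pa) && i < len(pb); i++ {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			return x < y
		}
	}
	return len(pa) < len(pb)
}

// SelectedVersion applies Go's minimal version selection rule: the build list
// takes the highest version of a module that any requirer demands. It returns
// that version and each requirer with the version it asked for.
func SelectedVersion(graph, module string) (string, map[string]string) {
	selected, requirers := "", map[string]string{}
	for _, line := range strings.Split(graph, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 || !strings.HasPrefix(fields[1], module+"@") {
			continue
		}
		ver := strings.TrimPrefix(fields[1], module+"@")
		requirers[fields[0]] = ver
		if selected == "" || versionLess(selected, ver) {
			selected = ver
		}
	}
	return selected, requirers
}

// Fixed reports whether the selected version is at or above the fixing release.
func Fixed(selected, fixedIn string) bool {
	return selected != "" && !versionLess(selected, fixedIn)
}
```

Run the same logic over real `go mod graph` output to see which requirer still pins the vulnerable version, then confirm with `govulncheck ./...` after bumping the direct requirement.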