bump
hey @jiaqiluo! Thank you for the heads up. Can you help me a little bit? I'm not sure how to fix these.
For example: we don't use "busybox" in the container described in the Dockerfile.
And about the openssl CVEs: should updating the alpine image fix them?
Hi @marcelcorso
I guess busybox is used somewhere by dependencies or during the build process.
Updating the alpine image will fix most of them. Since no tag is set in the Dockerfile, the latest tag will be used.
I tried to build it locally and then ran the Trivy scan again, and the results look much better.
Note: The following CVEs are not fixed upstream yet.
> trivy image sachet:v1
sachet:v1 (alpine 3.14.1)
=========================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)
+--------------+------------------+----------+-------------------+---------------+--------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+--------------+------------------+----------+-------------------+---------------+--------------------------------------+
| libcrypto1.1 | CVE-2021-3711 | HIGH | 1.1.1k-r0 | 1.1.1l-r0 | openssl: SM2 Decryption |
| | | | | | Buffer Overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3711 |
+ +------------------+----------+ + +--------------------------------------+
| | CVE-2021-3712 | MEDIUM | | | openssl: Read buffer overruns |
| | | | | | processing ASN.1 strings |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3712 |
+--------------+------------------+----------+ + +--------------------------------------+
| libssl1.1 | CVE-2021-3711 | HIGH | | | openssl: SM2 Decryption |
| | | | | | Buffer Overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3711 |
+ +------------------+----------+ + +--------------------------------------+
| | CVE-2021-3712 | MEDIUM | | | openssl: Read buffer overruns |
| | | | | | processing ASN.1 strings |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3712 |
+--------------+------------------+----------+-------------------+---------------+--------------------------------------+
Nice. Thanks. I'll try to update soon and push.
I can confirm all CVEs are fixed in messagebird/sachet:0.2.6
> trivy image messagebird/sachet:0.2.6
2021-08-30T09:49:33.192-0700 INFO Need to update DB
2021-08-30T09:49:33.192-0700 INFO Downloading DB...
23.09 MiB / 23.09 MiB [--------------------------------------------------------------------------------------------------------------------------------------] 100.00% 26.17 MiB p/s 2s
2021-08-30T09:49:38.262-0700 INFO Detected OS: alpine
2021-08-30T09:49:38.263-0700 INFO Detecting Alpine vulnerabilities...
2021-08-30T09:49:38.264-0700 INFO Number of language-specific files: 0
messagebird/sachet:0.2.6 (alpine 3.14.2)
========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
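The two scans above show the usual shape of this work: bumping the base image clears the findings that have a fixed Alpine package, while anything with no upstream fix keeps showing up until the distribution ships one. A CI gate should therefore block only on fixable findings. The script below is an added example, not code from the sachet project or from Trivy; it assumes Trivy's JSON report format (`trivy image -f json`), whose `Results[].Vulnerabilities[]` entries carry `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`. The embedded sample report is constructed to mirror the table posted above, plus one placeholder finding (a made-up identifier, not a real CVE) that has no `FixedVersion`, to exercise the "not fixed upstream" path.

```python
"""Gate a Trivy JSON report on fixable findings only.

Added example (not part of sachet or Trivy). Assumes Trivy's JSON output:
Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion,
FixedVersion (absent or empty when upstream has no fix yet) and Severity.
"""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample mirroring the sachet:v1 scan above. The last entry is a
# placeholder with a made-up ID and package name, not a real vulnerability;
# it only stands in for a finding that has no upstream fix.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "sachet:v1",
    "Results": [{
        "Target": "sachet:v1 (alpine 3.14.1)",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-3711", "PkgName": "libcrypto1.1",
             "InstalledVersion": "1.1.1k-r0", "FixedVersion": "1.1.1l-r0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2021-3712", "PkgName": "libcrypto1.1",
             "InstalledVersion": "1.1.1k-r0", "FixedVersion": "1.1.1l-r0", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2021-3711", "PkgName": "libssl1.1",
             "InstalledVersion": "1.1.1k-r0", "FixedVersion": "1.1.1l-r0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2021-3712", "PkgName": "libssl1.1",
             "InstalledVersion": "1.1.1k-r0", "FixedVersion": "1.1.1l-r0", "Severity": "MEDIUM"},
            {"VulnerabilityID": "EXAMPLE-UNFIXED-0001", "PkgName": "example-pkg",
             "InstalledVersion": "0.1-r0", "Severity": "HIGH"},
        ],
    }],
})


def load_findings(report_json):
    """Flatten every Results[].Vulnerabilities[] entry into a small dict."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy emits null (not []) for a target with no findings.
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),  # empty: no upstream fix yet
                "severity": v.get("Severity", "UNKNOWN").upper(),
            })
    return findings


def split_by_fixability(findings):
    """Separate findings with a fixed package version from those without one."""
    fixable = [f for f in findings if f["fixed"]]
    unfixed = [f for f in findings if not f["fixed"]]
    return fixable, unfixed


def summarize(findings):
    """Count findings per severity, in the same order Trivy's Total line uses."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_RANK}


def fixes_needed(fixable):
    """Map each package to the fixed versions the report asks for (FIXED VERSION column)."""
    needed = {}
    for f in fixable:
        needed.setdefault(f["pkg"], set()).add(f["fixed"])
    return {pkg: sorted(v) for pkg, v in needed.items()}


def gate(report_json, fail_on="HIGH"):
    """Return (exit_code, fixable, unfixed).

    Exit code 1 only when a *fixable* finding is at or above `fail_on`; unfixed
    findings are reported but never block, which is the same policy as
    `trivy image --ignore-unfixed --exit-code 1 --severity HIGH,CRITICAL`.
    """
    fixable, unfixed = split_by_fixability(load_findings(report_json))
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = [f for f in fixable if SEVERITY_RANK[f["severity"]] >= threshold]
    return (1 if blocking else 0), fixable, unfixed


if __name__ == "__main__":
    # Usage: python gate.py report.json   (falls back to the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, fixable, unfixed = gate(data)
    print("fixable:", summarize(fixable), "->", fixes_needed(fixable))
    for f in unfixed:
        print("no upstream fix yet:", f["id"], f["pkg"], f["installed"], f["severity"])
    sys.exit(code)
```

Generate the input with `trivy image -f json -o report.json sachet:v1` and run `python gate.py report.json`. Trivy itself can enforce the same policy with `--ignore-unfixed`, `--severity` and `--exit-code`; the value of parsing the report yourself is that the unfixed findings still get printed and can be tracked, instead of silently dropped, until the base image picks up a fix.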