[MORPHY] [wip] Merge pull request #1081 from bdunne/ssl_verify #1128
Security Report
7 new vulnerabilities were introduced in this branch.
❌ New vulnerabilities:
| CVE | Severity | CVSS Score | Vulnerable Library | Suggested Fix | Issue |
|---|---|---|---|---|---|
| CVE-2023-44487 (dependency file: /manageiq-operator/go.mod; vulnerable library path: /go/pkg/mod/cache/download/k8s.io/apimachinery/@v/v0.18.2.mod; dependency hierarchy: ❌ k8s.io/apimachinery-v0.18.2 [Vulnerable Library]) | High | 7.5 | k8s.io/apimachinery-v0.18.2 | Upgrade to version: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0 | None |
| CVE-2020-26160 (dependency file: /manageiq-operator/go.mod; vulnerable library path: /go/pkg/mod/cache/download/github.com/dgrijalva/jwt-go/@v/v3.2.0+incompatible.mod; dependency hierarchy: k8s.io/client-go-v0.18.2 [Root Library] -> github.com/Azure/go-autorest/autorest/adal-v0.8.1-0.20191028180845-3492b2aff503 -> ❌ github.com/dgrijalva/jwt-go-v3.2.0+incompatible [Vulnerable Library]) | High | 7.5 | github.com/dgrijalva/jwt-go-v3.2.0+incompatible | Upgrade to version: 4.0.0-preview1 | #801 |
| CVE-2020-14040 (dependency file: /manageiq-operator/go.mod; vulnerable library path: /go/pkg/mod/cache/download/github.com/coreos/prometheus-operator/@v/v0.38.1-0.20200424145508-7e176fda06cc.mod; dependency hierarchy: github.com/ManageIQ/operator-sdk-v0.18.2-1 [Root Library] -> ❌ github.com/coreos/prometheus-operator-v0.38.1-0.20200424145508-7e176fda06cc [Vulnerable Library]) | High | 7.5 | github.com/coreos/prometheus-operator-v0.38.1-0.20200424145508-7e176fda06cc | Upgrade to version: v0.3.3 | #810 |
| CVE-2020-15113 (dependency file: /manageiq-operator/go.mod; vulnerable library path: /go/pkg/mod/cache/download/github.com/coreos/prometheus-operator/@v/v0.38.1-0.20200424145508-7e176fda06cc.mod; dependency hierarchy: github.com/ManageIQ/operator-sdk-v0.18.2-1 [Root Library] -> ❌ github.com/coreos/prometheus-operator-v0.38.1-0.20200424145508-7e176fda06cc [Vulnerable Library]) | High | 7.1 | github.com/coreos/prometheus-operator-v0.38.1-0.20200424145508-7e176fda06cc | Upgrade to version: 3.4.10, 3.3.23 | None |
| CVE-2020-8559 (dependency file: /manageiq-operator/go.mod; vulnerable library path: /go/pkg/mod/cache/download/k8s.io/apimachinery/@v/v0.18.2.mod; dependency hierarchy: ❌ k8s.io/apimachinery-v0.18.2 [Vulnerable Library]) | Medium | 6.8 | k8s.io/apimachinery-v0.18.2 | Upgrade to version: v1.18.6,v1.17.9,v1.16.13 | #804 |
| CVE-2024-24786 (dependency file: /manageiq-operator/go.mod; vulnerable library path: /go/pkg/mod/cache/download/google.golang.org/protobuf/@v/v1.26.0-rc.1.mod; dependency hierarchy: k8s.io/client-go-v0.18.2 [Root Library] -> github.com/golang/protobuf-v1.4.3 -> ❌ google.golang.org/protobuf-v1.26.0-rc.1 [Vulnerable Library]) | Medium | 6.5 | google.golang.org/protobuf-v1.26.0-rc.1 | Upgrade to version: v1.33.0 | None |
| CVE-2020-8565 (dependency file: /manageiq-operator/go.mod; vulnerable library path: /go/pkg/mod/cache/download/k8s.io/client-go/@v/v0.18.2.mod; dependency hierarchy: ❌ k8s.io/client-go-v0.18.2 [Vulnerable Library]) | Medium | 5.5 | k8s.io/client-go-v0.18.2 | Upgrade to version: v1.20.0-alpha.2 | #808 |
Base branch total remaining vulnerabilities: 0
Base branch commit: c52891e3f4e1223fdb6852ad30c68857c604b50f
Total libraries scanned: 68
Scan token: 5aee5e30042e4d558d2660e55e40eed9