  1. MongoDB Database Tools
  2. TOOLS-2962

4.4.x TOOLS uses a vulnerable Go version

    • Type: Bug
    • Resolution: Gone away
    • Priority: Minor - P4
    • 100.3.1
    • Affects Version/s: None
    • Component/s: All Tools
    • None

      Problem Statement/Rationale

      Customer runs a container security scan on the image and finds a critical Go vulnerability:

      CVE-2020-28367 | high | 7.50 | go | 1.13.10 | fixed in 1.15.5, 1.14.12 | > 8 months

      Steps to Reproduce

      Twistlock scan on associated Kubernetes operator deployment images

      Expected Results

      Pass with medium and low CVEs

      Actual Results

      CVE-2020-28367 | high | 7.50 | go | 1.13.10 | fixed in 1.15.5, 1.14.12 | > 8 months

      Additional Notes

      This is fixed in the latest MongoDB tools shipping with 5.x. The customer wants to know why we cannot re-compile with a better Go version and re-release.

            Assignee: Tim Fogarty (tim.fogarty@mongodb.com)
            Reporter: Priyo Lahiri (Inactive) (priyo.lahiri@mongodb.com)