
gcp (and snyk) container scan output #2883

Closed
robmonct opened this issue Dec 27, 2022 · 22 comments
Labels
bug Something isn't working security

Comments

@robmonct

robmonct commented Dec 27, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Overview of the Issue

According to the GCP vulnerability scan, the latest Atlantis versions are affected by 3 critical, 36 high and 5 medium vulnerabilities.

Additional Context

Critical:
CVE-2022-23806
CVE-2021-38297
CVE-2022-26945

High:
CVE-2022-38149
CVE-2022-2879
CVE-2021-3121
CVE-2022-30630
CVE-2022-30631
CVE-2021-33194
CVE-2021-37219
CVE-2021-41771
CVE-2021-36213
CVE-2022-24675
CVE-2022-24921
CVE-2022-23772
CVE-2022-41715
CVE-2022-30323
CVE-2021-41772
CVE-2022-30635
CVE-2022-23773
CVE-2022-32190
CVE-2022-2880
CVE-2022-30322
CVE-2021-33196
CVE-2022-28131
CVE-2022-27664
CVE-2022-30632
CVE-2021-33198
CVE-2022-30633
CVE-2021-32574
CVE-2022-30321
CVE-2021-39293
CVE-2021-33195
CVE-2022-29153
CVE-2022-30580
CVE-2021-29923
CVE-2021-44716
CVE-2022-28327
CVE-2022-32189

Medium:
CVE-2021-33197
CVE-2022-32148
CVE-2022-41717
CVE-2022-40716
CVE-2018-1099
CVE-2020-29509
CVE-2022-29810
CVE-2021-34558
CVE-2022-1962
CVE-2021-38698
CVE-2022-29162

@robmonct robmonct added the bug Something isn't working label Dec 27, 2022
@nitrocode
Member

nitrocode commented Dec 27, 2022

Hi @robmonct. Thanks for the ticket. We upgraded many golang and docker dependencies recently but haven't done an official release. We used to use dependabot to keep up with new versions and have recently switched to renovatebot.

I don't have access to GCP but could you scan the latest dev image?

Related issues

Alpine images https://github.com/orgs/runatlantis/packages/container/atlantis

  • dev - updated with every new PR merge
  • latest - latest stable version currently v0.21.0
  • prerelease - latest prerelease currently v0.22.0-pre.20221226

We recently also added debian support so feel free to scan those.

Please feel free to propose changes to resolve some of these issues.

Could you also go over some of these vulnerabilities? Some may not affect atlantis.

For example,

Critical:
GHSA-8c83-vp4v-h7fq - resolved by using latest golang. We use go 1.19 in the latest release.
GHSA-xv38-944c-p763 - resolved by using latest golang. We use go 1.19 in the latest release.
GHSA-x24g-9w7v-vprh - resolved by latest go-getter. We use 2.1.1 in dev image and 1.6.2 in the latest release.

go 1.19

github.com/hashicorp/go-getter/v2 v2.1.1

@nitrocode nitrocode added waiting-on-response Waiting for a response from the user needs discussion Large change that needs review from community/maintainers security labels Dec 27, 2022
@nitrocode nitrocode changed the title Three critical CVEs affecting atlantis latest versions gcp container scan lists potential CVEs Dec 27, 2022
@robmonct
Author

Hi
Thank you for the quick response.
I've tried with dev, latest and prerelease and the list is the same. Debian versions have more vulnerabilities. Maybe some of them don't affect atlantis; I've reported them just for your information.

I don't understand why it is showing the vulnerability with a newer version of Go. The information for the critical ones is this:

(three screenshots attached)

Thanks in advance.

@nitrocode
Member

That is quite bizarre. If you pay for support from gcp, I would contact them about it. Once you do, please follow up here so we know what the potential next steps are to improve the project.

@robmonct
Author

If I'm not wrong, the problem is that you are building the new versions with this base:

ARG ATLANTIS_BASE=ghcr.io/runatlantis/atlantis-base
ARG ATLANTIS_BASE_TAG_DATE=2022.12.12
ARG ATLANTIS_BASE_TAG_TYPE=alpine

# Stage 1: build artifact

FROM golang:1.19.4-alpine AS builder

WORKDIR /app
COPY . /app
RUN --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
    CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -v -o atlantis .

# Stage 2
# The runatlantis/atlantis-base is created by docker-base/Dockerfile
FROM ${ATLANTIS_BASE}:${ATLANTIS_BASE_TAG_DATE}-${ATLANTIS_BASE_TAG_TYPE} AS base

So you are using the image ghcr.io/runatlantis/atlantis-base:2022.12.12-alpine as a base, which contains most of the vulnerabilities included in the dev and prerelease versions. Is that possible?

@nitrocode
Member

You are correct that the atlantis-base image (alpine, debian) is built first and then the atlantis (alpine, debian) uses the respective base image.

However, many of the critical vulnerabilities (and other vulnerabilities) that you posted affect neither the latest code base (see dev image) nor the latest released version (see v0.21.0 image). Many of those vulnerabilities are from older golang versions and I do not quite understand why gcp's container scan is flagging them.

I pointed the references to the code where the latest golang version is used.

Have you

  • scanned the atlantis binary itself or its go.mod which is built from the latest golang version?
  • reached out to GCP support to verify these issues?
  • read through the code to confirm the issues?

@robmonct
Author

I don't understand either why the scan is showing them then.
I didn't scan atlantis binary itself.
The scan is in preview, so maybe they don't give support. I will try it just in case.
Not yet.

@nitrocode
Member

I'm going to close this for now to avoid alarming anyone until there is a CVE that's affecting the current release.

Once you have more information, please respond and if there are action items, we can reopen the issue.

@robmonct
Author

robmonct commented Dec 29, 2022

Scanning the current release with Snyk, this is the output, just in case it is useful:

target ghcr.io/runatlantis/atlantis:dev (2 issues)
docker scan ghcr.io/runatlantis/atlantis:dev                                                                                                                                   

Testing ghcr.io/runatlantis/atlantis:dev...

✗ Low severity vulnerability found in curl/libcurl
  Description: CVE-2022-43551
  Info: https://security.snyk.io/vuln/SNYK-ALPINE317-CURL-3179543
  Introduced through: curl/libcurl@7.86.0-r1, curl/curl@7.86.0-r1, git/git@2.38.2-r0
  From: curl/libcurl@7.86.0-r1
  From: curl/curl@7.86.0-r1 > curl/libcurl@7.86.0-r1
  From: git/git@2.38.2-r0 > curl/libcurl@7.86.0-r1
  and 1 more...
  Fixed in: 7.87.0-r0

✗ Low severity vulnerability found in curl/libcurl
  Description: CVE-2022-43552
  Info: https://security.snyk.io/vuln/SNYK-ALPINE317-CURL-3179544
  Introduced through: curl/libcurl@7.86.0-r1, curl/curl@7.86.0-r1, git/git@2.38.2-r0
  From: curl/libcurl@7.86.0-r1
  From: curl/curl@7.86.0-r1 > curl/libcurl@7.86.0-r1
  From: git/git@2.38.2-r0 > curl/libcurl@7.86.0-r1
  and 1 more...
  Fixed in: 7.87.0-r0



Organization:      robmonct
Package manager:   apk
Project name:      docker-image|ghcr.io/runatlantis/atlantis
Docker image:      ghcr.io/runatlantis/atlantis:dev
Platform:          linux/arm64
Licenses:          enabled

Tested 44 dependencies for known issues, found 2 issues.

-------------------------------------------------------
target /usr/local/bin/atlantis (0 issues)
Testing ghcr.io/runatlantis/atlantis:dev...

Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/atlantis
Project name:      github.com/runatlantis/atlantis
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

✔ Tested 206 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------
target /usr/local/bin/cft/versions/0.37.0/conftest (0 issues)
Testing ghcr.io/runatlantis/atlantis:dev...

Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/cft/versions/0.37.0/conftest
Project name:      go-distribution@command-line-arguments
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

✔ Tested 530 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------
target /usr/local/bin/tf/versions/1.0.11/terraform (14 issues)
Testing ghcr.io/runatlantis/atlantis:dev...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.6
  From: golang.org/x/text/language@v0.3.6
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/text/internal/language
  Description: Out-of-bounds Read
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTINTERNALLANGUAGE-2400718
  Introduced through: golang.org/x/text/internal/language@v0.3.6
  From: golang.org/x/text/internal/language@v0.3.6
  Fixed in: 0.3.7

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  From: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  Fixed in: 0.4.0

✗ Medium severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-2429769
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  From: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  Fixed in: 0.0.0-20220314234659-1baeb1ce4c0b

✗ Medium severity vulnerability found in github.com/hashicorp/go-getter/helper/url
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTERHELPERURL-2804031
  Introduced through: github.com/hashicorp/go-getter/helper/url@v1.5.2
  From: github.com/hashicorp/go-getter/helper/url@v1.5.2
  Fixed in: 1.5.11

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-2313688
  Introduced through: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  From: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  Fixed in: 0.0.0-20211209124913-491a49abca63

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  From: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1

✗ High severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-3026972
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  From: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  Fixed in: 0.0.0-20211202192323-5770296d904e

✗ High severity vulnerability found in github.com/satori/go.uuid
  Description: Insecure Randomness
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488
  Introduced through: github.com/satori/go.uuid@v1.2.0
  From: github.com/satori/go.uuid@v1.2.0

✗ High severity vulnerability found in github.com/hashicorp/go-slug
  Description: Arbitrary File Write via Archive Extraction (Zip Slip)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOSLUG-1048304
  Introduced through: github.com/hashicorp/go-slug@v0.4.1
  From: github.com/hashicorp/go-slug@v0.4.1
  Fixed in: 0.5.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Command Injection
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2421223
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847924
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847925
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847926
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0



Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/tf/versions/1.0.11/terraform
Project name:      github.com/hashicorp/terraform
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

Tested 576 dependencies for known issues, found 14 issues.

-------------------------------------------------------
target /usr/local/bin/tf/versions/1.1.9/terraform (12 issues)
Testing ghcr.io/runatlantis/atlantis:dev...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  From: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  Fixed in: 0.4.0

✗ Medium severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-2429769
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  From: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  Fixed in: 0.0.0-20220314234659-1baeb1ce4c0b

✗ Medium severity vulnerability found in github.com/hashicorp/go-getter/helper/url
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTERHELPERURL-2804031
  Introduced through: github.com/hashicorp/go-getter/helper/url@v1.5.9
  From: github.com/hashicorp/go-getter/helper/url@v1.5.9
  Fixed in: 1.5.11

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: NULL Pointer Dereference
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.1

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  From: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1

✗ High severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-3026972
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  From: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  Fixed in: 0.0.0-20211202192323-5770296d904e

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Command Injection
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2421223
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847924
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847925
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847926
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0



Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/tf/versions/1.1.9/terraform
Project name:      github.com/hashicorp/terraform
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

Tested 623 dependencies for known issues, found 12 issues.

-------------------------------------------------------
target /usr/local/bin/tf/versions/1.2.9/terraform (5 issues)
Testing ghcr.io/runatlantis/atlantis:dev...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  From: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  Fixed in: 0.4.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: NULL Pointer Dereference
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.1

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  From: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1



Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/tf/versions/1.2.9/terraform
Project name:      github.com/hashicorp/terraform
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

Tested 628 dependencies for known issues, found 5 issues.

-------------------------------------------------------
target /usr/local/bin/tf/versions/1.3.6/terraform (2 issues)
Testing ghcr.io/runatlantis/atlantis:dev...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20220927171203-f486391704dc
  From: golang.org/x/net/http2@v0.0.0-20220927171203-f486391704dc
  Fixed in: 0.4.0



Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/tf/versions/1.3.6/terraform
Project name:      github.com/hashicorp/terraform
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

Tested 590 dependencies for known issues, found 2 issues.

-------------------------------------------------------
target github.com/tianon/gosu (0 issues)
Testing ghcr.io/runatlantis/atlantis:dev...

Organization:      robmonct
Package manager:   gomodules
Target file:       /bin/gosu
Project name:      github.com/tianon/gosu
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

✔ Tested 3 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------
target /usr/bin/git-lfs (0 issues)
Testing ghcr.io/runatlantis/atlantis:dev...

Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/bin/git-lfs
Project name:      github.com/git-lfs/git-lfs/v3
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

✔ Tested ghcr.io/runatlantis/atlantis:dev for known issues, no vulnerable paths found.


Tested 9 projects, 5 contained vulnerable paths.

@nitrocode nitrocode reopened this Dec 29, 2022
@nitrocode nitrocode changed the title gcp container scan lists potential CVEs gcp (and snyk) container scan output Dec 29, 2022
@nitrocode
Member

Thank you @robmonct. The snyk scan looks a lot more actionable. The curl and git-lfs versions are about to be bumped in a contributed PR #2889.

Please feel free to propose changes to resolve any of the other issues raised here.

@nitrocode nitrocode removed waiting-on-response Waiting for a response from the user needs discussion Large change that needs review from community/maintainers labels Dec 29, 2022
@nitrocode
Member

Some of these vulnerabilities are a bit odd again or seem to be "stale". It's possible that your local dev image may be an older version?

golang.org/x/text v0.5.0

These seem to be flagged appropriately. I did not do a full search. I only spot checked.

atlantis/go.mod

Line 123 in e0f92e7

golang.org/x/net v0.2.0 // indirect

atlantis/go.mod

Line 122 in e0f92e7

golang.org/x/crypto v0.3.0 // indirect

gopkg.in/yaml.v2 v2.4.0

The YAML dependency is an open issue at the moment since it's difficult to get 1:1 results, at the moment, with the v2.

@robmonct
Author

My dev image is yesterday's dev image. I think the problem is related to this: https://stackoverflow.com/questions/69825533/why-does-go-sum-include-so-many-older-packages
go.sum contains older versions even if they aren't being used, and GCP and Snyk take them as vulnerabilities.
Is that possible? I'm trying to find out how to remove those older versions from the go.sum file.

@nitrocode
Member

@robmonct I'm unsure if that's the case. Some of the snyk issues you mentioned are actual issues which were just addressed today.

The dependencies you're referring to may be the // indirect dependencies which come from other dependencies.

Please download a fresh dev / dev-alpine image and scan.

The dev-debian image is new and currently unused. It has more vulnerabilities most likely due to the fact that the debian package repositories are slower to upgrade.

I wrote up a small issue here to help address more of these docker image dependency issues going forward #2890. Please feel free to comment there on the process if you have suggestions.
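One way to settle the go.sum question raised in the last two comments, and the earlier suggestion to scan the atlantis binary itself rather than its module files, is to compare go.sum against the module list the Go linker embeds in the binary. The program below is an added example written for this thread, not Atlantis project code. go.sum records a hash for every module version the module graph has ever touched, including versions that lost minimum-version selection and were never compiled in, whereas `go version -m <binary>` (or the `debug/buildinfo` package) lists exactly what is linked. Entries present in go.sum but absent from the build info are the ones a go.sum-based scanner can flag for code that is not in the image; a version that does appear in the build info is a real finding and should be treated as one. The sample go.sum lines and `go version -m` output are constructed (hashes are placeholders); the version strings are the ones that appear in this thread.

```go
package main

import (
	"bufio"
	"debug/buildinfo"
	"fmt"
	"os"
	"sort"
	"strings"
)

// Module is one module path pinned to one version.
type Module struct{ Path, Version string }

// Constructed sample go.sum (hashes are placeholders). The x/net pseudo-version
// is the one Snyk flags in this thread; v0.2.0 and v0.3.0 match atlantis go.mod.
const sampleGoSum = `golang.org/x/crypto v0.3.0 h1:PLACEHOLDER=
golang.org/x/crypto v0.3.0/go.mod h1:PLACEHOLDER=
golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:PLACEHOLDER=
golang.org/x/net v0.2.0 h1:PLACEHOLDER=
golang.org/x/net v0.2.0/go.mod h1:PLACEHOLDER=
`

// Constructed sample of `go version -m <binary>` output for the same build.
const sampleVersionM = `atlantis: go1.19.4
	path	github.com/runatlantis/atlantis
	mod	github.com/runatlantis/atlantis	(devel)
	dep	golang.org/x/crypto	v0.3.0	h1:PLACEHOLDER=
	dep	golang.org/x/net	v0.2.0	h1:PLACEHOLDER=
`

// ParseGoSum returns every distinct (path, version) pair go.sum records. go.sum
// also keeps hashes for versions that lost minimum-version selection, so this
// set is a superset of what the linker compiled in.
func ParseGoSum(goSum string) []Module {
	seen := map[Module]bool{}
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 3 {
			seen[Module{f[0], strings.TrimSuffix(f[1], "/go.mod")}] = true
		}
	}
	out := make([]Module, 0, len(seen))
	for m := range seen {
		out = append(out, m)
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Path+" "+out[i].Version < out[j].Path+" "+out[j].Version
	})
	return out
}

// ParseVersionM keeps the `dep` lines of `go version -m` output: the modules
// actually linked into the binary, exactly one version per path.
func ParseVersionM(out string) map[string]string {
	linked := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) >= 3 && f[0] == "dep" {
			linked[f[1]] = f[2]
		}
	}
	return linked
}

// LinkedModules reads the same embedded build info straight from a Go binary on
// disk (e.g. /usr/local/bin/atlantis copied out of the image), honouring replaces.
func LinkedModules(path string) (map[string]string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	linked := map[string]string{}
	for _, d := range bi.Deps {
		if d.Replace != nil {
			d = d.Replace
		}
		linked[d.Path] = d.Version
	}
	return linked, nil
}

// StaleSumEntries returns go.sum entries whose version is not the linked one:
// the findings a go.sum-based scanner can raise for code that is not in the image.
func StaleSumEntries(sum []Module, linked map[string]string) []Module {
	var stale []Module
	for _, m := range sum {
		if linked[m.Path] != m.Version {
			stale = append(stale, m)
		}
	}
	return stale
}

func main() {
	linked := ParseVersionM(sampleVersionM)
	if len(os.Args) > 1 { // optional: compare go.sum against a real Go binary instead
		real, err := LinkedModules(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		linked = real
	}
	for _, m := range StaleSumEntries(ParseGoSum(sampleGoSum), linked) {
		fmt.Printf("in go.sum but not linked: %s %s\n", m.Path, m.Version)
	}
}
```

Run without arguments it reports the one stale entry in the constructed data (the x/net pseudo-version); pass the path of a binary copied out of the image to compare the sample go.sum against what is really linked there, or replace `sampleGoSum` with the repository's go.sum to reproduce the comparison the thread is discussing.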

@nitrocode
Member

Also, regarding the issues with older versions of terraform that snyk is flagging: we recently culled the 0.x versions from the container, and the older 1.0.x, 1.1.x, 1.2.x may be next to remove since terraform will auto-download versions based on the hcl required_version block.

Now that we know that security is flagging those, it may give more credence to the argument of only supporting the latest tf version.

@nitrocode
Member

nitrocode commented Dec 29, 2022

I updated your comment here with summaries #2883 (comment)

These ones are out of scope:

  • /usr/local/bin/tf/versions/*/terraform

These ones are in scope:

  • ghcr.io/runatlantis/atlantis:dev-alpine
  • ghcr.io/runatlantis/atlantis:dev-debian
  • github.com/tianon/gosu
  • /usr/bin/git-lfs

The only remaining issues are in the debian image which currently is set to only installing packages from its stable repository. This limits it to older versions even if they are technically vulnerable such as curl. We could install from unstable but that may cause other issues.

For now, we are discussing using >= pins in the Dockerfile.debian image to keep more up to date. See PR #2896. This will not resolve the current debian curl issues (for example) but will allow us to upgrade sooner when those packages are available from the stable repository.

cc: @jamengual

@robmonct
Author

robmonct commented Dec 30, 2022

Thanks for your work @nitrocode
I've downloaded the new dev version and this is the scan output:

scan results
DOCKER_HOST=unix:///Users/$(whoami)/Library/Containers/com.docker.docker/Data/docker.raw.sock docker scan ghcr.io/runatlantis/atlantis:dev                                                                                                                     

Testing ghcr.io/runatlantis/atlantis:dev...

Organization:      robmonct
Package manager:   apk
Project name:      docker-image|ghcr.io/runatlantis/atlantis
Docker image:      ghcr.io/runatlantis/atlantis:dev
Platform:          linux/arm64
Licenses:          enabled

✔ Tested 44 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev...

Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/atlantis
Project name:      github.com/runatlantis/atlantis
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

✔ Tested 206 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev...

Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/cft/versions/0.37.0/conftest
Project name:      go-distribution@command-line-arguments
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

✔ Tested 530 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.6
  From: golang.org/x/text/language@v0.3.6
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/text/internal/language
  Description: Out-of-bounds Read
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTINTERNALLANGUAGE-2400718
  Introduced through: golang.org/x/text/internal/language@v0.3.6
  From: golang.org/x/text/internal/language@v0.3.6
  Fixed in: 0.3.7

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  From: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  Fixed in: 0.4.0

✗ Medium severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-2429769
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  From: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  Fixed in: 0.0.0-20220314234659-1baeb1ce4c0b

✗ Medium severity vulnerability found in github.com/hashicorp/go-getter/helper/url
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTERHELPERURL-2804031
  Introduced through: github.com/hashicorp/go-getter/helper/url@v1.5.2
  From: github.com/hashicorp/go-getter/helper/url@v1.5.2
  Fixed in: 1.5.11

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-2313688
  Introduced through: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  From: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  Fixed in: 0.0.0-20211209124913-491a49abca63

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  From: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1

✗ High severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-3026972
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  From: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  Fixed in: 0.0.0-20211202192323-5770296d904e

✗ High severity vulnerability found in github.com/satori/go.uuid
  Description: Insecure Randomness
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488
  Introduced through: github.com/satori/go.uuid@v1.2.0
  From: github.com/satori/go.uuid@v1.2.0

✗ High severity vulnerability found in github.com/hashicorp/go-slug
  Description: Arbitrary File Write via Archive Extraction (Zip Slip)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOSLUG-1048304
  Introduced through: github.com/hashicorp/go-slug@v0.4.1
  From: github.com/hashicorp/go-slug@v0.4.1
  Fixed in: 0.5.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Command Injection
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2421223
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847924
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847925
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847926
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0



Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/tf/versions/1.0.11/terraform
Project name:      github.com/hashicorp/terraform
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

Tested 576 dependencies for known issues, found 14 issues.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  From: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  Fixed in: 0.4.0

✗ Medium severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-2429769
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  From: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  Fixed in: 0.0.0-20220314234659-1baeb1ce4c0b

✗ Medium severity vulnerability found in github.com/hashicorp/go-getter/helper/url
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTERHELPERURL-2804031
  Introduced through: github.com/hashicorp/go-getter/helper/url@v1.5.9
  From: github.com/hashicorp/go-getter/helper/url@v1.5.9
  Fixed in: 1.5.11

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: NULL Pointer Dereference
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.1

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  From: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1

✗ High severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-3026972
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  From: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  Fixed in: 0.0.0-20211202192323-5770296d904e

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Command Injection
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2421223
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847924
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847925
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847926
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0



Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/tf/versions/1.1.9/terraform
Project name:      github.com/hashicorp/terraform
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

Tested 623 dependencies for known issues, found 12 issues.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  From: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  Fixed in: 0.4.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: NULL Pointer Dereference
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.1

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  From: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1



Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/tf/versions/1.2.9/terraform
Project name:      github.com/hashicorp/terraform
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

Tested 628 dependencies for known issues, found 5 issues.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20220927171203-f486391704dc
  From: golang.org/x/net/http2@v0.0.0-20220927171203-f486391704dc
  Fixed in: 0.4.0



Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/tf/versions/1.3.6/terraform
Project name:      github.com/hashicorp/terraform
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

Tested 590 dependencies for known issues, found 2 issues.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev...

Organization:      robmonct
Package manager:   gomodules
Target file:       /bin/gosu
Project name:      github.com/tianon/gosu
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

✔ Tested 3 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2
  From: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2
  Fixed in: 0.4.0

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-2313688
  Introduced through: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2
  From: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2
  Fixed in: 0.0.0-20211209124913-491a49abca63

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2
  From: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1



Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/bin/git-lfs
Project name:      go-distribution@command-line-arguments
Docker image:      ghcr.io/runatlantis/atlantis:dev
Licenses:          enabled

Tested 62 dependencies for known issues, found 4 issues.


Tested 9 projects, 5 contained vulnerable paths.

This is the scan output for dev-debian

DOCKER_HOST=unix:///Users/$(whoami)/Library/Containers/com.docker.docker/Data/docker.raw.sock docker scan ghcr.io/runatlantis/atlantis:dev-debian

Testing ghcr.io/runatlantis/atlantis:dev-debian...

✗ Low severity vulnerability found in util-linux/libblkid1
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-UTILLINUX-2401081
  Introduced through: util-linux/libblkid1@2.36.1-8+deb11u1, e2fsprogs@1.46.2-2, util-linux/libmount1@2.36.1-8+deb11u1, util-linux/mount@2.36.1-8+deb11u1, util-linux/libuuid1@2.36.1-8+deb11u1, util-linux@2.36.1-8+deb11u1, util-linux/bsdutils@1:2.36.1-8+deb11u1, util-linux/libsmartcols1@2.36.1-8+deb11u1
  From: util-linux/libblkid1@2.36.1-8+deb11u1
  From: e2fsprogs@1.46.2-2 > util-linux/libblkid1@2.36.1-8+deb11u1
  From: util-linux/libmount1@2.36.1-8+deb11u1 > util-linux/libblkid1@2.36.1-8+deb11u1
  and 15 more...

✗ Low severity vulnerability found in unzip
  Description: NULL Pointer Dereference
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-UNZIP-2387325
  Introduced through: unzip@6.0-26+deb11u1
  From: unzip@6.0-26+deb11u1

✗ Low severity vulnerability found in tar
  Description: CVE-2005-2541
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-TAR-523480
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > tar@1.34+dfsg-1

✗ Low severity vulnerability found in systemd/libsystemd0
  Description: Authentication Bypass
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SYSTEMD-1291054
  Introduced through: apt@2.2.4, openssh/openssh-server@1:8.4p1-5+deb11u1, util-linux/bsdutils@1:2.36.1-8+deb11u1, util-linux/mount@2.36.1-8+deb11u1
  From: apt@2.2.4 > systemd/libsystemd0@247.3-7+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > systemd/libsystemd0@247.3-7+deb11u1
  From: util-linux/bsdutils@1:2.36.1-8+deb11u1 > systemd/libsystemd0@247.3-7+deb11u1
  and 6 more...

✗ Low severity vulnerability found in systemd/libsystemd0
  Description: Off-by-one Error
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SYSTEMD-3111119
  Introduced through: apt@2.2.4, openssh/openssh-server@1:8.4p1-5+deb11u1, util-linux/bsdutils@1:2.36.1-8+deb11u1, util-linux/mount@2.36.1-8+deb11u1
  From: apt@2.2.4 > systemd/libsystemd0@247.3-7+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > systemd/libsystemd0@247.3-7+deb11u1
  From: util-linux/bsdutils@1:2.36.1-8+deb11u1 > systemd/libsystemd0@247.3-7+deb11u1
  and 6 more...

✗ Low severity vulnerability found in systemd/libsystemd0
  Description: CVE-2022-4415
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SYSTEMD-3177742
  Introduced through: apt@2.2.4, openssh/openssh-server@1:8.4p1-5+deb11u1, util-linux/bsdutils@1:2.36.1-8+deb11u1, util-linux/mount@2.36.1-8+deb11u1
  From: apt@2.2.4 > systemd/libsystemd0@247.3-7+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > systemd/libsystemd0@247.3-7+deb11u1
  From: util-linux/bsdutils@1:2.36.1-8+deb11u1 > systemd/libsystemd0@247.3-7+deb11u1
  and 6 more...

✗ Low severity vulnerability found in systemd/libsystemd0
  Description: Link Following
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SYSTEMD-524969
  Introduced through: apt@2.2.4, openssh/openssh-server@1:8.4p1-5+deb11u1, util-linux/bsdutils@1:2.36.1-8+deb11u1, util-linux/mount@2.36.1-8+deb11u1
  From: apt@2.2.4 > systemd/libsystemd0@247.3-7+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > systemd/libsystemd0@247.3-7+deb11u1
  From: util-linux/bsdutils@1:2.36.1-8+deb11u1 > systemd/libsystemd0@247.3-7+deb11u1
  and 6 more...

✗ Low severity vulnerability found in sqlite3/libsqlite3-0
  Description: CVE-2021-36690
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SQLITE3-1569419
  Introduced through: gnupg2/gnupg@2.2.27-2+deb11u2
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/gpg@2.2.27-2+deb11u2 > sqlite3/libsqlite3-0@3.34.1-3

✗ Low severity vulnerability found in sqlite3/libsqlite3-0
  Description: Memory Leak
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SQLITE3-2407045
  Introduced through: gnupg2/gnupg@2.2.27-2+deb11u2
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/gpg@2.2.27-2+deb11u2 > sqlite3/libsqlite3-0@3.34.1-3

✗ Low severity vulnerability found in sqlite3/libsqlite3-0
  Description: Improper Validation of Array Index
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SQLITE3-2959400
  Introduced through: gnupg2/gnupg@2.2.27-2+deb11u2
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/gpg@2.2.27-2+deb11u2 > sqlite3/libsqlite3-0@3.34.1-3

✗ Low severity vulnerability found in shadow/passwd
  Description: Access Restriction Bypass
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SHADOW-526940
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1, gnupg2/gnupg@2.2.27-2+deb11u2, shadow/login@1:4.8.1-1, util-linux/mount@2.36.1-8+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 > shadow/passwd@1:4.8.1-1
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > adduser@3.118 > shadow/passwd@1:4.8.1-1
  From: shadow/login@1:4.8.1-1
  and 1 more...

✗ Low severity vulnerability found in shadow/passwd
  Description: Time-of-check Time-of-use (TOCTOU)
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SHADOW-528840
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1, gnupg2/gnupg@2.2.27-2+deb11u2, shadow/login@1:4.8.1-1, util-linux/mount@2.36.1-8+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 > shadow/passwd@1:4.8.1-1
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > adduser@3.118 > shadow/passwd@1:4.8.1-1
  From: shadow/login@1:4.8.1-1
  and 1 more...

✗ Low severity vulnerability found in shadow/passwd
  Description: Incorrect Permission Assignment for Critical Resource
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SHADOW-539870
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1, gnupg2/gnupg@2.2.27-2+deb11u2, shadow/login@1:4.8.1-1, util-linux/mount@2.36.1-8+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1 > shadow/passwd@1:4.8.1-1
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > adduser@3.118 > shadow/passwd@1:4.8.1-1
  From: shadow/login@1:4.8.1-1
  and 1 more...

✗ Low severity vulnerability found in perl/perl-modules-5.32
  Description: Improper Verification of Cryptographic Signature
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-PERL-1925976
  Introduced through: git@1:2.30.2-1, meta-common-packages@meta
  From: git@1:2.30.2-1 > perl@5.32.1-4+deb11u2 > perl/perl-modules-5.32@5.32.1-4+deb11u2
  From: git@1:2.30.2-1 > perl@5.32.1-4+deb11u2 > perl/libperl5.32@5.32.1-4+deb11u2 > perl/perl-modules-5.32@5.32.1-4+deb11u2
  From: git@1:2.30.2-1 > perl@5.32.1-4+deb11u2 > perl/libperl5.32@5.32.1-4+deb11u2
  and 2 more...

✗ Low severity vulnerability found in perl/perl-modules-5.32
  Description: Link Following
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-PERL-532614
  Introduced through: git@1:2.30.2-1, meta-common-packages@meta
  From: git@1:2.30.2-1 > perl@5.32.1-4+deb11u2 > perl/perl-modules-5.32@5.32.1-4+deb11u2
  From: git@1:2.30.2-1 > perl@5.32.1-4+deb11u2 > perl/libperl5.32@5.32.1-4+deb11u2 > perl/perl-modules-5.32@5.32.1-4+deb11u2
  From: git@1:2.30.2-1 > perl@5.32.1-4+deb11u2 > perl/libperl5.32@5.32.1-4+deb11u2
  and 2 more...

✗ Low severity vulnerability found in pcre3/libpcre3
  Description: Out-of-Bounds
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-PCRE3-523392
  Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
  From: pcre3/libpcre3@2:8.39-13
  From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13

✗ Low severity vulnerability found in pcre3/libpcre3
  Description: Out-of-Bounds
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-PCRE3-525075
  Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
  From: pcre3/libpcre3@2:8.39-13
  From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13

✗ Low severity vulnerability found in pcre3/libpcre3
  Description: Uncontrolled Recursion
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-PCRE3-529298
  Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
  From: pcre3/libpcre3@2:8.39-13
  From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13

✗ Low severity vulnerability found in pcre3/libpcre3
  Description: Out-of-Bounds
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-PCRE3-529490
  Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
  From: pcre3/libpcre3@2:8.39-13
  From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13

✗ Low severity vulnerability found in pcre3/libpcre3
  Description: Out-of-bounds Read
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-PCRE3-572353
  Introduced through: pcre3/libpcre3@2:8.39-13, grep@3.6-1
  From: pcre3/libpcre3@2:8.39-13
  From: grep@3.6-1 > pcre3/libpcre3@2:8.39-13

✗ Low severity vulnerability found in openssl/libssl1.1
  Description: Inadequate Encryption Strength
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-2941242
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1, ca-certificates@20210119, curl@7.74.0-1.3+deb11u3, openssl@1.1.1n-0+deb11u3
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssl/libssl1.1@1.1.1n-0+deb11u3
  From: ca-certificates@20210119 > openssl@1.1.1n-0+deb11u3 > openssl/libssl1.1@1.1.1n-0+deb11u3
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > openssl/libssl1.1@1.1.1n-0+deb11u3
  and 6 more...

✗ Low severity vulnerability found in openssl/libssl1.1
  Description: Use of a Broken or Risky Cryptographic Algorithm
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-518334
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1, ca-certificates@20210119, curl@7.74.0-1.3+deb11u3, openssl@1.1.1n-0+deb11u3
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssl/libssl1.1@1.1.1n-0+deb11u3
  From: ca-certificates@20210119 > openssl@1.1.1n-0+deb11u3 > openssl/libssl1.1@1.1.1n-0+deb11u3
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > openssl/libssl1.1@1.1.1n-0+deb11u3
  and 6 more...

✗ Low severity vulnerability found in openssl/libssl1.1
  Description: Cryptographic Issues
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-525332
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1, ca-certificates@20210119, curl@7.74.0-1.3+deb11u3, openssl@1.1.1n-0+deb11u3
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssl/libssl1.1@1.1.1n-0+deb11u3
  From: ca-certificates@20210119 > openssl@1.1.1n-0+deb11u3 > openssl/libssl1.1@1.1.1n-0+deb11u3
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > openssl/libssl1.1@1.1.1n-0+deb11u3
  and 6 more...

✗ Low severity vulnerability found in openssh/openssh-client
  Description: CVE-2016-20012
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-1585650
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1
  and 1 more...

✗ Low severity vulnerability found in openssh/openssh-client
  Description: CVE-2021-41617
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-1660415
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1
  and 1 more...

✗ Low severity vulnerability found in openssh/openssh-client
  Description: Improper Authentication
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-2422621
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1
  and 1 more...

✗ Low severity vulnerability found in openssh/openssh-client
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-517822
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1
  and 1 more...

✗ Low severity vulnerability found in openssh/openssh-client
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-520976
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1
  and 1 more...

✗ Low severity vulnerability found in openssh/openssh-client
  Description: Improper Authentication
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-529002
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1
  and 1 more...

✗ Low severity vulnerability found in openssh/openssh-client
  Description: Access Restriction Bypass
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-529482
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1
  and 1 more...

✗ Low severity vulnerability found in openssh/openssh-client
  Description: Inappropriate Encoding for Output Context
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-530703
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1
  and 1 more...

✗ Low severity vulnerability found in openssh/openssh-client
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-574760
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1
  and 1 more...

✗ Low severity vulnerability found in openssh/openssh-client
  Description: OS Command Injection
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSH-590139
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1 > openssh/openssh-client@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > openssh/openssh-sftp-server@1:8.4p1-5+deb11u1
  and 1 more...

✗ Low severity vulnerability found in openldap/libldap-2.4-2
  Description: Improper Initialization
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENLDAP-521320
  Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1, gnupg2/gnupg@2.2.27-2+deb11u2
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1
  From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1

✗ Low severity vulnerability found in openldap/libldap-2.4-2
  Description: Out-of-Bounds
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENLDAP-531344
  Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1, gnupg2/gnupg@2.2.27-2+deb11u2
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1
  From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1

✗ Low severity vulnerability found in openldap/libldap-2.4-2
  Description: Cryptographic Issues
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENLDAP-531747
  Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1, gnupg2/gnupg@2.2.27-2+deb11u2
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1
  From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1

✗ Low severity vulnerability found in openldap/libldap-2.4-2
  Description: Improper Certificate Validation
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENLDAP-584937
  Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1, gnupg2/gnupg@2.2.27-2+deb11u2
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1
  From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1

✗ Low severity vulnerability found in ncurses/libtinfo6
  Description: Out-of-bounds Write
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-NCURSES-1655741
  Introduced through: bash@5.1-2+deb11u1, ncurses/ncurses-bin@6.2+20201114-2, openssh/openssh-server@1:8.4p1-5+deb11u1, util-linux/mount@2.36.1-8+deb11u1, gnupg2/gnupg@2.2.27-2+deb11u2, ncurses/ncurses-base@6.2+20201114-2
  From: bash@5.1-2+deb11u1 > ncurses/libtinfo6@6.2+20201114-2
  From: ncurses/ncurses-bin@6.2+20201114-2 > ncurses/libtinfo6@6.2+20201114-2
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > procps@2:3.3.17-5 > ncurses/libtinfo6@6.2+20201114-2
  and 11 more...

✗ Low severity vulnerability found in ncurses/libtinfo6
  Description: Out-of-bounds Read
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-NCURSES-2767191
  Introduced through: bash@5.1-2+deb11u1, ncurses/ncurses-bin@6.2+20201114-2, openssh/openssh-server@1:8.4p1-5+deb11u1, util-linux/mount@2.36.1-8+deb11u1, gnupg2/gnupg@2.2.27-2+deb11u2, ncurses/ncurses-base@6.2+20201114-2
  From: bash@5.1-2+deb11u1 > ncurses/libtinfo6@6.2+20201114-2
  From: ncurses/ncurses-bin@6.2+20201114-2 > ncurses/libtinfo6@6.2+20201114-2
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > procps@2:3.3.17-5 > ncurses/libtinfo6@6.2+20201114-2
  and 11 more...

✗ Low severity vulnerability found in libsepol/libsepol1
  Description: Use After Free
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-LIBSEPOL-1315627
  Introduced through: gnupg2/gnupg@2.2.27-2+deb11u2
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > adduser@3.118 > shadow/passwd@1:4.8.1-1 > libsemanage/libsemanage1@3.1-1+b2 > libsepol/libsepol1@3.1-1

✗ Low severity vulnerability found in libsepol/libsepol1
  Description: Out-of-bounds Read
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-LIBSEPOL-1315629
  Introduced through: gnupg2/gnupg@2.2.27-2+deb11u2
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > adduser@3.118 > shadow/passwd@1:4.8.1-1 > libsemanage/libsemanage1@3.1-1+b2 > libsepol/libsepol1@3.1-1

✗ Low severity vulnerability found in libsepol/libsepol1
  Description: Use After Free
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-LIBSEPOL-1315635
  Introduced through: gnupg2/gnupg@2.2.27-2+deb11u2
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > adduser@3.118 > shadow/passwd@1:4.8.1-1 > libsemanage/libsemanage1@3.1-1+b2 > libsepol/libsepol1@3.1-1

✗ Low severity vulnerability found in libsepol/libsepol1
  Description: Use After Free
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-LIBSEPOL-1315641
  Introduced through: gnupg2/gnupg@2.2.27-2+deb11u2
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > adduser@3.118 > shadow/passwd@1:4.8.1-1 > libsemanage/libsemanage1@3.1-1+b2 > libsepol/libsepol1@3.1-1

✗ Low severity vulnerability found in libgcrypt20
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-LIBGCRYPT20-1297892
  Introduced through: apt@2.2.4, gnupg2/gnupg@2.2.27-2+deb11u2, curl@7.74.0-1.3+deb11u3, openssh/openssh-server@1:8.4p1-5+deb11u1
  From: apt@2.2.4 > apt/libapt-pkg6.0@2.2.4 > libgcrypt20@1.8.7-6
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/gpgv@2.2.27-2+deb11u2 > libgcrypt20@1.8.7-6
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > libgcrypt20@1.8.7-6
  and 9 more...

✗ Low severity vulnerability found in libgcrypt20
  Description: Use of a Broken or Risky Cryptographic Algorithm
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-LIBGCRYPT20-523947
  Introduced through: apt@2.2.4, gnupg2/gnupg@2.2.27-2+deb11u2, curl@7.74.0-1.3+deb11u3, openssh/openssh-server@1:8.4p1-5+deb11u1
  From: apt@2.2.4 > apt/libapt-pkg6.0@2.2.4 > libgcrypt20@1.8.7-6
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/gpgv@2.2.27-2+deb11u2 > libgcrypt20@1.8.7-6
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > libgcrypt20@1.8.7-6
  and 9 more...

✗ Low severity vulnerability found in krb5/libkrb5-3
  Description: CVE-2004-0971
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-KRB5-519904
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1, curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1, gnupg2/gnupg@2.2.27-2+deb11u2, meta-common-packages@meta
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > krb5/libkrb5-3@1.18.3-6+deb11u3
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > krb5/libgssapi-krb5-2@1.18.3-6+deb11u3 > krb5/libkrb5-3@1.18.3-6+deb11u3
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > krb5/libgssapi-krb5-2@1.18.3-6+deb11u3
  and 6 more...

✗ Low severity vulnerability found in krb5/libkrb5-3
  Description: Integer Overflow or Wraparound
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-KRB5-524883
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1, curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1, gnupg2/gnupg@2.2.27-2+deb11u2, meta-common-packages@meta
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > krb5/libkrb5-3@1.18.3-6+deb11u3
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > krb5/libgssapi-krb5-2@1.18.3-6+deb11u3 > krb5/libkrb5-3@1.18.3-6+deb11u3
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > krb5/libgssapi-krb5-2@1.18.3-6+deb11u3
  and 6 more...

✗ Low severity vulnerability found in gnutls28/libgnutls30
  Description: Inadequate Encryption Strength
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GNUTLS28-515971
  Introduced through: apt@2.2.4, git@1:2.30.2-1, gnupg2/gnupg@2.2.27-2+deb11u2, curl@7.74.0-1.3+deb11u3
  From: apt@2.2.4 > gnutls28/libgnutls30@3.7.1-5+deb11u2
  From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3 > gnutls28/libgnutls30@3.7.1-5+deb11u2
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > gnutls28/libgnutls30@3.7.1-5+deb11u2
  and 2 more...

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Out-of-Bounds
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GLIBC-521063
  Introduced through: glibc/libc-bin@2.31-13+deb11u5, meta-common-packages@meta
  From: glibc/libc-bin@2.31-13+deb11u5
  From: meta-common-packages@meta > glibc/libc6@2.31-13+deb11u5

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Uncontrolled Recursion
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GLIBC-521199
  Introduced through: glibc/libc-bin@2.31-13+deb11u5, meta-common-packages@meta
  From: glibc/libc-bin@2.31-13+deb11u5
  From: meta-common-packages@meta > glibc/libc6@2.31-13+deb11u5

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Use of Insufficiently Random Values
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GLIBC-522385
  Introduced through: glibc/libc-bin@2.31-13+deb11u5, meta-common-packages@meta
  From: glibc/libc-bin@2.31-13+deb11u5
  From: meta-common-packages@meta > glibc/libc6@2.31-13+deb11u5

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GLIBC-529848
  Introduced through: glibc/libc-bin@2.31-13+deb11u5, meta-common-packages@meta
  From: glibc/libc-bin@2.31-13+deb11u5
  From: meta-common-packages@meta > glibc/libc6@2.31-13+deb11u5

✗ Low severity vulnerability found in glibc/libc-bin
  Description: CVE-2019-1010023
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GLIBC-531451
  Introduced through: glibc/libc-bin@2.31-13+deb11u5, meta-common-packages@meta
  From: glibc/libc-bin@2.31-13+deb11u5
  From: meta-common-packages@meta > glibc/libc6@2.31-13+deb11u5

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Uncontrolled Recursion
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GLIBC-531492
  Introduced through: glibc/libc-bin@2.31-13+deb11u5, meta-common-packages@meta
  From: glibc/libc-bin@2.31-13+deb11u5
  From: meta-common-packages@meta > glibc/libc6@2.31-13+deb11u5

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Resource Management Errors
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GLIBC-532215
  Introduced through: glibc/libc-bin@2.31-13+deb11u5, meta-common-packages@meta
  From: glibc/libc-bin@2.31-13+deb11u5
  From: meta-common-packages@meta > glibc/libc6@2.31-13+deb11u5

✗ Low severity vulnerability found in git/git-man
  Description: Exposure of Resource to Wrong Sphere
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GIT-2399903
  Introduced through: git@1:2.30.2-1
  From: git@1:2.30.2-1 > git/git-man@1:2.30.2-1
  From: git@1:2.30.2-1

✗ Low severity vulnerability found in git/git-man
  Description: Uncontrolled Search Path Element
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GIT-2635965
  Introduced through: git@1:2.30.2-1
  From: git@1:2.30.2-1 > git/git-man@1:2.30.2-1
  From: git@1:2.30.2-1

✗ Low severity vulnerability found in git/git-man
  Description: Uncontrolled Search Path Element
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GIT-2949145
  Introduced through: git@1:2.30.2-1
  From: git@1:2.30.2-1 > git/git-man@1:2.30.2-1
  From: git@1:2.30.2-1

✗ Low severity vulnerability found in git/git-man
  Description: Link Following
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GIT-3051720
  Introduced through: git@1:2.30.2-1
  From: git@1:2.30.2-1 > git/git-man@1:2.30.2-1
  From: git@1:2.30.2-1

✗ Low severity vulnerability found in git/git-man
  Description: Out-of-bounds Write
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GIT-3051727
  Introduced through: git@1:2.30.2-1
  From: git@1:2.30.2-1 > git/git-man@1:2.30.2-1
  From: git@1:2.30.2-1

✗ Low severity vulnerability found in git/git-man
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-GIT-514769
  Introduced through: git@1:2.30.2-1
  From: git@1:2.30.2-1 > git/git-man@1:2.30.2-1
  From: git@1:2.30.2-1

✗ Low severity vulnerability found in expat/libexpat1
  Description: XML External Entity (XXE) Injection
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-EXPAT-524217
  Introduced through: git@1:2.30.2-1
  From: git@1:2.30.2-1 > expat/libexpat1@2.2.10-2+deb11u5

✗ Low severity vulnerability found in e2fsprogs/libext2fs2
  Description: Out-of-bounds Read
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-E2FSPROGS-2628459
  Introduced through: e2fsprogs/libext2fs2@1.46.2-2, e2fsprogs@1.46.2-2, e2fsprogs/libss2@1.46.2-2, e2fsprogs/logsave@1.46.2-2, meta-common-packages@meta
  From: e2fsprogs/libext2fs2@1.46.2-2
  From: e2fsprogs@1.46.2-2 > e2fsprogs/libext2fs2@1.46.2-2
  From: e2fsprogs/libss2@1.46.2-2
  and 5 more...

✗ Low severity vulnerability found in db5.3/libdb5.3
  Description: Out-of-bounds Read
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-DB53-2825168
  Introduced through: git@1:2.30.2-1, curl@7.74.0-1.3+deb11u3, gnupg2/gnupg@2.2.27-2+deb11u2
  From: git@1:2.30.2-1 > perl@5.32.1-4+deb11u2 > perl/libperl5.32@5.32.1-4+deb11u2 > db5.3/libdb5.3@5.3.28+dfsg1-0.8
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3 > openldap/libldap-2.4-2@2.4.57+dfsg-3+deb11u1 > cyrus-sasl2/libsasl2-2@2.1.27+dfsg-2.1+deb11u1 > cyrus-sasl2/libsasl2-modules-db@2.1.27+dfsg-2.1+deb11u1 > db5.3/libdb5.3@5.3.28+dfsg1-0.8
  From: gnupg2/gnupg@2.2.27-2+deb11u2 > gnupg2/dirmngr@2.2.27-2+deb11u2 > adduser@3.118 > shadow/passwd@1:4.8.1-1 > pam/libpam-modules@1.4.0-9+deb11u1 > db5.3/libdb5.3@5.3.28+dfsg1-0.8

✗ Low severity vulnerability found in curl/libcurl4
  Description: Insufficiently Protected Credentials
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-CURL-1322659
  Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3
  From: curl@7.74.0-1.3+deb11u3
  From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3

✗ Low severity vulnerability found in curl/libcurl4
  Description: Improper Handling of Exceptional Conditions
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-CURL-1322667
  Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3
  From: curl@7.74.0-1.3+deb11u3
  From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3

✗ Low severity vulnerability found in curl/libcurl4
  Description: CVE-2022-43551
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-CURL-3179181
  Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3
  From: curl@7.74.0-1.3+deb11u3
  From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3

✗ Low severity vulnerability found in curl/libcurl4
  Description: CVE-2022-43552
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-CURL-3179186
  Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3
  From: curl@7.74.0-1.3+deb11u3
  From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3

✗ Low severity vulnerability found in coreutils
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-COREUTILS-514776
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > ucf@3.0043 > coreutils@8.32-4

✗ Low severity vulnerability found in coreutils
  Description: Race Condition
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-COREUTILS-527269
  Introduced through: openssh/openssh-server@1:8.4p1-5+deb11u1
  From: openssh/openssh-server@1:8.4p1-5+deb11u1 > ucf@3.0043 > coreutils@8.32-4

✗ Low severity vulnerability found in bash
  Description: CVE-2022-3715
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-BASH-3112361
  Introduced through: bash@5.1-2+deb11u1
  From: bash@5.1-2+deb11u1

✗ Low severity vulnerability found in apt/libapt-pkg6.0
  Description: Improper Verification of Cryptographic Signature
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-APT-522585
  Introduced through: apt/libapt-pkg6.0@2.2.4, apt@2.2.4
  From: apt/libapt-pkg6.0@2.2.4
  From: apt@2.2.4 > apt/libapt-pkg6.0@2.2.4
  From: apt@2.2.4

✗ High severity vulnerability found in curl/libcurl4
  Description: Cleartext Transmission of Sensitive Information
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-CURL-3066040
  Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3
  From: curl@7.74.0-1.3+deb11u3
  From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3

✗ Critical severity vulnerability found in curl/libcurl4
  Description: Exposure of Resource to Wrong Sphere
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-CURL-3065656
  Introduced through: curl@7.74.0-1.3+deb11u3, git@1:2.30.2-1
  From: curl@7.74.0-1.3+deb11u3 > curl/libcurl4@7.74.0-1.3+deb11u3
  From: curl@7.74.0-1.3+deb11u3
  From: git@1:2.30.2-1 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u3



Organization:      robmonct
Package manager:   deb
Project name:      docker-image|ghcr.io/runatlantis/atlantis
Docker image:      ghcr.io/runatlantis/atlantis:dev-debian
Platform:          linux/arm64
Licenses:          enabled

Tested 155 dependencies for known issues, found 74 issues.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev-debian...

Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/atlantis
Project name:      github.com/runatlantis/atlantis
Docker image:      ghcr.io/runatlantis/atlantis:dev-debian
Licenses:          enabled

✔ Tested 206 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev-debian...

Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/cft/versions/0.37.0/conftest
Project name:      go-distribution@command-line-arguments
Docker image:      ghcr.io/runatlantis/atlantis:dev-debian
Licenses:          enabled

✔ Tested 530 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev-debian...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.6
  From: golang.org/x/text/language@v0.3.6
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/text/internal/language
  Description: Out-of-bounds Read
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTINTERNALLANGUAGE-2400718
  Introduced through: golang.org/x/text/internal/language@v0.3.6
  From: golang.org/x/text/internal/language@v0.3.6
  Fixed in: 0.3.7

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  From: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  Fixed in: 0.4.0

✗ Medium severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-2429769
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  From: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  Fixed in: 0.0.0-20220314234659-1baeb1ce4c0b

✗ Medium severity vulnerability found in github.com/hashicorp/go-getter/helper/url
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTERHELPERURL-2804031
  Introduced through: github.com/hashicorp/go-getter/helper/url@v1.5.2
  From: github.com/hashicorp/go-getter/helper/url@v1.5.2
  Fixed in: 1.5.11

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-2313688
  Introduced through: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  From: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  Fixed in: 0.0.0-20211209124913-491a49abca63

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  From: golang.org/x/net/http2@v0.0.0-20210614182718-04defd469f4e
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1

✗ High severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-3026972
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  From: golang.org/x/crypto/ssh@v0.0.0-20210322153248-0c34fe9e7dc2
  Fixed in: 0.0.0-20211202192323-5770296d904e

✗ High severity vulnerability found in github.com/satori/go.uuid
  Description: Insecure Randomness
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488
  Introduced through: github.com/satori/go.uuid@v1.2.0
  From: github.com/satori/go.uuid@v1.2.0

✗ High severity vulnerability found in github.com/hashicorp/go-slug
  Description: Arbitrary File Write via Archive Extraction (Zip Slip)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOSLUG-1048304
  Introduced through: github.com/hashicorp/go-slug@v0.4.1
  From: github.com/hashicorp/go-slug@v0.4.1
  Fixed in: 0.5.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Command Injection
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2421223
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847924
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847925
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847926
  Introduced through: github.com/hashicorp/go-getter@v1.5.2
  From: github.com/hashicorp/go-getter@v1.5.2
  Fixed in: 1.6.1, 2.1.0



Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/tf/versions/1.0.11/terraform
Project name:      github.com/hashicorp/terraform
Docker image:      ghcr.io/runatlantis/atlantis:dev-debian
Licenses:          enabled

Tested 576 dependencies for known issues, found 14 issues.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev-debian...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  From: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  Fixed in: 0.4.0

✗ Medium severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-2429769
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  From: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  Fixed in: 0.0.0-20220314234659-1baeb1ce4c0b

✗ Medium severity vulnerability found in github.com/hashicorp/go-getter/helper/url
  Description: Information Exposure
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTERHELPERURL-2804031
  Introduced through: github.com/hashicorp/go-getter/helper/url@v1.5.9
  From: github.com/hashicorp/go-getter/helper/url@v1.5.9
  Fixed in: 1.5.11

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: NULL Pointer Dereference
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.1

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  From: golang.org/x/net/http2@v0.0.0-20211216030914-fe4d6282115f
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1

✗ High severity vulnerability found in golang.org/x/crypto/ssh
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-3026972
  Introduced through: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  From: golang.org/x/crypto/ssh@v0.0.0-20211108221036-ceb1ce70b4fa
  Fixed in: 0.0.0-20211202192323-5770296d904e

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Command Injection
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2421223
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847924
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847925
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0

✗ High severity vulnerability found in github.com/hashicorp/go-getter
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-2847926
  Introduced through: github.com/hashicorp/go-getter@v1.5.9
  From: github.com/hashicorp/go-getter@v1.5.9
  Fixed in: 1.6.1, 2.1.0



Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/tf/versions/1.1.9/terraform
Project name:      github.com/hashicorp/terraform
Docker image:      ghcr.io/runatlantis/atlantis:dev-debian
Licenses:          enabled

Tested 623 dependencies for known issues, found 12 issues.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev-debian...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  From: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  Fixed in: 0.4.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: NULL Pointer Dereference
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714
  Introduced through: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  From: gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
  Fixed in: 3.0.1

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  From: golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1



Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/tf/versions/1.2.9/terraform
Project name:      github.com/hashicorp/terraform
Docker image:      ghcr.io/runatlantis/atlantis:dev-debian
Licenses:          enabled

Tested 628 dependencies for known issues, found 5 issues.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev-debian...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20220927171203-f486391704dc
  From: golang.org/x/net/http2@v0.0.0-20220927171203-f486391704dc
  Fixed in: 0.4.0



Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/local/bin/tf/versions/1.3.6/terraform
Project name:      github.com/hashicorp/terraform
Docker image:      ghcr.io/runatlantis/atlantis:dev-debian
Licenses:          enabled

Tested 590 dependencies for known issues, found 2 issues.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev-debian...

Organization:      robmonct
Package manager:   gomodules
Target file:       /bin/gosu
Project name:      github.com/tianon/gosu
Docker image:      ghcr.io/runatlantis/atlantis:dev-debian
Licenses:          enabled

✔ Tested 3 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing ghcr.io/runatlantis/atlantis:dev-debian...

✗ Medium severity vulnerability found in golang.org/x/text/language
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869
  Introduced through: golang.org/x/text/language@v0.3.7
  From: golang.org/x/text/language@v0.3.7
  Fixed in: 0.3.8

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2
  From: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2
  Fixed in: 0.4.0

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-2313688
  Introduced through: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2
  From: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2
  Fixed in: 0.0.0-20211209124913-491a49abca63

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257
  Introduced through: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2
  From: golang.org/x/net/http2@v0.0.0-20211112202133-69e39bad7dc2
  Fixed in: 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1



Organization:      robmonct
Package manager:   gomodules
Target file:       /usr/bin/git-lfs
Project name:      go-distribution@command-line-arguments
Docker image:      ghcr.io/runatlantis/atlantis:dev-debian
Licenses:          enabled

Tested 62 dependencies for known issues, found 4 issues.


Tested 9 projects, 6 contained vulnerable paths.

@nitrocode
Member

A lot of these are out of scope, unfortunately. Please see my previous post and my edit of your last scan. Also, please edit your post so it's a bit more digestible (see previous edit).

The Debian vulnerabilities are mostly from the binaries available from their stable repo, unfortunately. If we downloaded from their unstable repo, we could avoid these vulnerabilities for Debian, but then we'd be trading stability for security.

The older terraform binaries are also out of scope.

@robmonct
Author

Ok, thanks a lot for your work. Let's see if HashiCorp could fix those vulnerabilities, but some of those versions seem to be a bit old. Would you consider offering a version of Atlantis with only Terraform 1.3.x, and maybe another version with older TF versions, to let people choose between compatibility and security? Something like this: #2901

@nitrocode
Member

nitrocode commented Dec 30, 2022

I do not think they will fix the vulnerabilities in older versions of terraform.

May I ask, what is your current threat model? Why is it important to eliminate the older terraform version specific vulnerabilities from this container?

And I'd also like to remind you that we encourage users to customize their own image, so removing the tf binaries, or any other customization, is welcomed and encouraged downstream. We want to make maintenance and stability as easy as possible from our side.

@robmonct
Author

robmonct commented Jan 2, 2023

The main problem is that GitHub doesn't provide the option to configure webhook headers, so it is not possible to use GCP IAP to protect the endpoint.

@nitrocode
Member

@robmonct wouldn't the GitHub webhook with a secret token be sufficient?

@robmonct
Author

No. For GCP IAP, a secret token isn't enough.

@nitrocode
Member

@robmonct please see this open issue regarding GCP IAP. We can reopen that issue if it is needed or requires more documentation on the website.

#827
