CVE-2022-29526 - golang.org/x/sys

[rchassaigne]

Hello,

When scanning a Docker image from webdevops with any inspector (eg: AWS Inspector). It only has one CVE remaining in the image.
CVE-2022-29526 on file path: usr/local/bin/go-replace.

The recommanded remediation is :
Upgrade your installed software packages to the proposed fixed in version and release.

• Update sys to 0.1.0

Is it possible to upgrade this package to 0.1.0 ? Actually it is v0.0.0-20220928140112-f11e5e49a4ec

Regards.

[nick-delgado]

Hi,

I've experienced the same when scanning a Docker image that was built using webdevops/php-nginx:8.2 in AWS Inspector. The scan shows that the vulnerability CVE-2022-29526 exists on /usr/local/bin/go-replace.

It looks like the go-replace's dependency github.com/jessevdk/go-flags which is using the golang.org/x/sys package hasn't updated their dependencies.

[rchassaigne]

Hi,

It seems to be in go.mod but is marked as indirect. Maybe I should open a issue into go-flags to update the sys package dependencies ?

EDIT: An issues has already been opened in the package and the recommandation seems to uses another fork package : go-flags-fork with golang.org/x/sys v0.10.0 as dependancy.

[Silmerias]

No news, last commit / release a year ago. Dead project?

[pooley182]

I have forked this project and bumped all dependencies to clear all outstanding CVEs.
https://github.com/pooley182/go-replace/releases/tag/22.10.1

[Silmerias]

👍