Go Vulnerability in /usr/bin/doppler

Hey Doppler team, a vulnerability scan showed a vulnerability in the version of Go used by Doppler (see screenshot). How can this be fixed?

Hi @ashwinsr!

Welcome to the Doppler Community!

This vulnerability doesn’t seem like it would have impacted our CLI. That said, we just released v3.65.2 and it was built with Go 1.19.12, so that should prevent your vulnerability scans from flagging it!

Let me know if you continue having problems.

Regards,
-Joel

Hey @watsonian! Thanks for the update, but this has happened again. These vulnerabilities start our patching SLAs, and most of the time there’s literally nothing we can do since they are inside Doppler, so do you have an SLA yourself on when high or critical vulnerabilities will be fixed? If not, we will have to remove Doppler from all our systems.

We use Trivy to identify vulnerabilities in our binary, and I’ve just put up a PR to run this nightly. Trivy isn’t identifying any vulnerabilities. I can see that the version of Go we used to compile the latest binary has a vulnerability related to serving web traffic, but we don’t make use of the vulnerable symbols.

What scanner are you using to detect this? It seems that it may be giving false positives.
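The distinction thomasp draws above, between the Go toolchain a binary was built with and whether the vulnerable symbols are actually used, is the one a practitioner needs to reproduce when triaging a scanner finding. The program below is an added example, not Doppler's code or part of Trivy or govulncheck: it reads the toolchain version embedded in any Go binary with the standard library's `debug/buildinfo` package (the same data `go version -m` prints) and reports whether that version predates a fixed release. The fixed version `1.21.2` is taken from this thread and passed in as an assumption; the version-line logic (a toolchain is flagged if it is older than the patched release on its own minor line, or older than the oldest patched line) is the example's own. A positive result here is exactly what a version-only scanner sees; confirming reachability of the vulnerable symbols is a separate step, for which `govulncheck -mode=binary <path>` is the Go team's tool.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseGoVersion turns a toolchain string such as "go1.21.1" (the form
// debug/buildinfo reports) into numeric components. Pre-release suffixes
// ("go1.22rc1") are cut at the first non-digit, giving [1 22].
func parseGoVersion(v string) ([]int, error) {
	v = strings.TrimPrefix(v, "go")
	var parts []int
	for _, p := range strings.Split(v, ".") {
		digits := p
		for i, r := range p {
			if r < '0' || r > '9' {
				digits = p[:i]
				break
			}
		}
		if digits == "" {
			break
		}
		n, err := strconv.Atoi(digits)
		if err != nil {
			return nil, err
		}
		parts = append(parts, n)
	}
	if len(parts) == 0 {
		return nil, fmt.Errorf("unrecognised Go version %q", v)
	}
	return parts, nil
}

// compare returns -1, 0 or 1 as a is older than, equal to or newer than b.
// Missing trailing components are treated as zero, so 1.21 == 1.21.0.
func compare(a, b []int) int {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// sameLine reports whether two versions share a major.minor release line.
func sameLine(a, b []int) bool {
	return len(a) >= 2 && len(b) >= 2 && a[0] == b[0] && a[1] == b[1]
}

// toolchainPredatesFix reports whether the toolchain `have` is older than the
// patched release on its own line, or (when no fixed release exists for that
// line) older than the oldest patched line. This is the version-only test a
// scanner applies; it says nothing about whether the vulnerable symbols are
// linked into or reachable from the binary.
func toolchainPredatesFix(have string, fixedIn []string) (bool, error) {
	if len(fixedIn) == 0 {
		return false, fmt.Errorf("no fixed versions given")
	}
	h, err := parseGoVersion(have)
	if err != nil {
		return false, err
	}
	var lowest []int
	for _, f := range fixedIn {
		fv, err := parseGoVersion(f)
		if err != nil {
			return false, err
		}
		if sameLine(h, fv) {
			return compare(h, fv) < 0, nil
		}
		if lowest == nil || compare(fv, lowest) < 0 {
			lowest = fv
		}
	}
	return compare(h, lowest) < 0, nil
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <path-to-go-binary>")
		os.Exit(2)
	}
	info, err := buildinfo.ReadFile(os.Args[1]) // reads the embedded build info, like `go version -m`
	if err != nil {
		fmt.Fprintln(os.Stderr, "not a Go binary or no build info:", err)
		os.Exit(1)
	}
	// Assumption: the fixed release quoted in this thread for CVE-2023-39323.
	fixed := []string{"1.21.2"}
	affected, err := toolchainPredatesFix(info.GoVersion, fixed)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s built with %s; predates fix %v: %t\n", os.Args[1], info.GoVersion, fixed, affected)
	if affected {
		fmt.Println("toolchain is flagged; confirm symbol reachability with: govulncheck -mode=binary", os.Args[1])
	}
}
```

Run it as `go run . /usr/bin/doppler`. When it reports the toolchain as flagged, that result alone is what the Artifact Registry scanner is reacting to; only the follow-up govulncheck run (or Trivy's equivalent analysis) tells you whether the finding is exploitable in this binary, which is the distinction the thread turns on.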

@thomasp We use Google Cloud Build to build our containers, and their Artifact Repository has a vulnerability scanner which is what is flagging this error. Our auditors watch these results for our compliance, and because this is a critical vulnerability it is kicking off our SLA to fix this. Can you / the team help? If this can’t be fixed, we will have to permanently move off Doppler since this is our only unfixed vulnerability.

Vulnerability: CVE-2023-39323
Fixed in 1.21.2, and the current version you use is 1.21.1.

This is a case of your scanner providing negative value. This is a false positive and our CLI is not affected. We are SOC 2 Type 2 compliant and also have to deal with documenting exceptions for our auditors due to overly zealous scanners. We have a feature PR up that will likely ship this week, which will mean shipping a new CLI version built with Go 1.12.3. But we’re generally averse to doing a thing just because a scanner is complaining when the scanner is provably incorrect - that’s called security theater.