Conversation
fix CVE: CVE-2019-17571 CVE-2022-23305 CVE-2022-23307 CVE-2022-4492 CVE-2022-45047 Signed-off-by: Vincent Potucek <vpotucek@me.com>
@@ -0,0 +1,35 @@
CVE-2015-6420 # commons-collections:commons-collections
CVE-2015-7501 # commons-collections:commons-collections
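Review bot: the entries in this new file carry only the affected Maven coordinates as a comment (e.g. `CVE-2015-6420 # commons-collections:commons-collections`), not the reason the finding is being listed or when it should be revisited. If this is a scanner suppression list, each line should state the justification (not reachable, fixed by the version bump in this PR, false positive) and a review date, so the suppression does not silently outlive the fix; if the list is only documentation of what the PR fixes, say so in the file header.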
Having five critical issues is already significant, but matching your scope to medium still represents quite a lot of security leaks for a security tool. Please consider addressing these, as we don’t want vulnerabilities in our security layer — this seems important.
Failing the build in favor of a simple version bump, instead of allowing leaks into production, would be a better and more responsible approach, especially in a security-sensitive context. Losing reputation could put the entire project at risk. If this information were to reach a malicious group, it would provide strong motivation to patch and to treat the topic as a top priority.
Maybe checking on every commit is a little too much. The current trivy config checking the image-ref quay.io/keycloak/${{ matrix.container }}:nightly seems fine.
Nevertheless, I can kind of confirm there are a lot of issues, fixed by a simple patch-level version bump.