Azcopy failing Nexus IQ scan with security vulnerability over x/text package #1246
Comments
|
Thank you @jayaraj-selvaraj for reporting this issue! I see it's an indirect dependency of ours. We'll get it fixed. |
zezha-msft
added a commit
that referenced
this issue
Nov 12, 2020
zezha-msft
added a commit
that referenced
this issue
Dec 10, 2020
zezha-msft
added a commit
that referenced
this issue
Dec 10, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Which version of the AzCopy was used?
Note: The version is visible when running AzCopy without any argument
Azcopy 10.7.0 latest
Which platform are you using? (ex: Windows, Mac, Linux)
Linux
What command did you run?
Nexus IQ Scan on the go.sum file
Note: Please remove the SAS to avoid exposing your credentials. If you cannot remember the exact command, please retrieve it from the beginning of the log file.
What problem was encountered?
Security vulnerability reported as Azcopy 10.7.0 uses x/text package (below 0.3.3).
As per the go.sum file it used 0.3.0 an 0.3.2
Report mentioned --> x/text package below 0.3.3 has vulnerability in encoding/unicode that could lead to UTF-16 decoder entering an infinite loop, causing program to crash or run out of memory.
How can we reproduce the problem in the simplest way?
Running a Nexus IQ scan
Have you found a mitigation/solution?
As per the recommendation, Go modules to be updated to use x/text package v0.3.3 which addresses this vulnerability.
Ref: golang/go#39491
The text was updated successfully, but these errors were encountered: