Problem
The project has a high-severity CVE in the github.com/opencontainers/selinux dependency:
- Advisory ID: GHSA-cgrx-mc8f-2prm (GitHub Security Advisory; this is the GHSA identifier, not a CVE number)
- Severity: High
- Current Version: v1.12.0
- Fixed Version: v1.13.0
- EPSS: < 0.1% (2nd percentile)
Additional CVEs Detected
The scan also identified medium-severity CVEs in golang.org/x/crypto:
Root Cause
The selinux v1.12.0 dependency comes from:
- github.com/GoogleContainerTools/kaniko v1.24.0 (unmaintained)
- github.com/buildpacks/lifecycle v0.20.11
The original kaniko repository is unmaintained, and Chainguard has forked the project to continue maintenance at github.com/chainguard-dev/kaniko.
Proposed Solution
- Migrate from github.com/GoogleContainerTools/kaniko to github.com/chainguard-dev/kaniko v1.25.4
- Update github.com/buildpacks/lifecycle to v0.20.19 (which already uses the Chainguard fork)
- Upgrade github.com/opencontainers/selinux to v1.13.0
This should resolve all identified CVEs; confirm by re-running the scanner (or `govulncheck ./...`) after `go mod tidy`, since the fix is only real once the selected version of selinux in the build list is v1.13.0 or later.
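The root-cause and fix steps above amount to two questions about the module graph: which requirement chains pull in selinux below v1.13.0, and which version Go's minimal version selection actually builds. The program below, added here as an illustration and not part of the project or of kaniko/lifecycle, answers both over constructed `go mod graph` output for a hypothetical module `example.com/app`. The edges (including the assumption that chainguard-dev/kaniko v1.25.4 and lifecycle v0.20.19 require selinux v1.13.0) are made up for the example; run `go mod graph` in the real repository to get the actual ones.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed `go mod graph` output for a hypothetical example.com/app.
// These edges are an assumption for this example, not the project's graph.
const graphBefore = `example.com/app github.com/GoogleContainerTools/kaniko@v1.24.0
example.com/app github.com/buildpacks/lifecycle@v0.20.11
github.com/GoogleContainerTools/kaniko@v1.24.0 github.com/opencontainers/selinux@v1.12.0
github.com/buildpacks/lifecycle@v0.20.11 github.com/opencontainers/selinux@v1.12.0
`

// Same graph after only `go get github.com/opencontainers/selinux@v1.13.0`:
// the old edges remain, but a direct requirement on the fixed version is added.
const graphPinned = graphBefore + "example.com/app github.com/opencontainers/selinux@v1.13.0\n"

// Graph after the full proposal (fork migration, lifecycle bump, selinux bump).
const graphAfter = `example.com/app github.com/chainguard-dev/kaniko@v1.25.4
example.com/app github.com/buildpacks/lifecycle@v0.20.19
example.com/app github.com/opencontainers/selinux@v1.13.0
github.com/chainguard-dev/kaniko@v1.25.4 github.com/opencontainers/selinux@v1.13.0
github.com/buildpacks/lifecycle@v0.20.19 github.com/chainguard-dev/kaniko@v1.25.4
`

// splitNode separates "path@version"; the root module carries no version.
func splitNode(node string) (string, string) {
	if i := strings.LastIndex(node, "@"); i >= 0 {
		return node[:i], node[i+1:]
	}
	return node, ""
}

// parseGraph turns `go mod graph` text into an adjacency list.
func parseGraph(text string) map[string][]string {
	g := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 2 {
			g[f[0]] = append(g[f[0]], f[1])
		}
	}
	return g
}

// semverLess reports a < b for plain vX.Y.Z tags (pre-release suffixes and
// pseudo-versions are out of scope for this example).
func semverLess(a, b string) bool {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < 3; i++ {
		x, y := 0, 0
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// vulnerablePaths lists every requirement chain from root that ends at
// module below the fixed version: the "where does v1.12.0 come from" step.
func vulnerablePaths(g map[string][]string, root, module, fixed string) [][]string {
	var out [][]string
	seen := map[string]bool{}
	var walk func(node string, path []string)
	walk = func(node string, path []string) {
		path = append(path, node)
		if p, v := splitNode(node); p == module {
			if v != "" && semverLess(v, fixed) {
				out = append(out, append([]string(nil), path...))
			}
			return
		}
		if seen[node] {
			return
		}
		seen[node] = true
		for _, next := range g[node] {
			walk(next, path)
		}
		delete(seen, node)
	}
	walk(root, nil)
	return out
}

// selectedVersion approximates minimal version selection: the build uses the
// highest version of module required anywhere reachable from root, so one
// direct require at the fixed version lifts every older transitive requirement.
func selectedVersion(g map[string][]string, root, module string) string {
	best, seen := "", map[string]bool{}
	var walk func(node string)
	walk = func(node string) {
		if seen[node] {
			return
		}
		seen[node] = true
		if p, v := splitNode(node); p == module && (best == "" || semverLess(best, v)) {
			best = v
		}
		for _, next := range g[node] {
			walk(next)
		}
	}
	walk(root)
	return best
}

// affected is true when the version actually built is below the fixed one.
func affected(g map[string][]string, root, module, fixed string) bool {
	v := selectedVersion(g, root, module)
	return v != "" && semverLess(v, fixed)
}

func main() {
	root, mod, fixed := "example.com/app", "github.com/opencontainers/selinux", "v1.13.0"
	for _, c := range []struct{ name, text string }{{"before", graphBefore}, {"pinned", graphPinned}, {"after", graphAfter}} {
		g := parseGraph(c.text)
		fmt.Printf("%s: selected=%s affected=%v\n", c.name, selectedVersion(g, root, mod), affected(g, root, mod, fixed))
		for _, p := range vulnerablePaths(g, root, mod, fixed) {
			fmt.Println("  old version still required via", strings.Join(p, " -> "))
		}
	}
}
```

The "pinned" case is the one to watch: after only bumping selinux directly, `go mod graph` still shows kaniko and lifecycle requiring v1.12.0, so a scanner that walks the raw graph keeps flagging it, while the build list (`go list -m all`, and govulncheck) already has v1.13.0. Migrating off the unmaintained kaniko and bumping lifecycle is what removes the stale requirements themselves.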