Check for image vulns affectation

[victorrodriguez1984]

After Trivy scan we still see this active vuln...it affects component? version 0.0.27

quay.io/redhat-cop/group-sync-operator:v0.0.27

Trivy output

manager (gobinary)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 1)

│ github.com/emicklei/go-restful │ CVE-2022-1996  │ CRITICAL │ fixed  │ v2.9.5+incompatible                │ 2.16.0        │ go-restful: Authorization Bypass Through User-Controlled Key │
│                                │                │          │        │                                    │               │ https://avd.aquasec.com/nvd/cve-2022-1996 

[sabre1041]

@victorrodriguez1984 v0.0.28 does not include this vulnerability

[victorrodriguez1984]

Hello again, please could you review if it affects or it is only image cosmetic?
@sabre1041

trivy  --severity CRITICAL i quay.io/redhat-cop/group-sync-operator:v0.0.28 -q

quay.io/redhat-cop/group-sync-operator:v0.0.28 (redhat 8.9)

Total: 0 (CRITICAL: 0)


manager (gobinary)

Total: 1 (CRITICAL: 1)

┌────────────────────────────────┬───────────────┬──────────┬────────┬─────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │ Status │  Installed Version  │ Fixed Version │                            Title                             │
├────────────────────────────────┼───────────────┼──────────┼────────┼─────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/emicklei/go-restful │ CVE-2022-1996 │ CRITICAL │ fixed  │ v2.9.5+incompatible │ 2.16.0        │ go-restful: Authorization Bypass Through User-Controlled Key │
│                                │               │          │        │                     │               │ https://avd.aquasec.com/nvd/cve-2022-1996                    │
└────────────────────────────────┴───────────────┴──────────┴────────┴─────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

[sabre1041]

We have been working on upgrading the delivery pipeline. When that goes into place, the dependencies will be updated

Appreciate the patience and understanding

[sabre1041]

@victorrodriguez1984 just a heads up that I am now working on updating the dependencies that will mitigate the above. You can track it in #316

[EmmanuelKasper]

thanks @sabre1041 for updating the depencies in #316 , this was causing scanner to freak out, do we plan a minor release of the group-sync-operator with the updated dependencies ?

[sabre1041]

thanks @sabre1041 for updating the depencies in #316 , this was causing scanner to freak out, do we plan a minor release of the group-sync-operator with the updated dependencies ?

new version 0.0.29 should now be available. thanks for your patience!

[EmmanuelKasper]

Thanks I see the go-restful updates have been updated indeed, and we have as of today the 0.0.30 release with the new code.
I think we should close this issue.