chore(deps): update dependency kubescape/kubescape to v3.0.31

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
kubescape/kubescape	patch	3.0.30 -> 3.0.31

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

kubescape/kubescape (kubescape/kubescape)

v3.0.31

Compare Source

What's Changed

• fix score calculation for framework with all controls in status irrelevant by @​amirmalka in https://github.com/kubescape/kubescape/pull/1802
• Bump github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4 by @​dependabot in https://github.com/kubescape/kubescape/pull/1803
• Update README.md by @​amitschendel in https://github.com/kubescape/kubescape/pull/1807
• generate checksums for all artifacts by @​matthyx in https://github.com/kubescape/kubescape/pull/1806

Full Changelog: kubescape/kubescape@v3.0.30...v3.0.31

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/kubescape:3.0.31

📦 Image Reference ghcr.io/uniget-org/tools/kubescape:3.0.31

digest	sha256:2f97415227946b432d1d40f399762a923af848a8b7fd6ee986b6fc753bd5a41b
vulnerabilities
platform	linux/amd64
size	42 MB
packages	481

golang.org/x/crypto 0.32.0 (golang) pkg:golang/golang.org/x/[email protected] Affected range <0.35.0 Fixed version 0.35.0 Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

github.com/theupdateframework/go-tuf 0.7.0 (golang) pkg:golang/github.com/theupdateframework/[email protected] Affected range >=0 Fixed version Not Fixed Description Incorrect delegation lookups can make go-tuf download the wrong artifact in github.com/theupdateframework/go-tuf

golang.org/x/oauth2 0.23.0 (golang) pkg:golang/golang.org/x/[email protected] Affected range <0.27.0 Fixed version 0.27.0 Description An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

github.com/aws/aws-sdk-go 1.55.6-0.20240912145455-7112c0a0c2d0 (golang) pkg:golang/github.com/aws/[email protected] Affected range >=0 Fixed version Not Fixed Description A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files. Affected range >=0 Fixed version Not Fixed Description A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.

gopkg.in/square/go-jose.v2 2.6.0 (golang) pkg:golang/gopkg.in/square/[email protected] Improper Handling of Highly Compressed Data (Data Amplification) Affected range <=2.6.0 Fixed version Not Fixed CVSS Score 4.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Description Impact An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj) for reporting. Patches The problem is fixed in the following packages and versions: github.com/go-jose/go-jose/v4 version 4.0.1 github.com/go-jose/go-jose/v3 version 3.0.3 gopkg.in/go-jose/go-jose.v2 version 2.6.3 The problem will not be fixed in the following package because the package is archived: gopkg.in/square/go-jose.v2

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/13770010735.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/13770010735.