8000 Bump Go version from 1.19.3 to 1.20.4+ · Issue #242 · hashicorp/terraform-provider-null · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Bump Go version from 1.19.3 to 1.20.4+ #242

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
1 task done
azuterios opened this issue Jul 17, 2023 · 4 comments
Closed
1 task done

Bump Go version from 1.19.3 to 1.20.4+ #242

azuterios opened this issue Jul 17, 2023 · 4 comments
Assignees
@austinvalle
Labels
bug

Comments

@azuterios
Copy link

Terraform CLI and Provider Versions

###Terraform Version
Terraform version 1.5.0
Null provider 3.2.1

Terraform Configuration

Dear HashiCorp Team,
Some vulnerabilities are visible after the latest scan. Please update the GoLang version to 1.20.4+ And then please release a brand new version of the null provider, as the latest version is from November 2022 and some critical fixes have already been introduced in the code but never released.

Expected Behavior

No vulnerabilities present.

Actual Behavior

CVE-2021-44716 : golang.org/x/net/http2 of terraform-provider-null_v3.2.1_x5, should be updated to version 0.0.0-20211209124913-491a49abca63.
CVE-2022-41717 : go version needs to be updated from 1.19.3 to 1.19.4
CVE-2022-27664 : golang.org/x/net/http/httpguts needs to be updated to 0.0.0-20220906165146-f3363e06e74c
CVE-2022-32149 : golang.org/x/text and golang.org/x/text/language needs to be updated to 0.3.8
CVE-2022-41724| : go version needs to be updated from 1.19.3 to 1.19.4
CVE-2022-41715 : go version needs to be updated from 1.18.5 to 1.19.2, 1.18.7
CVE-2022-2880 : go version needs to be updated from 1.18.5 to 1.19.2, 1.18.7
CVE-2022-32190 : go version needs to be updated from 1.18.5 to 1.19.2, 1.18.7
CVE-2022-2879 : go version needs to be updated from 1.18.5 to 1.19.2, 1.18.7
CVE-2022-41716 : go version needs to be updated from 1.18.5 to 1.19.2, 1.18.7
CVE-2023-24538 : go version needs to be updated from 1.18.5 to 1.20.3, 1.19.8
CVE-2023-24534 : go version needs to be updated from 1.18.5 to 1.20.3, 1.19.8

These vulnerabilities are coming for the outdated Golang version.

Steps to Reproduce

Scan with Twistlock scanner.

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@azuterios azuterios added the bug label Jul 17, 2023
@KevinCiz
Copy link
KevinCiz commented Oct 31, 2023
edited
Loading

Additional CVE

CVE-2022-27664: go version need to be updated to > 1.19.1
CVE-2022-41723: upgrade net package >= v0.8.0 to fix or Upgrading Go lang to >1.19.6 would address those issues
CVE-2022-41725: go version needs to be updated from 1.18.5 to 1.19.6, 1.20.1
CVE-2023-24536: go version needs to be updated from 1.18.5 to 1.20.3, 1.19.8

@Bjyothi2023
Copy link

Hi Team, Please help with releasing newer version with the current code base , Current available version v3.2.1 is very older release version missing with the new changes.
External products which are using this tool are getting affected as their Vulnerability scanners are reporting multiple CVEs and they are not able to move further.
Thanks in advance

@austinvalle austinvalle self-assigned this Nov 15, 2023
@austinvalle
Copy link
Member
austinvalle commented Nov 20, 2023
edited
Loading

Hi all 👋🏻 ,

We're working through releases on all of the utility providers and just released v3.2.2 of the null provider with updated dependencies built with Go 1.20 (no functional changes).

It may take an hour or so to update in the registry cache. Thanks!

Also a note, for those using Terraform 1.4 and later. You can utilize the terraform_data built-in managed resource instead of the null_resource as it is intended to support all its use cases without the need for an external provider plugin

@dhoucgitter dhoucgitter mentioned this issue Jan 9, 2024
Merged
@github-actions GitHub Actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 23, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@austinvalle austinvalle

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@austinvalle @azuterios @KevinCiz @Bjyothi2023
0