vuln: Exception for github.com/cloudflare/circl@v1.6.3 #39

New issue

Open

opened 2026-05-25 12:31:51 +00:00 by onlyati · 0 comments

onlyati commented 2026-05-25 12:31:51 +00:00

Owner

Copy link

No new version since 22nd of January, but the vulnerability is fixed on main branch. This is an indirect depdency for go-git. After packages has been update following CVE must be removed from trivy ignore:

detected vulnerability
  ├─ target: .ci_env/packages/go/go/pkg/mod/github.com/cloudflare/circl@v1.6.3/go.mod
  ├─ class: lang-pkgs
  ├─ pkg_name: golang.org/x/crypto
  ├─ installed_version: v0.30.0
  ├─ fixed_version: 0.31.0
  ├─ status: fixed
  └─ vulnerability_id: CVE-2024-45337

No new version since 22nd of January, but the vulnerability is fixed on main branch. This is an indirect depdency for go-git. After packages has been update following CVE must be removed from trivy ignore: ``` detected vulnerability ├─ target: .ci_env/packages/go/go/pkg/mod/github.com/cloudflare/circl@v1.6.3/go.mod ├─ class: lang-pkgs ├─ pkg_name: golang.org/x/crypto ├─ installed_version: v0.30.0 ├─ fixed_version: 0.31.0 ├─ status: fixed └─ vulnerability_id: CVE-2024-45337 ```

onlyati added this to the Issues/Features project 2026-05-27 20:55:18 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

2.1.1

2.1.0

2.0.0

1.3.17

1.3.16

1.3.15

1.3.14

1.3.13

1.3.12

1.3.11

1.3.10

1.3.9

1.3.8

1.3.7

1.3.6

1.3.5

1.3.4

1.3.3

1.3.2

1.3.1

1.3.0

1.2.1

1.2.0

1.1.2

1.1.1

1.1.0

1.0.0

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Issues/Features

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

pandora/woodpecker-config-server.goapp#39

No description provided.