
security fix support statement of cobra #1421

Closed
lichunl opened this issue Jun 17, 2021 · 2 comments · Fixed by #1433

Comments

@lichunl

lichunl commented Jun 17, 2021

We used Cobra in our project. We'd like to have your support statement for Cobra regarding security vulnerability fixes. How frequently will you publish security vulnerability fixes, if there are any?

@elfahxh

elfahxh commented Jun 21, 2021

I also used the open-source scan tool, https://github.com/jeremylong/DependencyCheck, to scan the dependencies of my project, and many CVEs were found in indirect dependencies, as attached:

[attached screenshot: Screen Shot 2021-06-21 at 2 26 52 PM]

[attachment: OpenSourceScan_cobra.xlsx]

@elfahxh

elfahxh commented Jun 22, 2021

After replacing the dependency package github.com/spf13/viper with a higher version, most of the CVEs can be resolved. It looks like most of the CVEs are caused by the viper package:

replace github.com/spf13/viper v1.7.0 => github.com/spf13/viper v1.8.0

[attached screenshot: Screen Shot 2021-06-22 at 4 41 17 PM]
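Added illustration (not code from the cobra project or from anyone in this thread): a small Go check that reads a go.mod and reports the version of a module that a build will actually use once replace directives are applied, mirroring the viper bump above; the sample go.mod, module path and function name are constructed for the example. It also covers a case the comment above does not mention: a replace that names a version on its left side, like the one shown, applies only while the requirement is exactly that version, so it silently goes inert if another dependency later bumps viper.

```go
package main
import (
	"fmt"
	"strings"
)
// Constructed go.mod mirroring the comment above: cobra pulls in viper
// v1.7.0 indirectly and a versioned replace directive bumps it to v1.8.0.
const sampleGoMod = `module example.com/app
require (
	github.com/spf13/cobra v1.1.3
	github.com/spf13/viper v1.7.0 // indirect
)
replace github.com/spf13/viper v1.7.0 => github.com/spf13/viper v1.8.0
`
// EffectiveVersion returns the version of modPath a build will actually use
// once replace directives (single-line or block form) are applied. A replace
// whose left side names a version fires only for that exact required version.
func EffectiveVersion(gomod, modPath string) string {
	required, block := "", ""
	var replaces [][]string
	for _, raw := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(raw, "//", 2)[0]) // drop comments
		if block != "" && len(f) > 0 && f[0] != ")" {
			f = append([]string{block}, f...) // line inside a ( ... ) block
		}
		switch {
		case len(f) == 0:
		case f[0] == ")":
			block = ""
		case len(f) == 2 && f[1] == "(":
			block = f[0] // opening a require ( ... ) or replace ( ... ) block
		case f[0] == "require" && len(f) == 3 && f[1] == modPath:
			required = f[2]
		case f[0] == "replace" && len(f) >= 4 && f[1] == modPath:
			replaces = append(replaces, f[1:]) // old [oldVer] => new [newVer]
		}
	}
	for _, r := range replaces {
		if r[1] != "=>" && r[1] != required {
			continue // versioned replace for a different version: inert
		}
		return r[len(r)-1] // new version, or a directory path for a local replace
	}
	return required
}
func main() {
	fmt.Println("viper resolves to", EffectiveVersion(sampleGoMod, "github.com/spf13/viper"))
}
```

Against a real module graph, `go list -m all` is the authoritative answer; this parser is for illustration and ignores exclude and retract directives.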
