Latest lifecycle release v0.20.1 triggered CVE(s) from Grype. For further details, see: https://github.com/buildpacks/lifecycle/actions/runs/10822952717 json: {
"id": "CVE-2024-34158",
"severity": "High",
"description": "Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion."
}
{
"id": "CVE-2024-34156",
"severity": "High",
"description": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635."
}
{
"id": "CVE-2024-34155",
"severity": "Unknown",
"description": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion."
}
I don't think we are vulnerable to CVE-2024-34158 or CVE-2024-34155, as the lifecycle doesn't consume source code. We only call decode on data that we ourselves write, so I'd say that we are not vulnerable to CVE-2024-34156 either. The advisories don't list affected packages but I assume a go version update will be needed to silence this notification.