Vulnerabilities: CVE-2020-11022, CVE-2015-9251, CVE-2012-6708

[mkrakow]

Cloud you please fix vulnerabilities reported by security scans?
CVE-2020-11022 (Medium) detected in github.com/IBM/ibm-cos-sdk-go-v1.9.2
CVE-2015-9251 (Medium) detected in github.com/IBM/ibm-cos-sdk-go-v1.9.2
CVE-2012-6708 (Low) detected in github.com/IBM/ibm-cos-sdk-go-v1.9.2

[arnabm28]

Hi @mkrakow

Going through the reported CVE, the impact area in the jQuery package which has the vulnerability.
Go SDK does not consume the package directly. There are few html files that use jQuery which do not have a direct impact. The release of the new jQuery package in the npm package manager also has no impact on the Go SDK.

[arnabm28]

With respect to the vulnerability reported in the issue and the PR suggested, Go sdk does not consume the package reported as part of the CVE. The file ( as pointed in the PR) has a comment section which has a jquery version in it. Hence we can treat this as a FALSE POSITIVE.
Our best course of action would be to remove the comment so that we donot get the CVE reported again.
However this can safely be ignored for now.

[arnabm28]

We have raised an internal ticket for this issue.
Once we have the new changes in place I will update this issue with further details.

Thanks

[pnadolny]

Any update on this?

[arnabm28]

we will merge the fix along with the next release in the early first quarter next year.

[azieseme]

Hi @arnabm28 , with the release of https://github.com/IBM/ibm-cos-sdk-go/releases/tag/v1.9.3 on Dec 8, 2022, we should be good to close this issue, right?

[arnabm28]

@azieseme Yes this new release has the required upgrade. We are good to close this issue.

Thank you for the following up.

[arnabm28]

@mkrakow @azieseme Can this issue be closed now. The new release made has addressed the reported issue.

Thanks

[IBMalok]

It has already been resolved, so I am closing the ticket.