The latest docker image (v1.97.4) is failing vuln scans due to old versions of Terraform (v1.10.5) and other tools that contain fixable vulnerabilities.
```shell
docker run -e REGISTRY_AUTH_FILE=/root/.docker/config.json -v /tmp/retag.OPhdEa:/root/.docker -v /var/run/docker.sock:/var/run/docker.sock -v /root/.wiz:/root/.wiz --rm wizcli:latest docker scan --file-hashes-scan --policy Block-Critical-Vulnerabilities-ECR-Image-Import --policy-hits-only --image ghcr.io/antonbabenko/pre-commit-terraform:v1.97.4
```
```text
Preparing to scan Docker image ghcr.io/antonbabenko/pre-commit-terraform:v1.97.4
Creating temporary directory for image
Getting scan parameters
SUCCESS: Ready to scan Docker image ghcr.io/antonbabenko/pre-commit-terraform:v1.97.4
Scanning Docker image ghcr.io/antonbabenko/pre-commit-terraform@sha256:78e1f8261fce4d569c07f486407ecfc326d3778f1a2154b51c8927ee6934dda7
Scanning Docker image ghcr.io/antonbabenko/pre-commit-terraform:v1.97.4 with policies Block-Malware-ECR-Image-Import, Block-Critical-Vulnerabilities-ECR-Image-Import
SUCCESS: Scanned Docker image
Uploading scan results for analysis on Wiz
Getting scan results
SUCCESS: Docker image scan analysis ready

OS Package vulnerabilities:
Name: krb5-libs, Version: 1.20.1-r0
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-37371, Severity: CRITICAL, Source: https://security.alpinelinux.org/vuln/CVE-2024-37371
CVSS score: 9.1, CVSS exploitability score: 3.9
Fixed version: 1.20.2-r1
Name: libexpat, Version: 2.5.0-r0
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-45491, Severity: CRITICAL, Source: https://security.alpinelinux.org/vuln/CVE-2024-45491
CVSS score: 9.8, CVSS exploitability score: 3.9
Fixed version: 2.6.3-r0
CVE-2024-45492, Severity: CRITICAL, Source: https://security.alpinelinux.org/vuln/CVE-2024-45492
CVSS score: 9.8, CVSS exploitability score: 3.9
Fixed version: 2.6.3-r0

Library vulnerabilities:
Name: mkdocs-material, Version: 8.2.14, Path: /root/.terrascan/docs/requirements.txt
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2023-50447, Severity: CRITICAL, Source: https://data.safetycli.com/v/64496/52d
CVSS score: 8.1, CVSS exploitability score: 2.2
Fixed version: 9.5.5
Name: golang.org/x/crypto, Version: 0.0.0-20220525230936-793ad666bf5e, Path: /root/.terrascan/go.mod
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
Fixed version: 0.31.0
Name: github.com/go-git/go-git/v5, Version: 5.11.0, Path: /usr/bin/infracost
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2025-21613, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v725-9546-7q7m
Fixed version: 5.13.0
Name: golang.org/x/crypto, Version: 0.27.0, Path: /usr/bin/terraform
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
Fixed version: 0.31.0
Name: golang.org/x/crypto, Version: 0.27.0, Path: /usr/bin/terraform-docs
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
Fixed version: 0.31.0
Name: golang.org/x/crypto, Version: 0.0.0-20220525230936-793ad666bf5e, Path: /usr/bin/terrascan
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
Fixed version: 0.31.0
Name: golang.org/x/crypto, Version: 0.1.0, Path: /usr/bin/tfupdate
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
Fixed version: 0.31.0
```
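The report above lists the same library (golang.org/x/crypto) under several binaries and the same fixed version under several CVEs, so triaging it by hand means working out, per binary, which dependency has to move to which version before a rebuild clears the policy. The script below is an added example for this issue, not code from pre-commit-terraform or wizcli: it parses the plain-text report layout shown above (the `Name:` / `Failed policy:` / CVE / `Fixed version:` lines, keyed on line prefixes rather than indentation, which the paste does not preserve) into findings, then groups findings by affected path and keeps the highest fixed version per component. Findings that carry no `Fixed version:` line are separated out, since no rebuild can clear them. The `REPORT` excerpt is copied from the scan output in this issue (trimmed to a few entries); the `version_key` comparison only orders the dotted numeric versions seen in this report and is not a full apk or Go module version comparator.

```python
"""Group a wizcli image-scan report into a per-binary remediation plan.

Added example for this issue; not part of pre-commit-terraform or wizcli.
Assumes the plain-text report layout pasted in the issue.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Copied from the scan output in this issue (trimmed to a few entries).
REPORT = """\
OS Package vulnerabilities:
Name: krb5-libs, Version: 1.20.1-r0
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-37371, Severity: CRITICAL, Source: https://security.alpinelinux.org/vuln/CVE-2024-37371
CVSS score: 9.1, CVSS exploitability score: 3.9
Fixed version: 1.20.2-r1
Name: libexpat, Version: 2.5.0-r0
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-45491, Severity: CRITICAL, Source: https://security.alpinelinux.org/vuln/CVE-2024-45491
CVSS score: 9.8, CVSS exploitability score: 3.9
Fixed version: 2.6.3-r0
CVE-2024-45492, Severity: CRITICAL, Source: https://security.alpinelinux.org/vuln/CVE-2024-45492
CVSS score: 9.8, CVSS exploitability score: 3.9
Fixed version: 2.6.3-r0

Library vulnerabilities:
Name: golang.org/x/crypto, Version: 0.0.0-20220525230936-793ad666bf5e, Path: /root/.terrascan/go.mod
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
Fixed version: 0.31.0
Name: github.com/go-git/go-git/v5, Version: 5.11.0, Path: /usr/bin/infracost
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2025-21613, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v725-9546-7q7m
Fixed version: 5.13.0
Name: golang.org/x/crypto, Version: 0.27.0, Path: /usr/bin/terraform
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
Fixed version: 0.31.0
"""

NAME_RE = re.compile(r"Name: (?P<name>.+?), Version: (?P<version>.+?)(?:, Path: (?P<path>.+))?$")
CVE_RE = re.compile(r"(?P<cve>CVE-\d{4}-\d+), Severity: (?P<severity>\w+)")
CVSS_RE = re.compile(r"CVSS score: (?P<score>[\d.]+)")


@dataclass
class Finding:
    section: str
    name: str
    version: str
    path: Optional[str]
    policy: Optional[str]
    cve: str
    severity: str
    cvss: Optional[float] = None
    fixed_version: Optional[str] = None


def parse_report(text: str) -> list:
    """Walk the report line by line; a 'Name:' line opens a component, a CVE line
    opens a finding, and CVSS / Fixed version lines attach to the open finding."""
    findings = []
    section = name = version = path = policy = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(" vulnerabilities:"):
            section = line[:-1]
            continue
        m = NAME_RE.match(line)
        if m:
            name, version, path = m.group("name", "version", "path")
            policy = None
            continue
        if line.startswith("Failed policy: "):
            policy = line[len("Failed policy: "):]
            continue
        m = CVE_RE.match(line)
        if m:
            current = Finding(section, name, version, path, policy, m["cve"], m["severity"])
            findings.append(current)
            continue
        m = CVSS_RE.match(line)
        if m and current is not None:
            current.cvss = float(m["score"])
        elif line.startswith("Fixed version: ") and current is not None:
            current.fixed_version = line[len("Fixed version: "):]
    return findings


def version_key(version: str) -> tuple:
    """Order versions by their numeric fields; adequate for the apk and Go
    versions in this report, not a general version comparator."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def remediation_plan(findings: list) -> tuple:
    """Return ({path: {component: minimum fixed version}}, [findings with no fix]).
    OS packages have no path and are grouped under 'os-packages'."""
    plan = defaultdict(dict)
    unfixable = []
    for f in findings:
        if f.fixed_version is None:
            unfixable.append(f)
            continue
        location = f.path or "os-packages"
        previous = plan[location].get(f.name)
        if previous is None or version_key(f.fixed_version) > version_key(previous):
            plan[location][f.name] = f.fixed_version
    return dict(plan), unfixable


if __name__ == "__main__":
    plan, unfixable = remediation_plan(parse_report(REPORT))
    for location, upgrades in sorted(plan.items()):
        for component, minimum in sorted(upgrades.items()):
            print(f"{location}: {component} -> at least {minimum}")
    for f in unfixable:
        print(f"no fix available: {f.cve} in {f.name} ({f.path or 'os package'})")
```

Run stand-alone it prints one line per binary-and-dependency pair that needs to move (for example `/usr/bin/terraform: golang.org/x/crypto -> at least 0.31.0`), which is the list to check against the upstream tool releases before bumping versions in the image.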
How can we reproduce it?