Closed as not planned
Description
When running a trivy scan on alertmanager v0.26.0 source code, it reported several CVEs on the dependencies.
Is it possible to update those dependencies?
alertmanager-0.26.0$ trivy filesystem --vuln-type library .
2024-01-18T15:38:20.518Z INFO Vulnerability scanning is enabled
2024-01-18T15:38:20.518Z INFO Secret scanning is enabled
2024-01-18T15:38:20.518Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-18T15:38:20.518Z INFO Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection
2024-01-18T15:38:22.615Z INFO Number of language-specific files: 1
2024-01-18T15:38:22.615Z INFO Detecting gomod vulnerabilities...
go.mod (gomod)
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 0)
┌─────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2023-48795 │ MEDIUM │ 0.8.0 │ 0.17.0 │ ssh: Prefix truncation attack on Binary Packet Protocol │
│ │ │ │ │ │ (BPP) │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-48795 │
├─────────────────────┼────────────────┼──────────┼───────────────────┤ ├──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-39325 │ HIGH │ 0.10.0 │ │ golang: net/http, x/net/http2: rapid stream resets can cause │
│ │ │ │ │ │ excessive work (CVE-2023-44487) │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-39325 │
│ ├────────────────┼──────────┤ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-3978 │ MEDIUM │ │ 0.13.0 │ golang.org/x/net/html: Cross site scripting │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-3978 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-44487 │ │ │ 0.17.0 │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable │
│ │ │ │ │ │ to a DDoS attack... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-44487 │
└─────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘