CVE-2024-45337: Trivy reports Critical vulnerability in current version of mint #769

Open
hobthross opened this issue Apr 2, 2025 · 1 comment

hobthross commented Apr 2, 2025

I ran “trivy image --severity=CRITICAL --no-progress --exit-code 1 $(IMAGE)” on an image where I’d installed docker-slim (SLIM_VERSION=1.40.11). It triggered this failure.

usr/local/bin/mint (gobinary)

Total: 1 (CRITICAL: 1)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2024-45337 │ CRITICAL │ fixed  │ v0.29.0           │ 0.31.0        │ golang.org/x/crypto/ssh: Misuse of                     │
│                     │                │          │        │                   │               │ ServerConfig.PublicKeyCallback may cause authorization │
│                     │                │          │        │                   │               │ bypass in golang.org/x/crypto                          │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45337             │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘
@hobthross
Author

I think it would probably be fixed by updating the version of Go that is being used. Not an urgent problem for me so I can’t spend time learning how to build this app in order to suggest a PR, but I’d be happy to test any new version if that’s useful.
