Is this project affected by go-restful vulnerability PRISMA-2022-0227?

[brasstax]

Hello,

Sealed Secrets currently uses package github.com/emicklei/go-restful/v3 version v3.9.0. In the ticket emicklei/go-restful#521, there is a vulnerability for PRISMA-2022-0227, reported by Twistlock. Do you know if this project if affected by this vulnerability, and is it possible to bump this to v3.10.1+?

Thank you!

[alvneiayu]

hi @brasstax
This is an indirect dependency. The library affected is used by client-go@v0.28.1 and code-generator@v0.28.1. We are using Trivy to analyze our PRs and we are detecting 0 vulnerabilities (it is checking the direct libraries). Dependabot is not reporting also any vulnerability.

If you want to create a PR bumping it but we will analyze it really carefully because again, this library is an indirect library and maybe it will generate any impact.

Thanks a lot
Álvaro

[brasstax]

Got it, thanks. It looks like client-go is unaffected (kubernetes/client-go#1254), and it looks like code-generator@v0.29.0 does bump it, but that's currently in alpha.