Closed as not planned
Labels: area/docker, feature (New feature or request), stale (Denotes an issue or PR has remained open with no activity and has become stale.)
Description
Describe the bug
The latest docker image (v1.97.4) is failing vuln scans due to old versions of Terraform (v1.10.5) and other tools that contain fixable vulnerabilities.
How can we reproduce it?
✔ docker run --rm --entrypoint bash -it ghcr.io/antonbabenko/pre-commit-terraform:v1.97.4
301615486d44:/# terraform version
Terraform v1.10.5
on linux_amd64
Your version of Terraform is out of date! The latest version
is 1.11.2. You can update by downloading from https://www.terraform.io/downloads.html
301615486d44:/#
docker run -e REGISTRY_AUTH_FILE=/root/.docker/config.json -v /tmp/retag.OPhdEa:/root/.docker -v /var/run/docker.sock:/var/run/docker.sock -v /root/.wiz:/root/.wiz --rm wizcli:latest docker scan --file-hashes-scan --policy Block-Critical-Vulnerabilities-ECR-Image-Import --policy-hits-only --image ghcr.io/antonbabenko/pre-commit-terraform:v1.97.4
Preparing to scan Docker image ghcr.io/antonbabenko/pre-commit-terraform:v1.97.4
Creating temporary directory for image
Getting scan parameters
SUCCESS: Ready to scan Docker image ghcr.io/antonbabenko/pre-commit-terraform:v1.97.4
Scanning Docker image ghcr.io/antonbabenko/pre-commit-terraform@sha256:78e1f8261fce4d569c07f486407ecfc326d3778f1a2154b51c8927ee6934dda7
Scanning Docker image ghcr.io/antonbabenko/pre-commit-terraform:v1.97.4 with policies Block-Malware-ECR-Image-Import, Block-Critical-Vulnerabilities-ECR-Image-Import
SUCCESS: Scanned Docker image
Uploading scan results for analysis on Wiz
Getting scan results
SUCCESS: Docker image scan analysis ready
OS Package vulnerabilities:
  Name: krb5-libs, Version: 1.20.1-r0
    Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
    CVE-2024-37371, Severity: CRITICAL, Source: https://security.alpinelinux.org/vuln/CVE-2024-37371
    CVSS score: 9.1, CVSS exploitability score: 3.9
    Fixed version: 1.20.2-r1
  Name: libexpat, Version: 2.5.0-r0
    Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
    CVE-2024-45491, Severity: CRITICAL, Source: https://security.alpinelinux.org/vuln/CVE-2024-45491
    CVSS score: 9.8, CVSS exploitability score: 3.9
    Fixed version: 2.6.3-r0
    CVE-2024-45492, Severity: CRITICAL, Source: https://security.alpinelinux.org/vuln/CVE-2024-45492
    CVSS score: 9.8, CVSS exploitability score: 3.9
    Fixed version: 2.6.3-r0

Library vulnerabilities:
  Name: mkdocs-material, Version: 8.2.14, Path: /root/.terrascan/docs/requirements.txt
    Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
    CVE-2023-50447, Severity: CRITICAL, Source: https://data.safetycli.com/v/64496/52d
    CVSS score: 8.1, CVSS exploitability score: 2.2
    Fixed version: 9.5.5
  Name: golang.org/x/crypto, Version: 0.0.0-20220525230936-793ad666bf5e, Path: /root/.terrascan/go.mod
    Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
    CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
    Fixed version: 0.31.0
  Name: github.com/go-git/go-git/v5, Version: 5.11.0, Path: /usr/bin/infracost
    Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
    CVE-2025-21613, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v725-9546-7q7m
    Fixed version: 5.13.0
  Name: golang.org/x/crypto, Version: 0.27.0, Path: /usr/bin/terraform
    Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
    CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
    Fixed version: 0.31.0
  Name: golang.org/x/crypto, Version: 0.27.0, Path: /usr/bin/terraform-docs
    Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
    CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
    Fixed version: 0.31.0
  Name: golang.org/x/crypto, Version: 0.0.0-20220525230936-793ad666bf5e, Path: /usr/bin/terrascan
    Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
    CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
    Fixed version: 0.31.0
  Name: golang.org/x/crypto, Version: 0.1.0, Path: /usr/bin/tfupdate
    Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
    CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
    Fixed version: 0.31.0
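Added example (not part of this issue and not code from the pre-commit-terraform project): a small Python script that parses scan output in the shape pasted above and reports, per CVE, which binaries or OS packages inside the image carry it and whether the installed version is still below the fixed one. The line format is assumed from the report in this issue rather than from wizcli's documentation, the version ordering is a deliberately simple key that covers only the Go module, Go pseudo-version and Alpine `-rN` forms seen here, and the embedded report excerpt is constructed from the output above.

```python
"""Parse a wizcli-style image scan report and summarise, per CVE, where in the
image it occurs and whether the installed version is still below the fix."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Line shapes as they appear in the pasted report (assumed from that output,
# not from wizcli's documentation).
NAME_RE = re.compile(r"Name:\s*(?P<name>\S+),\s*Version:\s*(?P<ver>\S+?)"
                     r"(?:,\s*Path:\s*(?P<path>\S+))?$")
CVE_RE = re.compile(r"(?P<cve>CVE-\d{4}-\d+),\s*Severity:\s*(?P<sev>\w+)")
FIX_RE = re.compile(r"Fixed version:\s*(?P<fix>\S+)")


@dataclass
class Finding:
    name: str          # OS package or Go module name
    version: str       # installed version
    path: str | None   # binary/file the library was found in; None for OS packages
    cve: str
    severity: str
    fixed: str | None  # first fixed version, if the report gives one


def parse_scan(text: str) -> list[Finding]:
    """A 'Name:' line opens a component, each 'CVE-...' line under it is one
    finding, and the following 'Fixed version:' line completes that finding."""
    findings: list[Finding] = []
    component = None   # (name, version, path) of the current block
    pending = None     # finding still waiting for its 'Fixed version' line
    for raw in text.splitlines():
        line = raw.strip().lstrip("|").strip()   # tolerate '| ' quoting of the log
        if m := NAME_RE.search(line):
            component = (m["name"], m["ver"], m["path"])
        elif (m := CVE_RE.search(line)) and component:
            pending = Finding(*component, cve=m["cve"], severity=m["sev"], fixed=None)
            findings.append(pending)
        elif (m := FIX_RE.search(line)) and pending:
            pending.fixed = m["fix"]
            pending = None
    return findings


def version_key(v: str):
    """Ordering key for the version forms in the report: Go module versions
    (optional leading 'v'), Go pseudo-versions such as
    0.0.0-20220525230936-793ad666bf5e, and Alpine package versions such as
    1.20.1-r0. Simplified on purpose; not a full semver or apk comparator."""
    base, _, suffix = v.lstrip("v").partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in base.split("."))
    if suffix[:1] == "r" and suffix[1:].isdigit():
        rel = (1, int(suffix[1:]))   # Alpine package release: sorts after the base
    elif suffix:
        rel = (0, 0)                 # pre-release / pseudo-version: sorts before the base
    else:
        rel = (1, 0)
    return nums, rel


def still_vulnerable(f: Finding) -> bool:
    """True when a fixed version is known and the installed one is older."""
    return f.fixed is not None and version_key(f.version) < version_key(f.fixed)


def summarise(findings: list[Finding]) -> dict[str, dict]:
    """Group findings by CVE: severity, fix version, and every path/package hit."""
    out: dict[str, dict] = defaultdict(lambda: {"severity": "", "fixed": None, "where": set()})
    for f in findings:
        e = out[f.cve]
        e["severity"], e["fixed"] = f.severity, f.fixed
        e["where"].add(f.path or f.name)
    return {cve: {**e, "where": sorted(e["where"])} for cve, e in out.items()}


# Constructed excerpt mirroring a few entries of the report in the issue.
SAMPLE_REPORT = """\
| OS Package vulnerabilities:
| Name: krb5-libs, Version: 1.20.1-r0
| Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
| CVE-2024-37371, Severity: CRITICAL, Source: https://security.alpinelinux.org/vuln/CVE-2024-37371
| CVSS score: 9.1, CVSS exploitability score: 3.9
| Fixed version: 1.20.2-r1
| Name: libexpat, Version: 2.5.0-r0
| Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
| CVE-2024-45491, Severity: CRITICAL, Source: https://security.alpinelinux.org/vuln/CVE-2024-45491
| Fixed version: 2.6.3-r0
| CVE-2024-45492, Severity: CRITICAL, Source: https://security.alpinelinux.org/vuln/CVE-2024-45492
| Fixed version: 2.6.3-r0
|
| Library vulnerabilities:
| Name: golang.org/x/crypto, Version: 0.27.0, Path: /usr/bin/terraform
| Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
| CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
| Fixed version: 0.31.0
| Name: golang.org/x/crypto, Version: 0.0.0-20220525230936-793ad666bf5e, Path: /usr/bin/terrascan
| Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
| CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
| Fixed version: 0.31.0
"""

if __name__ == "__main__":
    found = parse_scan(SAMPLE_REPORT)
    for cve, e in summarise(found).items():
        print(f"{cve} ({e['severity']}, fixed in {e['fixed']}): {', '.join(e['where'])}")
    print("still vulnerable:", sum(still_vulnerable(f) for f in found), "of", len(found))
```

Grouping by CVE rather than by component is what makes the report actionable for an image like this one: a single advisory (CVE-2024-45337 here) shows up once per statically linked Go binary, so the fix is a rebuild of each listed tool against the fixed module, not a single package bump.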