Update the fixture-updater

[MarianG]

DefectDojo security reporting program

We recently found that the fixture-updater is a bit out of date and contains vulnerabilities such as CVE-2025-22871 in pkg:golang/stdlib@1.23.3.

Therefore, I think the binary needs to be updated.

BR,
Marian

[valentijnscholten]

The team will look at it, thanks for the reminder.

[mtesauro]

@MarianG

So, we've had a chance to look at this:

• Thanks for the heads up. While not part of the actual DefectDojo application, it is in the repo so keeping it up to date is, of course, something we want to do. That Go binary is used to update the dates in the fixtures every quarter so that data doesn't have really old dates. It's run with a Github action 4 times per year (so infrequently).
• While the binary does use the net/http package, it makes requests to Github only so Github would have to send oddly crafted HTTP to actually trigger the bug in Go's net/http package. This seems very unlikely.
• We're re-building the binary and will be doing a PR shortly.

For future reference, security issues should be reported to HackerOne per these instructions.

This is noted in the README:

While this issue is more code hygiene that an exploitable vulnerability, I didn't want others to see this issue with a "Security" label and believe an Github issue was the proper way to report security issues to this project.

Thanks again for the heads up.

Once the PR is created, we'll make sure and reference this issue so they are linked.

[svader0]

@mtesauro This issue can be closed once PR #12704 is approved and merged. 👍

[mtesauro]

@MarianG The PR has been merged and this will be part of the 2.48.0 release (July's minor version bump)