Description
We identified two security vulnerabilities in slsa-verifier version 2.7.0 through our internal Snyk scans. These CVEs are linked to dependencies used by the project:
- golang.org/x/crypto/ssh
- github.com/go-jose/go-jose/v4
These issues may expose systems using slsa-verifier to cryptographic weaknesses or other security risks, particularly in environments with automated supply chain verification or signature validation.
Please confirm:
- Whether slsa-verifier v2.7.0 includes the vulnerable versions of these libraries.
- If an upgrade path or mitigation is available.
- Whether a patched release is planned or already available.
Steps to reproduce:
- Download and scan the slsa-verifier v2.7.0 binary using snyk test or an equivalent vulnerability scanner.
- Observe the following CVEs:
  - golang.org/x/crypto/ssh
  - github.com/go-jose/go-jose/v4
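A maintainer triaging a report like this usually wants to confirm the first question directly from the shipped binary rather than from a scanner's database: a Go binary embeds its module list, and `go version -m <binary>` prints it. The script below is an added example (not part of the issue or of the slsa-verifier project) that parses that output and reports which versions of the two named modules are embedded. The sample build info, its module versions and its `h1:` hashes are constructed placeholders, not the real slsa-verifier 2.7.0 build info; note that `golang.org/x/crypto/ssh` is a package inside the `golang.org/x/crypto` module, so that is the module path the build info lists.

```python
"""Report embedded dependency versions from a Go binary's build info.

`go version -m <binary>` prints the modules compiled into a Go binary as
tab-separated 'mod', 'dep' and '=>' (replace) lines. Parsing it answers
"does this release actually embed the flagged library version?" before a
scanner finding is acted on.
"""
import subprocess
from typing import Dict, Optional

# Modules named in the issue, keyed by module path (as the build info lists
# them) with the package name cited in the report as the value.
MODULES_OF_INTEREST = {
    "golang.org/x/crypto": "golang.org/x/crypto/ssh",
    "github.com/go-jose/go-jose/v4": "github.com/go-jose/go-jose/v4",
}


def parse_go_buildinfo(text: str) -> Dict[str, str]:
    """Parse `go version -m` output into {module_path: version}.

    'mod' is the main module, 'dep' a dependency; a '=>' line follows the
    dep it replaces and its version wins, since that is the code linked in.
    """
    versions: Dict[str, str] = {}
    last_dep: Optional[str] = None
    for raw in text.splitlines():
        fields = raw.strip().split("\t")
        if len(fields) < 3:  # header, 'path' and 'build' lines carry no version
            continue
        kind, path, version = fields[0], fields[1], fields[2]
        if kind in ("mod", "dep"):
            versions[path] = version
            last_dep = path
        elif kind == "=>" and last_dep is not None:
            versions[last_dep] = version  # replacement overrides the dep line
    return versions


def report(versions: Dict[str, str], modules=MODULES_OF_INTEREST) -> Dict[str, Optional[str]]:
    """Map each cited package to the embedded module version, or None if absent."""
    return {pkg: versions.get(mod) for mod, pkg in modules.items()}


def scan_binary(path: str) -> Dict[str, Optional[str]]:
    """Run `go version -m` on a real binary (requires a Go toolchain on PATH)."""
    out = subprocess.run(["go", "version", "-m", path],
                         check=True, capture_output=True, text=True).stdout
    return report(parse_go_buildinfo(out))


# Constructed sample output; versions and hashes are placeholders only.
SAMPLE_BUILDINFO = """slsa-verifier: go1.21.0
\tpath\tgithub.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier
\tmod\tgithub.com/slsa-framework/slsa-verifier/v2\tv2.7.0\th1:PLACEHOLDER=
\tdep\tgithub.com/go-jose/go-jose/v4\tv4.0.0\th1:PLACEHOLDER=
\tdep\tgolang.org/x/crypto\tv0.20.0\th1:PLACEHOLDER=
\tdep\tgolang.org/x/sys\tv0.17.0\th1:PLACEHOLDER=
\tbuild\t-buildmode=exe
"""

if __name__ == "__main__":
    import sys
    # With a path argument, inspect that binary; otherwise use the sample.
    result = (scan_binary(sys.argv[1]) if len(sys.argv) > 1
              else report(parse_go_buildinfo(SAMPLE_BUILDINFO)))
    for pkg, ver in result.items():
        print(f"{pkg}: {ver or 'not embedded'}")
```

The same check can be done without Python as `go version -m ./slsa-verifier | grep -E 'go-jose|x/crypto'`; the versions printed are what to compare against the fixed versions in the advisories, and `govulncheck -mode=binary ./slsa-verifier` goes one step further by reporting only vulnerabilities whose affected functions are actually reachable in the binary.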
Expected behavior:
All dependencies used by slsa-verifier should be free of known vulnerabilities, particularly in a security-critical toolchain component.
Version