Container Security state does not pass in Gitlab pipeline because of one high level vulnerability. This vulnerability is jwt-go and it's installed version is v3.2.0+incompatible. The error title like this: jwt-go: access restriction bypass vulnerability-->avd.aquasec.com/nvd/cve-2020-26160. The Go version of the relevant repo is 1.16.3. How can I fix this vulnerability?
The CVE-2020-26160 vulnerability is due to the fact that dgrijalva/jwt-go incorrectly models the JWT aud field as a string, when based on the JWT specs it should be a slice of strings.
In the general case, the "aud" value is an array of case-sensitive strings
You can't bypass it yourself, because it's a bug in the library: https://github.com/dgrijalva/jwt-go/issues/428
Switch to the official community fork golang-jwt/jwt, its v3.2.1 fixes the vulnerability: https://github.com/golang-jwt/jwt/releases/tag/v3.2.1
- Import Path Change: See MIGRATION_GUIDE.md for tips on updating your code Changed the import path from github.com/dgrijalva/jwt-go to github.com/golang-jwt/jwt
- Fixed type confusion issue between string and []string in VerifyAudience (#12). This fixes CVE-2020-26160