Trivy reports a HIGH vulnerability because current release is built with v 1.24.2 of Go. Fixed in v 1.24.4

[jorn-ola-birkeland]

The vulnerability is CVE-2025-22874

[felixfontein]

Is there any indication that this affects SOPS?

[jorn-ola-birkeland]

Is there any indication that this affects SOPS?

No expert but would think not:

Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon

Since the vulnerability raises a flag on our systems, it is more of a humble request to use latest Go version on the next release (hopefully relatively soon 🙏 ), which I guess will happen automatically anyways.

[felixfontein]

I think the latest version should be used on new releases anyway (after the last bug that prevented this was fixed some time ago). I don't know when a new release will happen though. @getsops/maintainers what do you think?

[childnode]

Meanwhile second HIGH CVE-2025-47907 with referring golang/go#74831 via stdlib 1.24.2 fixed in go v 1.25

would be nice a "security tool" would release more frequent on security updates @getsops , indifferent sops is affected or not

I suspect this once can affect in the audit log writer "module"?

---

No expert but would think not:

btw. the first one refers to golang/go#73612 looks like can affect any cert validation, at anything with tls in sops too, does it?