You cannot "remediate" it (if you mean make the tool stop reporting it), but that specific issue is not believed to be a real problem, as GoCD does not "serv[e] static resources through the functional web frameworks WebMvc.fn or WebFlux.fn" relevant to CVE-2024-38819.
Please see https://github.com/gocd/gocd/discussions/12947#discussioncomment-10071870 and review the commentary at https://github.com/gocd/gocd/blob/b1cfbd334777350a713a76b2af7dfb1ea9464d32/build-platform/.trivyignore.yaml#L10-L15

However if you are running 24.2.0 you likely have bigger, real, security risks rather than the things the scanning tools spit out from embedded libraries. Should upgrade to 24.5.0 or later to remediate those *real* vulnerabilities.
- https://github.com/gocd/gocd/discussions/13350
- https://github.com/gocd/gocd/security/advisories

-Chad

On Wed, 19 Feb 2025 at 00:55, naveen pamulapati <[email protected]> wrote:

> Hi Team,
>
> Our security team found Spring Framework Path traversal vulnerability on
> the below dependencies.
>
> jetty-0_0_0_0-8153-cruise_war-_go-any-/webapp/WEB-INF/lib/
> *spring-core-4.3.30.RELEASE.jar*
>
> jetty-0_0_0_0-8153-cruise_war-_go-any-/webapp/WEB-INF/lib/
> *spring-webmvc-4.3.30.RELEASE.jar*
>
> Can you please let us know how we can
> remediate the issue. We are currently running GoCD using docker and version
> is 24.2.0. (19076-1406870fc6e121194028e55c4facc0c638d70007).
>
> docker pull gocd/gocd-agent-ubuntu-24.04:v24.2.0
>
> Appreciate your help.
>
> Thanks,
> Naveen.
