Dear HashiCorp team,
Please provide a statement on the following security vulnerability, found in terraform_provider_helm - 2.9.0
PRISMA-2022-0227 | high | github.com/emicklei/go-restful/v3 | v3.9.0 | fixed in v3.10.0 | > 8 months
If the issue is not relevant or a false positive, please provide a statement as well.
Thank you for the assistance on this!
You are posting in a community discussion forum. If you are looking for an official response from HashiCorp, and have a commercial support contract with them, you may wish to use https://support.hashicorp.com instead.
That sounds like something you’d ask an employee, contractor or paid third party to do, rather than an anonymous internet forum?
This appears to be a private vulnerability reference from a commercial vulnerability scanner. It has no meaning to people (like me) not paying that vendor for services.
I would agree with @maxb in terms of the forum of your post. Generally speaking, these automated security scanners drive many false positives in terms of code paths that are not used in the product. When there is not an actual security issue present in the Terraform software they will be resolved when the package in question next needs to be updated for a functional reason. In the case of a dependency used by a backend that is not maintained by the core team (as in this case), the responsiveness can be even slower as backends are typically not the top priority of those teams. Thanks for your interest!