Because of compliance requirements in our organisation, we have to verify that the third party dependencies used in Terraform don’t have vulnerabilities reported against them. Apparently, two dependencies for Terraform 0.14.8 have vulnerabilities reported:
- github.com/gorilla/websocket v1.4.0 // indirect
- github.com/hashicorp/consul v0.0.0-20171026175957-610f3c86a089
What would be recommended approach in this situation?
- Can we confirm that these reported vulnerabilities in the dependencies don’t affect Terraform?
- Can we expect that in one of the next 14.* versions of Terraform, newer versions of the affected module will be used (where the vulnerabilities have been fixed)?
- Or, would you rather recommend that we uptake newer versions of these 3rd party modules by building the Terraform binary by ourselves ? ( At the moment we don’t have “go” expertise in-house, so our preference is to uptake a binary version of Terraform from Hashicorp rather than building the binary).