Go crypto/ssh vulnerability in Go 1.16.2 docker image #45342

Closed
ruffoa opened this issue Apr 1, 2021 · 2 comments
Labels
FrozenDueToAge WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.

Comments

@ruffoa

ruffoa commented Apr 1, 2021

First off, sorry if this is in the wrong place! I looked for any similar issues, but could not find any, so figured I'd open an issue report here 😄

What version of Go are you using (go version)?

$ go version
go version go1.16.2 linux/amd64

Does this issue reproduce with the latest release?

Yes, using the latest version of the Go 1.16 alpine Docker image (hash 52dbfc81ec12df22e2ab1e7c9c4f4ee3dff73514e56a54924714d29ac03ff791)

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
(sorry for the formatting, this is from Jenkins)

[2021-04-01T19:44:26.092Z] #19 0.727 GO111MODULE=""
[2021-04-01T19:44:26.092Z] #19 0.727 GOARCH="amd64"
[2021-04-01T19:44:26.092Z] #19 0.727 GOBIN=""
[2021-04-01T19:44:26.092Z] #19 0.727 GOCACHE="/root/.cache/go-build"
[2021-04-01T19:44:26.092Z] #19 0.727 GOENV="/root/.config/go/env"
[2021-04-01T19:44:26.092Z] #19 0.727 GOEXE=""
[2021-04-01T19:44:26.092Z] #19 0.727 GOFLAGS=""
[2021-04-01T19:44:26.092Z] #19 0.727 GOHOSTARCH="amd64"
[2021-04-01T19:44:26.092Z] #19 0.727 GOHOSTOS="linux"
[2021-04-01T19:44:26.092Z] #19 0.727 GOINSECURE=""
[2021-04-01T19:44:26.092Z] #19 0.727 GOMODCACHE="/go/pkg/mod"
[2021-04-01T19:44:26.093Z] #19 0.727 GONOPROXY=""
[2021-04-01T19:44:26.093Z] #19 0.727 GONOSUMDB="mycompany.org/*"
[2021-04-01T19:44:26.093Z] #19 0.727 GOOS="linux"
[2021-04-01T19:44:26.093Z] #19 0.727 GOPATH="/go"
[2021-04-01T19:44:26.093Z] #19 0.727 GOPRIVATE=""
[2021-04-01T19:44:26.093Z] #19 0.727 GOPROXY="mycompany.org"
[2021-04-01T19:44:26.093Z] #19 0.727 GOROOT="/usr/local/go"
[2021-04-01T19:44:26.093Z] #19 0.727 GOSUMDB="sum.golang.org"
[2021-04-01T19:44:26.093Z] #19 0.727 GOTMPDIR=""
[2021-04-01T19:44:26.093Z] #19 0.727 GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
[2021-04-01T19:44:26.093Z] #19 0.727 GOVCS=""
[2021-04-01T19:44:26.093Z] #19 0.727 GOVERSION="go1.16.2"
[2021-04-01T19:44:26.093Z] #19 0.727 GCCGO="gccgo"
[2021-04-01T19:44:26.093Z] #19 0.727 AR="ar"
[2021-04-01T19:44:26.093Z] #19 0.727 CC="gcc"
[2021-04-01T19:44:26.093Z] #19 0.727 CXX="g++"
[2021-04-01T19:44:26.093Z] #19 0.727 CGO_ENABLED="1"
[2021-04-01T19:44:26.093Z] #19 0.727 GOMOD="/dev/null"
[2021-04-01T19:44:26.093Z] #19 0.727 CGO_CFLAGS="-g -O2"
[2021-04-01T19:44:26.093Z] #19 0.727 CGO_CPPFLAGS=""
[2021-04-01T19:44:26.093Z] #19 0.727 CGO_CXXFLAGS="-g -O2"
[2021-04-01T19:44:26.093Z] #19 0.727 CGO_FFLAGS="-g -O2"
[2021-04-01T19:44:26.093Z] #19 0.727 CGO_LDFLAGS="-g -O2"
[2021-04-01T19:44:26.093Z] #19 0.727 PKG_CONFIG="pkg-config"
[2021-04-01T19:44:26.093Z] #19 0.727 GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3087407697=/tmp/go-build -gno-record-gcc-switches"

What did you do?

We have vulnerability scanning on all Docker images as a part of our deployment pipeline, and even an image with no Go projects in it was flagged as being affected by the crypto/ssh vulnerability fixed in this commit. Here is the Snyk vulnerability page.

This is the flagged Docker image:

Dockerfile
FROM golang:1.16-alpine@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8

# Installing dependencies
RUN apk upgrade --no-cache && \
    apk add --no-cache \

    bash \

    # Install Git
    git \

    nodejs \
    npm \

    make \

    gcc musl-dev python3-dev libffi-dev openssl-dev \

    python3 \
    py3-pip && \
    echo "*** setup python ***" && \
    ln -sf python3 /usr/bin/python && \
    pip install wheel && \
    rm -rf /root/.cache/pip 

As an aside, is there a way to force a Docker image to install a newer version of a built-in module? I tried doing a go get -u golang.org/x/crypto/ssh, however it did not fix the problem 😞

Any help would be greatly appreciated! Just checking to make sure it's not because of something silly I've done 😄

@seankhliao
Member

I don't see this for either of the base images?

3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8
snyk container test golang@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8

Testing golang@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8...

✗ Medium severity vulnerability found in openssl/libcrypto1.1
  Description: NULL Pointer Dereference
  Info: https://snyk.io/vuln/SNYK-ALPINE313-OPENSSL-1089240
  Introduced through: openssl/libcrypto1.1@1.1.1j-r0, openssl/libssl1.1@1.1.1j-r0, apk-tools/apk-tools@2.12.1-r0, libtls-standalone/libtls-standalone@2.9.1-r1, ca-certificates/ca-certificates@20191127-r5
  From: openssl/libcrypto1.1@1.1.1j-r0
  From: openssl/libssl1.1@1.1.1j-r0 > openssl/libcrypto1.1@1.1.1j-r0
  From: apk-tools/apk-tools@2.12.1-r0 > openssl/libcrypto1.1@1.1.1j-r0
  and 5 more...
  Image layer: '/bin/sh -c set -eux; 	apk add --no-cache --virtual .build-deps 		bash 		gcc 		gnupg 		go 		musl-dev 		openssl ; 	apkArch="$(apk --print-arch)"; 	case "$apkArch" in 		'x86_64') 			export GOARCH='amd64' GOOS='linux'; 			;; 		'armhf') 	xport GOARCH='arm' GOARM='6' GOOS='linux'; 			;; 		'armv7') 			export GOARCH='arm' GOARM='7' GOOS='linux'; 			;; 		aarch64') 			export GOARCH='arm64' GOOS='linux'; 			;; 		'x86') 			export GO386='softfloat' GOARCH='386' GOOS='linux'; 		; 		'ppc64le') 			export GOARCH='ppc64le' GOOS='linux'; 			;; 		's390x') 			export GOARCH='s390x' GOOS='linux'; 	; 		*) echo >&2 "error: unsupported architecture '$apkArch' (likely packaging update needed)"; exit 1 ;; 	esac; 		url='https://storage.googleapis.com/golang/go1.16.2.src.tar.gz'; 	sha256='37ca14287a23cb8ba2ac3f5c3dd8adbc1f7a54b9701a57824bf19a0b271f83ea'; 		wget -O go.tgz.asc "$url.asc"; 	wget -O go.tgz "$url"; 	echo "$sha256 *go.tgz" | sha256sum -c -; 		export GNUPGHOME="$(mktemp -d)"; 	gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys 'EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796'; 	gpg --batch --verify go.tgz.asc go.tgz; 	gpgconf --kill all; 	rm -rf "$GNUPGHOME" go.tgz.asc; 		tar -C /usr/local -xzf go.tgz; 	rm go.tgz; 		( 		cd /usr/local/go/src; 		export GOROOT_BOOTSTRAP="$(go env GOROOT)" GOHOSTOS="$GOOS" GOHOSTARCH="$GOARCH"; 		if [ "${GO386:-}" = 'softfloat' ]; then 			GO386= ./bootstrap.bash; 			export GOROOT_BOOTSTRAP="/usr/local/go-$GOOS-$GOARCH-bootstrap"; 			"$GOROOT_BOOTSTRAP/bin/go" version; 		fi; 		/make.bash; 		if [ "${GO386:-}" = 'softfloat' ]; then 			rm -rf "$GOROOT_BOOTSTRAP"; 		fi; 	); 		apk del --no-network .build-deps; 	o install std; 		rm -rf 		/usr/local/go/pkg/*/cmd 		/usr/local/go/pkg/bootstrap 		/usr/local/go/pkg/obj 		/usr/local/go/pkg/tool/*/api 		usr/local/go/pkg/tool/*/go_bootstrap 		/usr/local/go/src/cmd/dist/dist 	; 		go version'
  Fixed in: 1.1.1k-r0

✗ Medium severity vulnerability found in musl/musl
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-ALPINE313-MUSL-1067865
  Introduced through: musl/musl@1.2.2-r0, busybox/busybox@1.32.1-r3, alpine-baselayout/alpine-baselayout@3.2.0-r8, openssl/libcrypto1.1@1.1.1j-r0, openssl/libssl1.1@1.1.1j-r0, zlib/zlib@1.2.11-r3, apk-tools/apk-tools@2.12.1-r0, libtls-standalone/libtls-standalone@2.9.1-r1, busybox/ssl_client@1.32.1-r3, ca-certificates/ca-certificates@20191127-r5, musl/musl-utils@1.2.2-r0, pax-utils/scanelf@1.2.8-r0, libc-dev/libc-utils@0.7.2-r3
  From: musl/musl@1.2.2-r0
  From: busybox/busybox@1.32.1-r3 > musl/musl@1.2.2-r0
  From: alpine-baselayout/alpine-baselayout@3.2.0-r8 > musl/musl@1.2.2-r0
  and 11 more...
  Image layer: '/bin/sh -c set -eux; 	apk add --no-cache --virtual .build-deps 		bash 		gcc 		gnupg 		go 		musl-dev 		openssl ; 	apkArch="$(apk --print-arch)"; 	case "$apkArch" in 		'x86_64') 			export GOARCH='amd64' GOOS='linux'; 			;; 		'armhf') 	xport GOARCH='arm' GOARM='6' GOOS='linux'; 			;; 		'armv7') 			export GOARCH='arm' GOARM='7' GOOS='linux'; 			;; 		aarch64') 			export GOARCH='arm64' GOOS='linux'; 			;; 		'x86') 			export GO386='softfloat' GOARCH='386' GOOS='linux'; 		; 		'ppc64le') 			export GOARCH='ppc64le' GOOS='linux'; 			;; 		's390x') 			export GOARCH='s390x' GOOS='linux'; 	; 		*) echo >&2 "error: unsupported architecture '$apkArch' (likely packaging update needed)"; exit 1 ;; 	esac; 		url='https://storage.googleapis.com/golang/go1.16.2.src.tar.gz'; 	sha256='37ca14287a23cb8ba2ac3f5c3dd8adbc1f7a54b9701a57824bf19a0b271f83ea'; 		wget -O go.tgz.asc "$url.asc"; 	wget -O go.tgz "$url"; 	echo "$sha256 *go.tgz" | sha256sum -c -; 		export GNUPGHOME="$(mktemp -d)"; 	gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys 'EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796'; 	gpg --batch --verify go.tgz.asc go.tgz; 	gpgconf --kill all; 	rm -rf "$GNUPGHOME" go.tgz.asc; 		tar -C /usr/local -xzf go.tgz; 	rm go.tgz; 		( 		cd /usr/local/go/src; 		export GOROOT_BOOTSTRAP="$(go env GOROOT)" GOHOSTOS="$GOOS" GOHOSTARCH="$GOARCH"; 		if [ "${GO386:-}" = 'softfloat' ]; then 			GO386= ./bootstrap.bash; 			export GOROOT_BOOTSTRAP="/usr/local/go-$GOOS-$GOARCH-bootstrap"; 			"$GOROOT_BOOTSTRAP/bin/go" version; 		fi; 		/make.bash; 		if [ "${GO386:-}" = 'softfloat' ]; then 			rm -rf "$GOROOT_BOOTSTRAP"; 		fi; 	); 		apk del --no-network .build-deps; 	o install std; 		rm -rf 		/usr/local/go/pkg/*/cmd 		/usr/local/go/pkg/bootstrap 		/usr/local/go/pkg/obj 		/usr/local/go/pkg/tool/*/api 		usr/local/go/pkg/tool/*/go_bootstrap 		/usr/local/go/src/cmd/dist/dist 	; 		go version'
  Fixed in: 1.2.2_pre2-r0

✗ High severity vulnerability found in openssl/libcrypto1.1
  Description: Improper Certificate Validation
  Info: https://snyk.io/vuln/SNYK-ALPINE313-OPENSSL-1089239
  Introduced through: openssl/libcrypto1.1@1.1.1j-r0, openssl/libssl1.1@1.1.1j-r0, apk-tools/apk-tools@2.12.1-r0, libtls-standalone/libtls-standalone@2.9.1-r1, ca-certificates/ca-certificates@20191127-r5
  From: openssl/libcrypto1.1@1.1.1j-r0
  From: openssl/libssl1.1@1.1.1j-r0 > openssl/libcrypto1.1@1.1.1j-r0
  From: apk-tools/apk-tools@2.12.1-r0 > openssl/libcrypto1.1@1.1.1j-r0
  and 5 more...
  Image layer: '/bin/sh -c set -eux; 	apk add --no-cache --virtual .build-deps 		bash 		gcc 		gnupg 		go 		musl-dev 		openssl ; 	apkArch="$(apk --print-arch)"; 	case "$apkArch" in 		'x86_64') 			export GOARCH='amd64' GOOS='linux'; 			;; 		'armhf') 	xport GOARCH='arm' GOARM='6' GOOS='linux'; 			;; 		'armv7') 			export GOARCH='arm' GOARM='7' GOOS='linux'; 			;; 		aarch64') 			export GOARCH='arm64' GOOS='linux'; 			;; 		'x86') 			export GO386='softfloat' GOARCH='386' GOOS='linux'; 		; 		'ppc64le') 			export GOARCH='ppc64le' GOOS='linux'; 			;; 		's390x') 			export GOARCH='s390x' GOOS='linux'; 	; 		*) echo >&2 "error: unsupported architecture '$apkArch' (likely packaging update needed)"; exit 1 ;; 	esac; 		url='https://storage.googleapis.com/golang/go1.16.2.src.tar.gz'; 	sha256='37ca14287a23cb8ba2ac3f5c3dd8adbc1f7a54b9701a57824bf19a0b271f83ea'; 		wget -O go.tgz.asc "$url.asc"; 	wget -O go.tgz "$url"; 	echo "$sha256 *go.tgz" | sha256sum -c -; 		export GNUPGHOME="$(mktemp -d)"; 	gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys 'EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796'; 	gpg --batch --verify go.tgz.asc go.tgz; 	gpgconf --kill all; 	rm -rf "$GNUPGHOME" go.tgz.asc; 		tar -C /usr/local -xzf go.tgz; 	rm go.tgz; 		( 		cd /usr/local/go/src; 		export GOROOT_BOOTSTRAP="$(go env GOROOT)" GOHOSTOS="$GOOS" GOHOSTARCH="$GOARCH"; 		if [ "${GO386:-}" = 'softfloat' ]; then 			GO386= ./bootstrap.bash; 			export GOROOT_BOOTSTRAP="/usr/local/go-$GOOS-$GOARCH-bootstrap"; 			"$GOROOT_BOOTSTRAP/bin/go" version; 		fi; 		/make.bash; 		if [ "${GO386:-}" = 'softfloat' ]; then 			rm -rf "$GOROOT_BOOTSTRAP"; 		fi; 	); 		apk del --no-network .build-deps; 	o install std; 		rm -rf 		/usr/local/go/pkg/*/cmd 		/usr/local/go/pkg/bootstrap 		/usr/local/go/pkg/obj 		/usr/local/go/pkg/tool/*/api 		usr/local/go/pkg/tool/*/go_bootstrap 		/usr/local/go/src/cmd/dist/dist 	; 		go version'
  Fixed in: 1.1.1k-r0

✗ High severity vulnerability found in busybox/busybox
  Description: Improper Handling of Exceptional Conditions
  Info: https://snyk.io/vuln/SNYK-ALPINE313-BUSYBOX-1089800
  Introduced through: busybox/busybox@1.32.1-r3, alpine-baselayout/alpine-baselayout@3.2.0-r8, ca-certificates/ca-certificates@20191127-r5, busybox/ssl_client@1.32.1-r3
  From: busybox/busybox@1.32.1-r3
  From: alpine-baselayout/alpine-baselayout@3.2.0-r8 > busybox/busybox@1.32.1-r3
  From: ca-certificates/ca-certificates@20191127-r5 > busybox/busybox@1.32.1-r3
  and 1 more...
  Fixed in: 1.32.1-r4



Organization:      seankhliao
Package manager:   apk
Project name:      docker-image|golang
Docker image:      golang@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8
Platform:          linux/amd64
Licenses:          enabled

Tested 15 dependencies for known issues, found 4 issues.

Pro tip: use `--file` option to get base image remediation advice.
Example: $ snyk test --docker golang@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8 --file=path/to/Dockerfile

To remove this message in the future, please run `snyk config set disableSuggestions=true`

52dbfc81ec12df22e2ab1e7c9c4f4ee3dff73514e56a54924714d29ac03ff791
snyk container test golang@sha256:52dbfc81ec12df22e2ab1e7c9c4f4ee3dff73514e56a54924714d29ac03ff791

Testing golang@sha256:52dbfc81ec12df22e2ab1e7c9c4f4ee3dff73514e56a54924714d29ac03ff791...

✗ Medium severity vulnerability found in musl/musl
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-ALPINE313-MUSL-1067865
  Introduced through: musl/musl@1.2.2-r0, busybox/busybox@1.32.1-r3, alpine-baselayout/alpine-baselayout@3.2.0-r8, openssl/libcrypto1.1@1.1.1k-r0, openssl/libssl1.1@1.1.1k-r0, zlib/zlib@1.2.11-r3, apk-tools/apk-tools@2.12.1-r0, libtls-standalone/libtls-standalone@2.9.1-r1, busybox/ssl_client@1.32.1-r3, ca-certificates/ca-certificates@20191127-r5, musl/musl-utils@1.2.2-r0, pax-utils/scanelf@1.2.8-r0, libc-dev/libc-utils@0.7.2-r3
  From: musl/musl@1.2.2-r0
  From: busybox/busybox@1.32.1-r3 > musl/musl@1.2.2-r0
  From: alpine-baselayout/alpine-baselayout@3.2.0-r8 > musl/musl@1.2.2-r0
  and 11 more...
  Image layer: '/bin/sh -c apk add --no-cache 		ca-certificates'
  Fixed in: 1.2.2_pre2-r0

✗ High severity vulnerability found in busybox/busybox
  Description: Improper Handling of Exceptional Conditions
  Info: https://snyk.io/vuln/SNYK-ALPINE313-BUSYBOX-1089800
  Introduced through: busybox/busybox@1.32.1-r3, alpine-baselayout/alpine-baselayout@3.2.0-r8, ca-certificates/ca-certificates@20191127-r5, busybox/ssl_client@1.32.1-r3
  From: busybox/busybox@1.32.1-r3
  From: alpine-baselayout/alpine-baselayout@3.2.0-r8 > busybox/busybox@1.32.1-r3
  From: ca-certificates/ca-certificates@20191127-r5 > busybox/busybox@1.32.1-r3
  and 1 more...
  Image layer: '/bin/sh -c apk add --no-cache 		ca-certificates'
  Fixed in: 1.32.1-r4



Organization:      seankhliao
Package manager:   apk
Project name:      docker-image|golang
Docker image:      golang@sha256:52dbfc81ec12df22e2ab1e7c9c4f4ee3dff73514e56a54924714d29ac03ff791
Platform:          linux/amd64
Licenses:          enabled

Tested 15 dependencies for known issues, found 2 issues.

Pro tip: use `--file` option to get base image remediation advice.
Example: $ snyk test --docker golang@sha256:52dbfc81ec12df22e2ab1e7c9c4f4ee3dff73514e56a54924714d29ac03ff791 --file=path/to/Dockerfile

To remove this message in the future, please run `snyk config set disableSuggestions=true`

or with your provided dockerfile either

Dockerfile
$ docker build -t x .
[+] Building 11.2s (6/6) FINISHED
 => [internal] load build definition from Dockerfile                                                                                                                                       0.2s
 => => transferring dockerfile: 521B                                                                                                                                                       0.0s
 => [internal] load .dockerignore                                                                                                                                                          0.2s
 => => transferring context: 2B                                                                                                                                                            0.0s
 => [internal] load metadata for docker.io/library/golang:1.16-alpine@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8                                              0.0s
 => CACHED [1/2] FROM docker.io/library/golang:1.16-alpine@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8                                                         0.0s
 => [2/2] RUN apk upgrade --no-cache &&     apk add --no-cache     bash     git     nodejs     npm     make     gcc musl-dev python3-dev libffi-dev openssl-dev     python3     py3-pip &  7.4s
 => exporting to image                                                                                                                                                                     3.3s
 => => exporting layers                                                                                                                                                                    3.2s
 => => writing image sha256:1d16e89bff2b139992936b2a7c40d0610aa01d10f67cea1f9727fc8ad7460e77                                                                                               0.0s
 => => naming to docker.io/library/x 


$ snyk container test --file=./Dockerfile x

Testing x...

✗ Medium severity vulnerability found in musl/musl-utils
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-ALPINE313-MUSL-1067865
  Introduced through: musl/musl-utils@1.2.2-r0, libc-dev/libc-utils@0.7.2-r3, meta-common-packages@meta, musl/musl-dev@1.2.2-r0
  From: musl/musl-utils@1.2.2-r0
  From: libc-dev/libc-utils@0.7.2-r3 > musl/musl-utils@1.2.2-r0
  From: meta-common-packages@meta > musl/musl@1.2.2-r0
  and 1 more...
  Image layer: Introduced by your base image (golang:1.16-alpine@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8)
  Fixed in: 1.2.2_pre2-r0



Organization:      seankhliao
Package manager:   apk
Target file:       ./Dockerfile
Project name:      docker-image|x
Docker image:      x
Platform:          linux/amd64
Base image:        golang:1.16-alpine@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8
Licenses:          enabled

Tested 78 dependencies for known issues, found 1 issue.

Recommendations for golang:1.16-alpine@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8 are not available, as we haven't found any recent updates to this base image.
Consider upgrading your base image.
See above for details and fixes on individual vulnerabilities

Pro tip: use `--exclude-base-image-vulns` to exclude from display Docker base image vulnerabilities.

To remove this message in the future, please run `snyk config set disableSuggestions=true`

@seankhliao seankhliao added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Apr 1, 2021
@ruffoa
Author

ruffoa commented Apr 1, 2021

Hmm, it's possible our vulnerability scanner logic in our builds is broken, unfortunately I'm unable to test it locally due to not having access to Snyk. Thanks for looking into this for me though, guess I'll have to go through our internal logic again 😆

@ruffoa ruffoa closed this as completed Apr 1, 2021
@golang golang locked and limited conversation to collaborators Apr 1, 2022