This site may contain outdated or incomplete information.
GCP Golang Buildpacks Old Compiler Injection
Previously, GCP Build Pipelines defaulted to pulling the go
compiler supplied in go.mod
, which could point to insecure versions.
Impact
According to the researchers: “before the fix, GCP Buildpacks originally pulled in older compilers based upon the level of compatibility rather than the latest stable version”, and “using an older compiler to build resulted in insecure binaries with known vulnerabilities originating from the old compiler and golang stdlib”.
This behavior has since been adjusted, but the researchers also point out to the value of attestations and SBOM to proactively inform users.
Type of Compromise
Given this default overrides the experience a developer might be having building and testing locally or in a non-production environment, we categorize this as Dev Tooling.
References
- GCP Buildpacks Old Compiler Injection Write-Up [Fixed]
- Don’t use go.mod to detect go version · GoogleCloudPlatform/buildpacks@9b81ec3
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.