x.com/feross/status/2034845411459191173?s=20
1 correction found
That's @0.0.1 all the way through @0.34.2.
The top documented affected trivy-action tag was 0.34.0, not 0.34.2. Aqua’s own maintainer later described the restored compromised range as v0.0.1 through v0.34.0, and GitHub’s API has no 0.34.2/v0.34.2 tag or release for this repo.
Full reasoning
This appears to overstate the highest affected trivy-action version.
Aqua maintainer DmitriyLewen wrote in the official aquasecurity/trivy-action incident thread that:
- 0.35.0 was the safe version.
- “All tags before 0.35.0” had pointed to malicious commits.
- The restored tags were “from v0.0.1 to v0.34.0.”
That official description makes 0.34.0 the highest tag in the compromised range, not 0.34.2.
GitHub’s API is consistent with that:
- v0.34.0 exists as a release/tag.
- v0.34.1 and v0.34.2 do not exist as release tags.
So the post’s endpoint @0.34.2 is not supported by the repository’s own release/tag history and conflicts with Aqua’s incident comment describing the affected range.
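The same check, turned into something a practitioner can run against their own workflow files, as an added example that is not part of this fact-check or of Aqua's tooling. It takes the range boundary from the maintainer comment quoted above (every version tag below 0.35.0 was repointed; 0.35.0 is safe), classifies each `aquasecurity/trivy-action@<ref>` pin, and compares a claimed top-of-range tag (the tweet's 0.34.2) with the tags that actually exist. The sample workflow and the partial tag list are constructed for illustration; the `github_tag_exists` helper does the live GitHub API lookup the page's sources describe (`GET /repos/{owner}/{repo}/git/ref/tags/{tag}`, 200 vs 404) and needs network access. Note that a tag pin is mutable, which is exactly how this incident worked, so a full commit SHA is the only pin the script treats as stable, and even that must be checked against the commit history separately.

```python
"""Check GitHub Actions workflow pins against the trivy-action compromised range.

Added example (not code from the page or from Aqua). Assumptions: the range
boundary comes from the maintainer comment quoted on the page; the sample
workflow and the sample tag list are constructed and incomplete.
"""
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

SAFE_FROM = (0, 35, 0)   # first version the maintainer described as safe

USES_RE = re.compile(r"uses:\s*['\"]?aquasecurity/trivy-action@([^\s'\"#]+)")
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_version(ref):
    """Return (major, minor, patch) for 'v0.34.0' or '0.34.0', else None."""
    m = SEMVER_RE.match(ref.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def classify_ref(ref):
    """Verdict for one @ref. A version tag is judged against SAFE_FROM; a full
    commit SHA is immutable but must still be checked against the commit
    history; anything else (branch, short SHA, major-only tag) cannot be judged."""
    version = parse_version(ref)
    if version is not None:
        return "in-compromised-range" if version < SAFE_FROM else "safe-version"
    if SHA_RE.match(ref):
        return "sha-pinned"
    return "unknown-ref"


def scan_workflow(text):
    """Find every trivy-action pin in a workflow file and classify it."""
    return [(ref, classify_ref(ref)) for ref in USES_RE.findall(text)]


def check_claimed_endpoint(claimed, known_tags):
    """Compare a claimed top-of-range tag with tags that actually exist.
    Returns (claim_exists, highest_known_tag_at_or_below_claim)."""
    claimed_v = parse_version(claimed)
    existing = sorted(v for v in (parse_version(t) for t in known_tags) if v)
    at_or_below = [v for v in existing if v <= claimed_v]
    top = at_or_below[-1] if at_or_below else None
    return (claimed_v in existing, "v%d.%d.%d" % top if top else None)


def github_tag_exists(owner, repo, tag, token=None):
    """Live lookup: GET /repos/{owner}/{repo}/git/ref/tags/{tag}.
    200 means the tag exists, 404 means it does not. Needs network access."""
    req = Request(
        f"https://api.github.com/repos/{owner}/{repo}/git/ref/tags/{tag}",
        headers={"Accept": "application/vnd.github+json", "User-Agent": "tag-check"},
    )
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status == 200
    except HTTPError as e:
        if e.code == 404:
            return False
        raise


# Constructed sample workflow (not a real project file).
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@v0.34.0
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

# Constructed, partial tag list consistent with the page's API checks
# (v0.34.0 and v0.35.0 exist; v0.34.1 and v0.34.2 do not). Not the full history.
SAMPLE_TAGS = ["v0.33.0", "v0.34.0", "v0.35.0"]

if __name__ == "__main__":
    for ref, verdict in scan_workflow(SAMPLE_WORKFLOW):
        print(f"{ref:44} {verdict}")
    print(check_claimed_endpoint("0.34.2", SAMPLE_TAGS))
```

Run against the constructed workflow, the two version pins below 0.35.0 are flagged, the branch pin is reported as unjudgeable, and `check_claimed_endpoint("0.34.2", SAMPLE_TAGS)` returns that 0.34.2 does not exist and that v0.34.0 is the highest real tag at or below it, which is the page's correction. Swap `SAMPLE_TAGS` for the output of `github_tag_exists` (or the repository's tag listing) to repeat the live check.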
4 sources
- GitHub API — comments on aquasecurity/trivy-action issue #541
DmitriyLewen: "The 0.35.0 version ... is safe and wasn't compromised... All tags before 0.35.0 in this repository were pointing to malicious commits... All tags from v0.0.1 to v0.34.0 have been re-created..."
- GitHub API — aquasecurity/trivy-action release tag v0.34.0
Status 200; tag_name: "v0.34.0".
- GitHub API — aquasecurity/trivy-action release tag v0.34.2
Status 404: "Not Found".
- GitHub API — aquasecurity/trivy-action git ref v0.34.2
Status 404: "Not Found".