awslabs / aws-sigv4-proxy

This project signs and proxies HTTP requests with Sigv4
Apache License 2.0
348 stars 99 forks

CVE-2020-8911 and CVE-2020-8912 #122

Open chadmyers opened 1 year ago

chadmyers commented 1 year ago

When I run trivy on this repo, it reports two vulnerabilities in the aws-sdk-go module. When I upgrade go.mod to point to the latest release of aws-sdk-go (1.44.221 at the time of this writing), I get the same two vulnerabilities:

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| github.com/aws/aws-sdk-go | CVE-2020-8911 | MEDIUM | 1.44.221 | | aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto (SDK for golang) |
| github.com/aws/aws-sdk-go | CVE-2020-8912 | LOW | 1.44.221 | | aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto (SDK for golang) |

chadmyers commented 1 year ago

It appears that upgrading to the v2 AWS SDK for Go (aws-sdk-go-v2) will fix these issues. I looked into the process for upgrading but my Go experience is poor and so I'm not quite sure where to start. For example, the aws-sdk-go-v2 release numbers look like 2023-03-14 and go.mod expects the v1.2.3 format so I'm not even sure how to reference that version.

luisgerhorst commented 11 months ago

I think they are using different versions for different sub-modules and the date is only used as an informal name. See https://github.com/aws/aws-sdk-go-v2/releases/tag/release-2023-07-31 and https://github.com/moby/moby/blob/95bbbc0418390b28717674a2969edc8313b61fe7/vendor.mod#L19 as an example.