
Cloud Vulnerability DB
A community-led vulnerabilities database
The go-tuf client, a Go implementation of The Update Framework (TUF), contains a vulnerability in its delegation tracing functionality. The vulnerability was discovered during testing with the TUF conformance test suite and affects versions up to and including v2.0.0. The issue was fixed in version 2.0.1 (GitHub Advisory).
The vulnerability stems from inconsistent delegation tracing in the go-tuf client. For example, if the top-level targets role delegates to 'A' and 'B', and 'B' in turn delegates to 'C', the client should trace the delegations in the order 'A', then 'B', then 'C'. Because of the bug, it may instead trace them as 'B' -> 'C' -> 'A'. The root cause was identified in the GetRolesForTarget function, which returns a Go map, whose iteration order is not guaranteed, rather than an ordered list, so the order in which delegations are traversed can vary from one run to the next (GitHub Advisory).
Because TUF resolves a target to the first delegated role in traversal order that signs it, tracing the delegations in the wrong order can cause the client to download the wrong artifact, with potential security implications for software update systems. The vulnerability has been assigned a High severity rating because it can affect the integrity of software updates (GitHub Advisory).
Users should upgrade to go-tuf version 2.0.1 or later, which contains the fix. The fix changes the GetRolesForTarget function to return an ordered list instead of an unordered map (GitHub Advisory).
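As an added illustration (example code, not go-tuf's own), the Go model below shows why the map-versus-ordered-list difference described above matters: the role names, target paths and hashes are constructed, and TUF path patterns and terminating delegations are left out. Both shapes of the lookup are modelled so the deterministic walk can be compared with the unstable one.

```go
package main

// Constructed model of a TUF delegation tree (example code, not go-tuf's own
// types); path patterns and the "terminating" flag are omitted for brevity.
type role struct {
	targets     map[string]string // target path -> hash (constructed values)
	delegations []string          // delegated role names, in metadata order
}
// Constructed tree: targets -> A, B and B -> C. "bin/app" is signed by both
// A and C with different hashes, so traversal order decides which is used.
var tree = map[string]*role{
	"targets": {delegations: []string{"A", "B"}},
	"A":       {targets: map[string]string{"bin/app": "hash-from-A"}},
	"B":       {delegations: []string{"C"}},
	"C":       {targets: map[string]string{"bin/app": "hash-from-C", "bin/lib": "hash-from-C"}},
}
// Buggy shape of GetRolesForTarget: a Go map, whose iteration order is
// unspecified, so the client may visit B (and C) before A.
func rolesUnordered(r *role) []string {
	m := map[string]bool{}
	for _, d := range r.delegations {
		m[d] = true
	}
	out := []string{}
	for n := range m {
		out = append(out, n)
	}
	return out
}
// Fixed shape: an ordered slice, exactly as listed in the signed metadata.
func rolesOrdered(r *role) []string { return r.delegations }
// trace walks delegations depth-first in pre-order (A, then B, then C) and
// returns the visit order plus the hash from the first role signing target.
func trace(target string, roles func(*role) []string) (visited []string, hash string) {
	var walk func(name string) bool
	walk = func(name string) bool {
		visited = append(visited, name)
		r := tree[name]
		if h, ok := r.targets[target]; ok {
			hash = h
			return true
		}
		for _, n := range roles(r) {
			if walk(n) {
				return true
			}
		}
		return false
	}
	walk("targets")
	return visited, hash
}
```

With rolesOrdered, "bin/app" always resolves to A's hash and "bin/lib" is reached only after A and B have been visited; with rolesUnordered, the same lookup may return C's hash depending on the map's iteration order that run.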
Source: This report was generated using AI