
Upgrade Go dependencies to address CVEs #276

Conversation

antoninbas
Contributor

Signed-off-by: Antonin Bas [email protected]

What this PR does / why we need it:

Some of the existing dependencies have CRITICAL / HIGH CVEs. This creates issues for enterprises that want to use Whereabouts and run security scans.

The ghcr.io/k8snetworkplumbingwg/whereabouts:latest container image was built using the latest code (master branch) and scanned with trivy.

whereabouts (gobinary)

Total: 6 (UNKNOWN: 2, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 1)

┌────────────────────────────────┬─────────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │    Vulnerability    │ Severity │         Installed Version          │           Fixed Version           │                            Title                             │
├────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/emicklei/go-restful │ CVE-2022-1996       │ CRITICAL │ v2.15.0+incompatible               │ 2.16.0                            │ go-restful: Authorization Bypass Through User-Controlled Key │
│                                │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-1996                    │
│                                ├─────────────────────┼──────────┤                                    │                                   ├──────────────────────────────────────────────────────────────┤
│                                │ GHSA-r48q-9g5r-8q2h │ UNKNOWN  │                                    │                                   │ CORS filters that use an AllowedDomains configuration        │
│                                │                     │          │                                    │                                   │ parameter can match domains outside...                       │
│                                │                     │          │                                    │                                   │ https://github.com/advisories/GHSA-r48q-9g5r-8q2h            │
├────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net               │ CVE-2022-27664      │ HIGH     │ v0.0.0-20220520000938-2e3eb7b945c2 │ 0.0.0-20220906165146-f3363e06e74c │ golang: net/http: handle server errors after sending GOAWAY  │
│                                │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27664                   │
├────────────────────────────────┼─────────────────────┤          ├────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/text              │ CVE-2022-32149      │          │ v0.3.7                             │ 0.3.8                             │ golang: golang.org/x/text/language: ParseAcceptLanguage      │
│                                │                     │          │                                    │                                   │ takes a long time to parse complex tags                      │
│                                │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-32149                   │
├────────────────────────────────┼─────────────────────┤          ├────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ gopkg.in/yaml.v3               │ CVE-2022-28948      │          │ v3.0.0                             │ 3.0.1                             │ golang-gopkg-yaml: crash when attempting to deserialize      │
│                                │                     │          │                                    │                                   │ invalid input                                                │
│                                │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-28948                   │
│                                ├─────────────────────┼──────────┤                                    │                                   ├──────────────────────────────────────────────────────────────┤
│                                │ GHSA-hp87-p4gw-j4gq │ UNKNOWN  │                                    │                                   │ An issue in the Unmarshal function can cause a program to    │
│                                │                     │          │                                    │                                   │ panic...                                                     │
│                                │                     │          │                                    │                                   │ https://github.com/advisories/GHSA-hp87-p4gw-j4gq            │
└────────────────────────────────┴─────────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴──────────────────────────────────────────────────────────────┘

Special notes for your reviewer (optional):

It would be good to have a new whereabouts patch release when this is merged, if possible.
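The trivy table above gives, for each module, the lowest version it considers fixed. The floor check below is an added example written for this page, not code from the whereabouts project or from this PR. It turns that table into something a CI job can run against go.mod before rebuilding the image: parse the require directives, compare each pinned version against its floor, and list what is still below it. The MinimumVersions map is hand-copied from the table's Fixed Version column; the two go.mod excerpts are constructed from the table's Installed and Fixed columns and are not the repository's go.mod. The comparison handles the two version shapes that actually appear in the table, a `+incompatible` tag and a `v0.0.0-<timestamp>-<hash>` pseudo-version, but is deliberately not a full semver implementation.

```go
package main

import (
	"bufio"
	"sort"
	"strconv"
	"strings"
)

// MinimumVersions: the lowest "Fixed Version" per module from the trivy table
// above. Hand-copied for this example; it is not a file in the repository.
var MinimumVersions = map[string]string{
	"github.com/emicklei/go-restful": "2.16.0",
	"golang.org/x/net":               "0.0.0-20220906165146-f3363e06e74c",
	"golang.org/x/text":              "0.3.8",
	"gopkg.in/yaml.v3":               "3.0.1",
}

// Constructed go.mod excerpts with the table's "Installed" and "Fixed" versions;
// neither is the real whereabouts go.mod.
const (
	beforeGoMod = `require (
	github.com/emicklei/go-restful v2.15.0+incompatible
	golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2 // indirect
	golang.org/x/text v0.3.7 // indirect
	gopkg.in/yaml.v3 v3.0.0
)`
	afterGoMod = `require (
	github.com/emicklei/go-restful v2.16.0+incompatible
	golang.org/x/net v0.0.0-20220906165146-f3363e06e74c // indirect
	golang.org/x/text v0.3.8 // indirect
	gopkg.in/yaml.v3 v3.0.1
)`
)

// ParseRequires maps module path -> version from go.mod text. It reads both the
// `require ( ... )` block and one-line `require m v` directives, drops trailing
// comments such as `// indirect`, and ignores replace/exclude directives.
func ParseRequires(gomod string) map[string]string {
	deps := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//")
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" {
			f = f[1:] // leaves `(` or `m v`
		} else if !inBlock {
			continue
		}
		switch {
		case len(f) == 1 && f[0] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 2:
			deps[f[0]] = f[1]
		}
	}
	return deps
}

// splitVersion drops a leading "v" and "+incompatible" build metadata, then
// separates MAJOR.MINOR.PATCH from the prerelease part after the first "-".
func splitVersion(v string) (nums [3]int, pre string) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	v, pre, _ = strings.Cut(v, "-")
	for i, p := range strings.SplitN(v, ".", 3) {
		nums[i], _ = strconv.Atoi(p)
	}
	return nums, pre
}

// CompareVersions returns -1, 0 or 1. Numeric parts win first; a release then
// sorts above any prerelease of the same number. Prereleases compare lexically,
// which orders pseudo-versions by their fixed-width timestamp but is not the
// full semver rule; a production check should use golang.org/x/mod/semver.
func CompareVersions(a, b string) int {
	an, apre := splitVersion(a)
	bn, bpre := splitVersion(b)
	for i := range an {
		if an[i] < bn[i] {
			return -1
		} else if an[i] > bn[i] {
			return 1
		}
	}
	switch {
	case apre == bpre:
		return 0
	case apre == "" || (bpre != "" && apre > bpre):
		return 1
	}
	return -1
}

// Finding is one module pinned below its floor.
type Finding struct{ Module, Have, Need string }

// CheckFloors lists modules in gomod below their minimum, sorted by path. A
// module trivy saw in the binary but absent from go.mod is not reported.
func CheckFloors(gomod string, minimums map[string]string) []Finding {
	deps := ParseRequires(gomod)
	var out []Finding
	for mod, need := range minimums {
		if have, ok := deps[mod]; ok && CompareVersions(have, need) < 0 {
			out = append(out, Finding{mod, have, need})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Module < out[j].Module })
	return out
}
```

CheckFloors(beforeGoMod, MinimumVersions) returns all four modules from the table; CheckFloors(afterGoMod, MinimumVersions) returns none. One caveat the table itself illustrates: trivy reports what is linked into the binary (its Installed Version column), and go.mod may only carry some of those modules as indirect requirements, so a clean go.mod floor is a precondition, not proof. The image still has to be rebuilt and rescanned after the bump.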

@antoninbas antoninbas requested a review from dougbtv as a code owner October 28, 2022 17:54
@antoninbas antoninbas force-pushed the upgrade-go-dependencies-to-address-cves branch from 450a9ee to 378d99d October 28, 2022 17:59
@coveralls

Pull Request Test Coverage Report for Build 3347490461

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 69.659%

Totals Coverage Status
Change from base Build 3250004817: 0.0%
Covered Lines: 900
Relevant Lines: 1292

💛 - Coveralls

Collaborator

@maiqueb maiqueb left a comment


Let's wait for @dougbtv to merge ...

Another question: would it make sense to add dependabot to this repo ? ....

@antoninbas
Contributor Author

pinging @dougbtv
Enabling dependabot sounds fine by me. You do have to be careful with some dependencies (e.g., the k8s.io repos, which I'd recommend excluding in the dependabot configuration file).
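A dependabot configuration along the lines the comment above suggests, added here as an example and not a file from the whereabouts repository: Go module updates enabled, with the k8s.io modules excluded so they can be bumped by hand together with the targeted Kubernetes release. The `ignore` entry relies on dependabot's wildcard matching for dependency-name; the schedule and directory are assumptions.

```yaml
# .github/dependabot.yml (example; not the repository's file)
version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # k8s.io/api, k8s.io/apimachinery, k8s.io/client-go, ... have to move
      # together and in step with the Kubernetes release the project targets;
      # bump them by hand rather than letting dependabot open one PR per module.
      - dependency-name: "k8s.io/*"
```

With this in place dependabot still raises PRs for the kind of modules in the trivy table (go-restful, golang.org/x/net, golang.org/x/text, gopkg.in/yaml.v3), while the Kubernetes client libraries stay on whatever version the maintainers pin.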

@antoninbas
Contributor Author

@dougbtv friendly ping

@dougbtv dougbtv merged commit 955f49c into k8snetworkplumbingwg:master Jan 13, 2023
4 participants