CVE-2020-26160 - github.com/dgrijalva/jwt-go

[asaha123]

Describe the bug

Currently ld-relay pulls in dgrijalva/jwt-go via the following path:

ldrelay -> prometheus exporter -> prometheus client -> prometheus common -> go-kit -> jwt-go

There is an existing CVE against the package version that's currently used (v3.2.0).

To reproduce

• Inspect go.sum: github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=

Fix

The above package now is under a new ownership at golang-jwt/jwt. The latest release contains the fix. The migration guide suggests the following:

$ go mod edit -replace github.com/dgrijalva/jwt-go=github.com/golang-jwt/[email protected]+incompatible
$ go mod tidy

Since this is not a direct dependency, for now perhaps we could do the above in ld-relay's go.mod file.

[eli-darkly]

We've released v6.4.1 which should fix this.

[asaha123]

Thanks. i will leave it to you to close the issue. FWIW, for folks using the ld-relay library, we will still need to add the replace directive TIL and then you can verify the replace using:

go list -m -f '{{.Path}} => {{.Replace}}' all | grep jwt
github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt v3.2.1+incompatible

[asaha123]

I will leave a pointer to the indirect dependency issues:

• Switch to github.com/golang-jwt/jwt go-kit/kit#1172
• Replace github.com/form3tech-oss/jwt-go with https://github.com/golang-jwt/jwt etcd-io/etcd#13254

Once the above are resolved, we can remove the replace directives.

[eli-darkly]

@asaha-atlassian:

FWIW, for folks using the ld-relay library, we will still need to add the replace directive

Yes, that's why we added this section to the relevant docs: https://github.com/launchdarkly/ld-relay/blob/v6/docs/in-app.md#additional-notes