Update dependencies #628
Update dependencies #628
Conversation
imjasonh
force-pushed
the
deps
branch
2 times, most recently
from
d441294
to
41fa753
Compare
|
Also switched to using module-aware I'm not sure if this means tools/go.mod can be dropped entirely, if so I can make that change in this PR as well. |
tools/go.mod
Outdated
| @@ -4,17 +4,13 @@ go 1.15 | |||
|
|
|||
| require ( | |||
| github.com/BurntSushi/toml v0.3.1 | |||
| github.com/buildpacks/imgutil v0.0.0-20210513150455-55e42b288ec8 | |||
| github.com/buildpacks/imgutil v0.0.0-20210609210403-3145c7480cde | |||
There was a problem hiding this comment.
Can we get rid of tools/* completely now that you've upgrade the Makefile?
There was a problem hiding this comment.
There are still useful tools in there (tools/image/main.go, etc.), but I don't see any reason it has to be a separate Go module anymore. I've pushed another commit that removes tools/go.* and reruns go mod download to get all of tools/'s deps in /go.mod.
|
Thanks for this! It looks great. I've approved the CI run. Looks like you need to DCO the latest commit @imjasonh. |
|
@imjasonh just re-reviewing as CI immediately failed. We need to update to go 1.16 to get this behavior (CI included) |
Thanks, I've updated to 1.16 everywhere I could find, let me know if you know of more. |
|
Linting is failing now - see here I guess the upgraded linter means new rules and some deprecation of linters entirely |
Oh my bad, I was blindly upgrading golangci-lint instead of using the same version that had been pinned in tools/go.mod. That should be fixed now 🤞 |
|
Moving tools/* into the main module means it's now subject to lint checks, I've fixed some findings. |
Hmm - I guess we need to add the same replace directive in the main go.mod now or we need @sclevine to cut a version that doesn't have a replace directive (if possible). |
|
I even tried adding the It's possible that module-aware |
Trying to unblock buildpacks/lifecycle#628. The fork's commit was merged into the mainline module [here](pelletier/go-toml#426). Signed-off-by: Jesse Brown <jabrown85@gmail.com>
|
@imjasonh Stephen pulled in my PR to remove the |
Thanks! Done. 👍 |
imjasonh
force-pushed
the
deps
branch
2 times, most recently
from
8088323
to
788f73d
Compare
|
@imjasonh 🤞 the final hurdle appears to be the acceptance testdata launcher Dockerfile(s). The go1.16 tooling expects a go.mod to be present in order to run |
Done! It's getting closer I can feel it! 😄 |
![sonatype-lift[bot]](https://avatars.githubusercontent.com/in/9843?s=60&v=4){kind=small}
| github.com/containerd/containerd v1.3.3 // indirect | ||
| github.com/docker/cli v0.0.0-20200312141509-ef2f64abbd37 // indirect | ||
| github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7 | ||
| github.com/buildpacks/imgutil v0.0.0-20210609210403-3145c7480cde |
There was a problem hiding this comment.
Critical OSS Vulnerability:
pkg:golang/github.com/coreos/etcd@3.3.13
1 Critical, 2 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/buildpacks/imgutil@0.0.0-20210609210403-3145c7480cde
CRITICAL Vulnerabilities (1)
CVE-2020-15114
[CVE-2020-15114] In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP prox...
In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requesting itself until there are no more available file descriptors to accept connections on the gateway.
CVSS Score: 7.7
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
SEVERE Vulnerabilities (2)
CVE-2020-15136
[CVE-2020-15136] In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only ap...
In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. This has been fixed in versions 3.4.10 and 3.3.23 with improved documentation and deprecation of the functionality.
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
CVE-2020-15115
[CVE-2020-15115] etcd before versions 3.3.23 and 3.4.10 does not perform any password length vali...
etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort.
CVSS Score: 5.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
(at-me in a reply with help or ignore)
| github.com/google/go-cmp v0.5.6 | ||
| github.com/google/go-containerregistry v0.5.1 | ||
| github.com/google/go-containerregistry v0.5.2-0.20210604130445-3bfab55f3bd9 |
There was a problem hiding this comment.
Critical OSS Vulnerability:
pkg:golang/github.com/coreos/etcd@3.3.13
1 Critical, 2 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/google/go-containerregistry@0.5.2-0.20210604130445-3bfab55f3bd9
CRITICAL Vulnerabilities (1)
CVE-2020-15114
[CVE-2020-15114] In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP prox...
In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requesting itself until there are no more available file descriptors to accept connections on the gateway.
CVSS Score: 7.7
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
SEVERE Vulnerabilities (2)
CVE-2020-15136
[CVE-2020-15136] In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only ap...
In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. This has been fixed in versions 3.4.10 and 3.3.23 with improved documentation and deprecation of the functionality.
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
CVE-2020-15115
[CVE-2020-15115] etcd before versions 3.3.23 and 3.4.10 does not perform any password length vali...
etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort.
CVSS Score: 5.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
(at-me in a reply with help or ignore)
| github.com/containerd/containerd v1.3.3 // indirect | ||
| github.com/docker/cli v0.0.0-20200312141509-ef2f64abbd37 // indirect | ||
| github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7 | ||
| github.com/buildpacks/imgutil v0.0.0-20210609210403-3145c7480cde |
There was a problem hiding this comment.
Critical OSS Vulnerability:
pkg:golang/github.com/dgrijalva/jwt-go@3.2.0
1 Critical, 0 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/buildpacks/imgutil@0.0.0-20210609210403-3145c7480cde
CRITICAL Vulnerabilities (1)
[CVE-2020-26160] jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrict...
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
(at-me in a reply with help or ignore)
| github.com/google/go-cmp v0.5.6 | ||
| github.com/google/go-containerregistry v0.5.1 | ||
| github.com/google/go-containerregistry v0.5.2-0.20210604130445-3bfab55f3bd9 |
There was a problem hiding this comment.
Critical OSS Vulnerability:
pkg:golang/github.com/dgrijalva/jwt-go@3.2.0
1 Critical, 0 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/google/go-containerregistry@0.5.2-0.20210604130445-3bfab55f3bd9
CRITICAL Vulnerabilities (1)
[CVE-2020-26160] jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrict...
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
(at-me in a reply with help or ignore)
| github.com/containerd/containerd v1.3.3 // indirect | ||
| github.com/docker/cli v0.0.0-20200312141509-ef2f64abbd37 // indirect | ||
| github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7 | ||
| github.com/buildpacks/imgutil v0.0.0-20210609210403-3145c7480cde |
There was a problem hiding this comment.
Critical OSS Vulnerability:
pkg:golang/github.com/dgrijalva/jwt-go@0.0.0-20170104182250-a601269ab70c
1 Critical, 0 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/buildpacks/imgutil@0.0.0-20210609210403-3145c7480cde
CRITICAL Vulnerabilities (1)
[CVE-2020-26160] jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrict...
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
(at-me in a reply with help or ignore)
| github.com/containerd/containerd v1.3.3 // indirect | ||
| github.com/docker/cli v0.0.0-20200312141509-ef2f64abbd37 // indirect | ||
| github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7 | ||
| github.com/buildpacks/imgutil v0.0.0-20210609210403-3145c7480cde |
There was a problem hiding this comment.
Severe OSS Vulnerability:
pkg:golang/golang.org/x/crypto@0.0.0-20180904163835-0709b304e793
0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/buildpacks/imgutil@0.0.0-20210609210403-3145c7480cde
SEVERE Vulnerabilities (1)
[CVE-2019-11840] Use of Insufficiently Random Values
An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
CVSS Score: 5.9
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
(at-me in a reply with help or ignore)
| github.com/google/go-cmp v0.5.6 | ||
| github.com/google/go-containerregistry v0.5.1 | ||
| github.com/google/go-containerregistry v0.5.2-0.20210604130445-3bfab55f3bd9 |
There was a problem hiding this comment.
Severe OSS Vulnerability:
pkg:golang/golang.org/x/crypto@0.0.0-20180904163835-0709b304e793
0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/google/go-containerregistry@0.5.2-0.20210604130445-3bfab55f3bd9
SEVERE Vulnerabilities (1)
[CVE-2019-11840] Use of Insufficiently Random Values
An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
CVSS Score: 5.9
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
(at-me in a reply with help or ignore)
| github.com/containerd/containerd v1.3.3 // indirect | ||
| github.com/docker/cli v0.0.0-20200312141509-ef2f64abbd37 // indirect | ||
| github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7 | ||
| github.com/buildpacks/imgutil v0.0.0-20210609210403-3145c7480cde |
There was a problem hiding this comment.
Severe OSS Vulnerability:
pkg:golang/golang.org/x/crypto@0.0.0-20181009213950-7c1a557ab941
0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/buildpacks/imgutil@0.0.0-20210609210403-3145c7480cde
SEVERE Vulnerabilities (1)
[CVE-2019-11840] Use of Insufficiently Random Values
An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
CVSS Score: 5.9
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
(at-me in a reply with help or ignore)
| github.com/google/go-cmp v0.5.6 | ||
| github.com/google/go-containerregistry v0.5.1 | ||
| github.com/google/go-containerregistry v0.5.2-0.20210604130445-3bfab55f3bd9 |
There was a problem hiding this comment.
Severe OSS Vulnerability:
pkg:golang/golang.org/x/crypto@0.0.0-20181009213950-7c1a557ab941
0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/google/go-containerregistry@0.5.2-0.20210604130445-3bfab55f3bd9
SEVERE Vulnerabilities (1)
[CVE-2019-11840] Use of Insufficiently Random Values
An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
CVSS Score: 5.9
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
(at-me in a reply with help or ignore)
| github.com/containerd/containerd v1.3.3 // indirect | ||
| github.com/docker/cli v0.0.0-20200312141509-ef2f64abbd37 // indirect | ||
| github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7 | ||
| github.com/buildpacks/imgutil v0.0.0-20210609210403-3145c7480cde |
There was a problem hiding this comment.
Severe OSS Vulnerability:
pkg:golang/golang.org/x/crypto@0.0.0-20190308221718-c2843e01d9a2
0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/buildpacks/imgutil@0.0.0-20210609210403-3145c7480cde
SEVERE Vulnerabilities (1)
[CVE-2019-11840] Use of Insufficiently Random Values
An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
CVSS Score: 5.9
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
(at-me in a reply with help or ignore)
| github.com/google/go-cmp v0.5.6 | ||
| github.com/google/go-containerregistry v0.5.1 | ||
| github.com/google/go-containerregistry v0.5.2-0.20210604130445-3bfab55f3bd9 |
There was a problem hiding this comment.
Severe OSS Vulnerability:
pkg:golang/golang.org/x/crypto@0.0.0-20190308221718-c2843e01d9a2
0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/google/go-containerregistry@0.5.2-0.20210604130445-3bfab55f3bd9
SEVERE Vulnerabilities (1)
[CVE-2019-11840] Use of Insufficiently Random Values
An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
CVSS Score: 5.9
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
(at-me in a reply with help or ignore)
| github.com/heroku/color v0.0.6 | ||
| github.com/mattn/go-colorable v0.1.8 // indirect | ||
| github.com/mattn/go-isatty v0.0.13 // indirect | ||
| github.com/moby/term v0.0.0-20210610120745-9d4ed1856297 // indirect |
There was a problem hiding this comment.
Severe OSS Vulnerability:
pkg:golang/golang.org/x/crypto@0.0.0-20190308221718-c2843e01d9a2
0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/moby/term@0.0.0-20210610120745-9d4ed1856297
SEVERE Vulnerabilities (1)
[CVE-2019-11840] Use of Insufficiently Random Values
An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
CVSS Score: 5.9
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
(at-me in a reply with help or ignore)
| golang.org/x/net v0.0.0-20210610132358-84b48f89b13b // indirect | ||
| golang.org/x/sync v0.0.0-20210220032951-036812b2e83c | ||
| golang.org/x/sys v0.0.0-20210608053332-aa57babbf139 | ||
| google.golang.org/genproto v0.0.0-20210610141715-e7a9b787a5a4 // indirect |
There was a problem hiding this comment.
Severe OSS Vulnerability:
pkg:golang/golang.org/x/crypto@0.0.0-20190308221718-c2843e01d9a2
0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/google.golang.org/genproto@0.0.0-20210610141715-e7a9b787a5a4
SEVERE Vulnerabilities (1)
[CVE-2019-11840] Use of Insufficiently Random Values
An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
CVSS Score: 5.9
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
(at-me in a reply with help or ignore)
| github.com/containerd/containerd v1.3.3 // indirect | ||
| github.com/docker/cli v0.0.0-20200312141509-ef2f64abbd37 // indirect | ||
| github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7 | ||
| github.com/buildpacks/imgutil v0.0.0-20210609210403-3145c7480cde |
There was a problem hiding this comment.
Severe OSS Vulnerability:
pkg:golang/golang.org/x/crypto@0.0.0-20171113213409-9f005a07e0d3
0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/buildpacks/imgutil@0.0.0-20210609210403-3145c7480cde
SEVERE Vulnerabilities (1)
[CVE-2019-11840] Use of Insufficiently Random Values
An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
CVSS Score: 5.9
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
(at-me in a reply with help or ignore)
| github.com/google/go-cmp v0.5.6 | ||
| github.com/google/go-containerregistry v0.5.1 | ||
| github.com/google/go-containerregistry v0.5.2-0.20210604130445-3bfab55f3bd9 |
There was a problem hiding this comment.
Severe OSS Vulnerability:
pkg:golang/golang.org/x/crypto@0.0.0-20171113213409-9f005a07e0d3
0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/google/go-containerregistry@0.5.2-0.20210604130445-3bfab55f3bd9
SEVERE Vulnerabilities (1)
[CVE-2019-11840] Use of Insufficiently Random Values
An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
CVSS Score: 5.9
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
(at-me in a reply with help or ignore)
|
@imjasonh Linux passed 🎉 Windows 😬 I think we need something like
|
Also use module-aware go install to install version-pinned Go tooling, instead of using tools/tools.go, and remove the separate Go module in tools/ This change requires Go 1.16+ to build, so also update all CI configs to use 1.16. Signed-off-by: Jason Hall <jasonhall@redhat.com>
Codecov Report
@@ Coverage Diff @@
## main #628 +/- ##
==========================================
- Coverage 65.10% 64.90% -0.20%
==========================================
Files 53 52 -1
Lines 3676 3623 -53
==========================================
- Hits 2393 2351 -42
+ Misses 1031 1023 -8
+ Partials 252 249 -3
Flags with carried forward coverage won't be shown. Click here to find out more. |
No worries! Since the conflict was just on I also took this opportunity to squash commits. |
Signed-off-by: Jason Hall <jasonhall@redhat.com>
|
@imjasonh I think we might have lost the fix for this Windows error in the squash: Do you remember what it was? If not, I can grab a Windows environment. |
Signed-off-by: Jason Hall <jasonhall@redhat.com>
I'm not sure I understand what changed. The only changes I made here were:
This seems to have caused the I've pushed another commit that might fix this, but I'm a bit grasping at straws here. If someone knows more about how Windows works that might be helpful. |
Signed-off-by: Jason Hall <jasonhall@redhat.com>
|
The latest failure is: It only failed on Windows, but looking briefly at the test I'm not sure how that would be platform-dependent, or how it could be related to my change. 🤔 Any ideas? edit: seems like a flake? |
@imjasonh I'm of that opinion as well. Let's merge this! Thank you so much for all the effort in getting this through! |
Picks up buildpacks/imgutil#124, upgrades the docker/docker dep to v20.10.7, drops pinned x/sys dep
Signed-off-by: Jason Hall jasonhall@redhat.com
cc @natalieparellano