
Update go.mod/go.sum using go mod tidy to avoid false positive in vulnerability scan #1071

Merged: 1 commit merged into go-playground:master from tremblaysimon:updateGoModules on Mar 19, 2023

Conversation

tremblaysimon
Contributor

Fixes Or Enhances

Using the trivy scanner reported a vulnerability from the old golang.org/x/net v0.0.0. I think it's because the go.sum wasn't properly updated, and the vulnerable version isn't used anymore, even in transitive dependencies.

┌──────────────────┬────────────────┬──────────┬────────────────────────────────────┬─────────────────────────────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │         Installed Version          │            Fixed Version            │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────────────────────────────────┼─────────────────────────────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2022-41721 │ HIGH     │ v0.0.0-20220722155237-a158d28d115b │ 0.1.1-0.20221104162952-702349b0e862 │ A request smuggling attack is possible when using │
│                  │                │          │                                    │                                     │ MaxBytesHandler. Whe ...                          │
│                  │                │          │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2022-41721        │
└──────────────────┴────────────────┴──────────┴────────────────────────────────────┴─────────────────────────────────────┴───────────────────────────────────────────────────┘

Reference: https://pkg.go.dev/vuln/GO-2023-1495

Make sure that you've checked the boxes below before you submit PR:

  • Tests exist or have been written that cover this particular change.

@go-playground/validator-maintainers

@tremblaysimon tremblaysimon requested a review from a team as a code owner February 18, 2023 03:02
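The description above hinges on one distinction: a module version that survives in go.sum is not the same as a module version the build actually resolves, and a scanner that reads the former will flag versions no build uses. As an added example (not code from this PR or from the go-playground/validator project), the following Go program makes that check explicit. It parses a go.sum and the output of `go list -m all` and reports every go.sum entry that is absent from the resolved build list. Both inputs are constructed samples: the checksums are placeholders, the main module `github.com/example/app` and the `v0.7.0` versions are assumptions, and only the `golang.org/x/net` pseudo-version is taken from the trivy report.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// SampleGoSum is a constructed go.sum (the h1: values are placeholders, not
// real checksums). It still carries the pre-fix golang.org/x/net
// pseudo-version from the trivy report next to the newer version that the
// build actually uses, which is the state `go mod tidy` cleans up.
const SampleGoSum = `golang.org/x/net v0.0.0-20220722155237-a158d28d115b h1:placeholder0=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:placeholder1=
golang.org/x/net v0.7.0 h1:placeholder2=
golang.org/x/net v0.7.0/go.mod h1:placeholder3=
golang.org/x/text v0.7.0 h1:placeholder4=
golang.org/x/text v0.7.0/go.mod h1:placeholder5=
`

// SampleBuildList is a constructed `go list -m all` output for a hypothetical
// main module. The first line is the main module itself and has no version.
const SampleBuildList = `github.com/example/app
golang.org/x/net v0.7.0
golang.org/x/text v0.7.0
`

// StaleSumEntries returns the module@version pairs that appear in go.sum but
// not in the resolved build list. A scanner that reads go.sum would still
// report vulnerabilities for these versions even though no build uses them.
func StaleSumEntries(goSum, buildList string) []string {
	// Build-list lines are "module version" or, for a replace directive,
	// "module version => replacement version". Both sides of a replacement
	// count as resolved, since go.sum keeps entries for both.
	inBuild := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(buildList))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue // main module or blank line
		}
		inBuild[f[0]+"@"+f[1]] = true
		if len(f) >= 5 && f[2] == "=>" {
			inBuild[f[3]+"@"+f[4]] = true
		}
	}

	// go.sum lines are "module version hash" and "module version/go.mod hash";
	// both forms describe the same module version.
	seen := map[string]bool{}
	var stale []string
	sc = bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 {
			continue
		}
		key := f[0] + "@" + strings.TrimSuffix(f[1], "/go.mod")
		if inBuild[key] || seen[key] {
			continue
		}
		seen[key] = true
		stale = append(stale, key)
	}
	sort.Strings(stale)
	return stale
}

func main() {
	stale := StaleSumEntries(SampleGoSum, SampleBuildList)
	if len(stale) == 0 {
		fmt.Println("go.sum is tidy: every entry is in the build list")
		return
	}
	fmt.Println("go.sum entries not in the build list (scanner false-positive candidates; run `go mod tidy`):")
	for _, s := range stale {
		fmt.Println("  " + s)
	}
}
```

Against a real repository, feed the program the actual `go.sum` and the captured output of `go list -m all`. To confirm a flagged version is really unused, `go mod why -m golang.org/x/net` shows which package, if any, pulls it in, and `govulncheck ./...` reports from the resolved build rather than from go.sum. Running `go mod tidy` drops the go.sum lines that no build needs, which is the fix this PR applies.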
@coveralls

Coverage Status

Coverage: 74.191%. Remained the same when pulling 85e5a0f on tremblaysimon:updateGoModules into 8f07b03 on go-playground:master.

@tremblaysimon tremblaysimon mentioned this pull request Feb 20, 2023
@tremblaysimon
Contributor Author

@deankarn, I don't know if it's possible to get this merged, if it's OK with you. Thank you very much.

Simon

@deankarn deankarn merged commit c242c49 into go-playground:master Mar 19, 2023
@tremblaysimon tremblaysimon deleted the updateGoModules branch March 19, 2023 23:59