
x/tools: update golang.org/x/net dependency to v0.17.0 to patch CVE-2023-44487 and CVE-2023-39325 #63577

Closed
lucasrod16 opened this issue Oct 16, 2023 · 1 comment
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. Tools This label describes issues relating to any tools in the x/tools repository.
Comments

lucasrod16 commented Oct 16, 2023

GHSA-qppj-fm5r-hxr3
GHSA-4374-p667-p6c8

What version of Go are you using (go version)?

$ go version
go version go1.21.3 darwin/arm64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=''
GOARCH='arm64'
GOBIN='/Users/lucas/go/bin'
GOCACHE='/Users/lucas/Library/Caches/go-build'
GOENV='/Users/lucas/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/lucas/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/lucas/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/opt/homebrew/Cellar/go/1.21.3/libexec'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/opt/homebrew/Cellar/go/1.21.3/libexec/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.21.3'
GCCGO='gccgo'
AR='ar'
CC='cc'
CXX='c++'
CGO_ENABLED='1'
GOMOD='/Users/lucas/Code/defenseunicorns/zarf-init-aws/credential-helper/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/yy/c1vw1yp55n1bkj48n5vds7740000gn/T/go-build1393718305=/tmp/go-build -gno-record-gcc-switches -fno-common'

What did you do?

  1. Generate a package-based Software Bill Of Materials (SBOM) and scan it for CVEs
$ zarf tools sbom packages --exclude './iam' . -o json | grype --fail-on low
 ✔ Indexed .               
 ✔ Cataloged packages      [1461 packages]
NAME              INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY 
golang.org/x/net  v0.15.0    0.17.0    go-module  GHSA-qppj-fm5r-hxr3  Medium    
golang.org/x/net  v0.15.0    0.17.0    go-module  GHSA-4374-p667-p6c8  Medium
1 error occurred:
        * discovered vulnerabilities at or above the severity threshold
  2. Determine what dependency is using golang.org/x/net@v0.15.0
$ go mod graph | grep golang.org/x/net@v0.15.0
golang.org/x/tools@v0.13.0 golang.org/x/net@v0.15.0

What did you expect to see?

There is a released version of x/tools that uses x/net version v0.17.0

What did you see instead?

The current latest version of x/tools (v0.14.0) is on x/net version v0.16.0
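The two steps in the report (scan, then find out who requires the flagged version) carried through as an added example in Go; this is not code from the issue author, from x/tools or from the Go project. It generalizes the `go mod graph | grep` step in two ways: it walks the full requirement chain from the main module rather than listing only the direct requirer, and it judges the version that minimal version selection actually builds with (the highest version of the module required anywhere in the graph, which is what `go list -m golang.org/x/net` prints) rather than the version one requirer asks for. That distinction is the remediation the issue is waiting on upstream for, applied locally: a direct `go get golang.org/x/net@v0.17.0` in the consuming module lifts the selected version above what x/tools v0.13.0 requires, even before an x/tools release picks up v0.17.0. The module name example.com/credential-helper, the graph lines and the fixed-in version are constructed inputs modelled on the report; the version comparison is a minimal major.minor.patch comparison written for the example, not golang.org/x/mod/semver.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGraph is constructed input in the format printed by `go mod graph`
// ("requirer required"), modelled on the issue: the main module (hypothetical
// name example.com/credential-helper) requires x/tools v0.13.0, which in turn
// requires x/net v0.15.0. The main module is listed without a version.
const sampleGraph = `example.com/credential-helper golang.org/x/tools@v0.13.0
example.com/credential-helper golang.org/x/sys@v0.12.0
golang.org/x/tools@v0.13.0 golang.org/x/net@v0.15.0
golang.org/x/tools@v0.13.0 golang.org/x/mod@v0.12.0
golang.org/x/net@v0.15.0 golang.org/x/sys@v0.12.0
golang.org/x/net@v0.15.0 golang.org/x/text@v0.13.0
`

// Graph maps a requirer node ("path@version", or the bare path for the main
// module) to the nodes it requires, in input order.
type Graph map[string][]string

// ParseModGraph parses `go mod graph` output; lines without exactly two
// fields are skipped.
func ParseModGraph(out string) Graph {
	g := Graph{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue
		}
		g[fields[0]] = append(g[fields[0]], fields[1])
	}
	return g
}

// splitNode splits "path@version" into its parts; the main module has no version.
func splitNode(node string) (path, version string) {
	if i := strings.LastIndex(node, "@"); i >= 0 {
		return node[:i], node[i+1:]
	}
	return node, ""
}

// PathsTo returns every requirement chain from root to a node whose module
// path is modPath (the transitive form of the grep step in the issue). The
// walk stops at the first node of that path on each chain.
func PathsTo(g Graph, root, modPath string) [][]string {
	var paths [][]string
	var walk func(node string, chain []string)
	walk = func(node string, chain []string) {
		chain = append(append([]string(nil), chain...), node) // copy: no aliasing between branches
		if p, _ := splitNode(node); p == modPath {
			paths = append(paths, chain)
			return
		}
		for _, next := range g[node] {
			if !contains(chain, next) { // guard against cycles in the requirement graph
				walk(next, chain)
			}
		}
	}
	walk(root, nil)
	return paths
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// SelectedVersion applies the minimal version selection rule over the graph
// reachable from root: the build uses the highest version of modPath that any
// reachable module requires. This is what `go list -m modPath` reports and is
// the version a scanner should judge, not what one particular requirer asks for.
func SelectedVersion(g Graph, root, modPath string) string {
	best := ""
	seen := map[string]bool{root: true}
	queue := []string{root}
	for len(queue) > 0 {
		node := queue[0]
		queue = queue[1:]
		if p, v := splitNode(node); p == modPath && v != "" && (best == "" || CompareVersion(v, best) > 0) {
			best = v
		}
		for _, next := range g[node] {
			if !seen[next] {
				seen[next] = true
				queue = append(queue, next)
			}
		}
	}
	return best
}

// CompareVersion compares two "vMAJOR.MINOR.PATCH" strings numerically and
// returns -1, 0 or 1. Pre-release and build suffixes ("-rc1", "+incompatible",
// the timestamp of a pseudo-version) are stripped, which is enough for the
// tagged releases in the issue but is not a full semver implementation.
func CompareVersion(a, b string) int {
	pa, pb := versionParts(a), versionParts(b)
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	return 0
}

func versionParts(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var parts [3]int
	for i, s := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(s) // non-numeric components count as 0
		parts[i] = n
	}
	return parts
}

// Finding records whether the version of Module that the build selects is
// below FixedIn, and which requirement chains pull the module in.
type Finding struct {
	Module, Selected, FixedIn string
	Affected                  bool
	Chains                    [][]string
}

func Assess(g Graph, root, modPath, fixedIn string) Finding {
	sel := SelectedVersion(g, root, modPath)
	return Finding{
		Module:   modPath,
		Selected: sel,
		FixedIn:  fixedIn,
		Affected: sel != "" && CompareVersion(sel, fixedIn) < 0,
		Chains:   PathsTo(g, root, modPath),
	}
}

func main() {
	const root = "example.com/credential-helper" // hypothetical main module
	g := ParseModGraph(sampleGraph)
	f := Assess(g, root, "golang.org/x/net", "v0.17.0")
	fmt.Printf("%s selected %s (fixed in %s) affected=%v\n", f.Module, f.Selected, f.FixedIn, f.Affected)
	for _, c := range f.Chains {
		fmt.Println("  via", strings.Join(c, " -> "))
	}

	// Local remediation: a direct requirement on the fixed version, which is
	// what `go get golang.org/x/net@v0.17.0` writes into go.mod. MVS now
	// selects v0.17.0 even though x/tools v0.13.0 still asks for v0.15.0.
	g[root] = append(g[root], "golang.org/x/net@v0.17.0")
	f = Assess(g, root, "golang.org/x/net", "v0.17.0")
	fmt.Printf("after go get: selected %s affected=%v\n", f.Selected, f.Affected)
}
```

Two caveats when using this against a real module: feed it the output of `go mod graph` run inside the module (the root is the line-one requirer without an `@`), and remember that a package-level SBOM scanner such as grype flags the selected module version regardless of whether the vulnerable code is linked into the binary, whereas `govulncheck ./...` reports only vulnerable functions reachable from your code; the latter is the better triage signal, but a `--fail-on low` policy gate is satisfied only by raising the selected version.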

@gopherbot gopherbot added the Tools This label describes issues relating to any tools in the x/tools repository. label Oct 16, 2023
@gopherbot gopherbot added this to the Unreleased milestone Oct 16, 2023
@cagedmantis cagedmantis changed the title x/tools: Update golang.org/x/net dependency to v0.17.0 to patch CVE-2023-44487 and CVE-2023-39325 x/tools: update golang.org/x/net dependency to v0.17.0 to patch CVE-2023-44487 and CVE-2023-39325 Oct 19, 2023
@cagedmantis cagedmantis added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Oct 19, 2023
@cagedmantis
Contributor

cc @golang/tools-team @golang/release
