Fix cve-2020-29652 #204

Merged
merged 2 commits into from Jul 8, 2021

MichaelScheetz-HPE
Contributor

golang.org/x/crypto | CVE-2020-29652 | HIGH | v0.0.0-20200622213623-75b288015ac9

MichaelScheetz-HPE and others added 2 commits July 7, 2021 09:16
golang.org/x/crypto | CVE-2020-29652   | HIGH     | v0.0.0-20200622213623-75b288015ac9
After fixing the lint error I ran 'go mod tidy', and it removed the dependency.

Very nice.
Member

@dnephin dnephin left a comment

Thank you for the PR!

I believe gotestsum never used the code identified in that CVE, but I understand the desire to remove the alert from any scans.

Thankfully it looks like someone did some work to move the one function that required x/crypto into x/term, and the linter told us where to find it. After running go mod tidy the x/crypto dependency is gone.

I pushed an additional commit with that change.

@dnephin dnephin merged commit 1a94380 into gotestyourself:main Jul 8, 2021
@MichaelScheetz-HPE
Contributor Author

Thanks for patching that up and merging!

@MichaelScheetz-HPE MichaelScheetz-HPE deleted the patch-1 branch July 16, 2021 14:40