
Referenced library at go.sum: CVE-2020-26160 #2307

Closed
odacremolbap opened this issue Oct 6, 2021 · 5 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt.

Comments

@odacremolbap
Contributor

There is an indirect library referenced at go.sum that has been flagged at CVE-2020-26160

pkg/go.sum

Line 136 in a00ba48

github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=

It should be tracked to find the direct dependencies that use it and upgrade them.

/kind bug
/kind cleanup

@knative-prow-robot knative-prow-robot added kind/bug Categorizes issue or PR as related to a bug. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. labels Oct 6, 2021
@markusthoemmes
Contributor

This was fixed quite a while ago. go.sum is not indicative of the dependencies actually used, go.mod is (I believe).

@odacremolbap
Contributor Author

I think this is a transient dependency; by issuing a go mod graph there seem to be a couple of paths to pkg importing the library.
I'll check if this has been a concern at kubernetes.

github.com/spf13/viper@v1.7.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/spf13/cobra@v1.1.1 github.com/spf13/viper@v1.7.0
go.etcd.io/etcd@v0.5.0-alpha.5.0.20200910180754-dd1b699fc489 github.com/spf13/cobra@v0.0.3
k8s.io/apiserver@v0.21.4 go.etcd.io/etcd@v0.5.0-alpha.5.0.20200910180754-dd1b699fc489
k8s.io/apiextensions-apiserver@v0.21.4 github.com/spf13/cobra@v1.1.1
k8s.io/apiextensions-apiserver@v0.21.4 go.etcd.io/etcd@v0.5.0-alpha.5.0.20200910180754-dd1b699fc489
go.etcd.io/etcd@v0.5.0-alpha.5.0.20200910180754-dd1b699fc489 github.com/dgrijalva/jwt-go@v3.2.0+incompatible

@markusthoemmes
Contributor

It has, yes. I myself have contributed one of the necessary fixes in kubernetes/kubernetes#95692 and another was kubernetes/kubernetes#102755. Note that neither removes the respective dependency from go.sum but only from go.mod and modules.txt. No active code in Knative is importing github.com/dgrijalva/jwt-go either directly or transitively.

@odacremolbap
Contributor Author

Yes, the code should not be used here, but a vulnerability analysis might flag all sources importing it.
I think that comes from the cobra dependency at apiextensions; I'll close this issue since the action seems to be somewhere else.

Thanks for clarifying.

@markusthoemmes
Contributor

FWIW, neither snyk nor Github Security is flagging our repos, so I think we're golden.
