
go.mod: fix for vulnerable yaml.v3 and promhttp packages #9

Merged
merged 4 commits into from
Apr 23, 2024

Conversation

N0peR
Contributor

@N0peR N0peR commented Apr 23, 2024

Update the following packages to later releases to remediate vulnerabilities.

github.com/prometheus/client_golang --> 1.11.1
gopkg.in/yaml.v3 --> 3.0.0-20220521103104-8f96da9f5d5e

@N0peR N0peR changed the title from "fix for vulnerable yaml.v3 and promhttp packages" to "go.mod: fix for vulnerable yaml.v3 and promhttp packages" on Apr 23, 2024
@maelvls
Owner

maelvls commented Apr 23, 2024

Thanks! I'll go mod tidy and approve the PR.

@maelvls
Owner

maelvls commented Apr 23, 2024

I'll update the Go version used by the GitHub Action too, as it uses Go 1.21.X.

I've run govulncheck with the latest Go version (Go 1.22.2) and there are still two vulns: GO-2024-2687 and GO-2023-1571.

$ go install golang.org/x/vuln/cmd/govulncheck@latest
$ govulncheck ./...
Scanning your code and 522 packages across 50 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20210520170846-37e1c6afe023
    Fixed in: golang.org/x/net@v0.23.0

Vulnerability #2: GO-2023-1571
    Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2023-1571
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20210520170846-37e1c6afe023
    Fixed in: golang.org/x/net@v0.7.0

=== Informational ===

Found 5 vulnerabilities in packages that you import, but there are no call
stacks leading to the use of these vulnerabilities. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2023-2102
    HTTP/2 rapid reset can cause excessive work in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-2102
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20210520170846-37e1c6afe023
    Fixed in: golang.org/x/net@v0.17.0

Vulnerability #2: GO-2022-1144
    Excessive memory growth in net/http and golang.org/x/net/http2
  More info: https://pkg.go.dev/vuln/GO-2022-1144
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20210520170846-37e1c6afe023
    Fixed in: golang.org/x/net@v0.4.0

Vulnerability #3: GO-2022-0969
    Denial of service in net/http and golang.org/x/net/http2
  More info: https://pkg.go.dev/vuln/GO-2022-0969
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20210520170846-37e1c6afe023
    Fixed in: golang.org/x/net@v0.0.0-20220906165146-f3363e06e74c

Vulnerability #4: GO-2022-0493
    Incorrect privilege reporting in syscall and golang.org/x/sys/unix
  More info: https://pkg.go.dev/vuln/GO-2022-0493
  Module: golang.org/x/sys
    Found in: golang.org/x/sys@v0.0.0-20210817190340-bfb29a6856f2
    Fixed in: golang.org/x/sys@v0.0.0-20220412211240-33da011f77ad

Vulnerability #5: GO-2022-0288
    Unbounded memory growth in net/http and golang.org/x/net/http2
  More info: https://pkg.go.dev/vuln/GO-2022-0288
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20210520170846-37e1c6afe023
    Fixed in: golang.org/x/net@v0.0.0-20211209124913-491a49abca63

Your code is affected by 2 vulnerabilities from 1 module.

Then, I ran:

go get golang.org/x/net@latest
go mod tidy

No more vulns:

$ govulncheck ./...
Scanning your code and 521 packages across 51 dependent modules for known vulnerabilities...

=== Symbol Results ===

No vulnerabilities found.

Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.

I'll push a commit with the updated go.mod to your branch if that's OK.
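The scan above separates vulnerabilities that are reachable from the code ("Your code is affected by 2 vulnerabilities") from ones that are merely present in the module graph (the "Informational" section). As an added example, not code from this project or from maelvls, here is a small CI gate that keeps that distinction when consuming govulncheck's `-json` stream; the field names (`finding`, `osv`, `fixed_version`, `trace`, `function`) are my reading of the tool's output and should be checked against the govulncheck version in use, and the sample stream and its function name are constructed.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Minimal view of a govulncheck -json "finding" message. Field names are my
// reading of the tool's output; verify them against your govulncheck version.
type finding struct {
	OSV          string                      `json:"osv"`
	FixedVersion string                      `json:"fixed_version"`
	Trace        []struct{ Function string } `json:"trace"`
}

// Classify maps OSV ID -> fixing version, split into vulns reached through a call
// stack from our code (first frame names a function) and vulns merely present in
// the module graph. The same ID can be reported at both levels.
func Classify(scan string) (called, informational map[string]string, err error) {
	called, informational = map[string]string{}, map[string]string{}
	dec := json.NewDecoder(strings.NewReader(scan))
	for dec.More() {
		var m struct{ Finding *finding }
		if err = dec.Decode(&m); err != nil {
			return nil, nil, err
		}
		if f := m.Finding; f == nil || len(f.Trace) == 0 {
			continue // config/progress/osv messages carry no finding
		} else if f.Trace[0].Function != "" {
			called[f.OSV] = f.FixedVersion
			delete(informational, f.OSV) // a call stack outranks module-level presence
		} else if _, seen := called[f.OSV]; !seen {
			informational[f.OSV] = f.FixedVersion
		}
	}
	return called, informational, nil
}

// ExitCode fails the CI step only when a vulnerable symbol is actually reachable,
// which is how govulncheck's own text summary counts; unreadable output also fails.
func ExitCode(scan string) int {
	if called, _, err := Classify(scan); err != nil || len(called) > 0 {
		return 1
	}
	return 0
}

// Constructed sample mirroring this thread's scan: GO-2024-2687 is reached via a
// call stack (function name made up), GO-2023-2102 is only present in the graph.
const sample = `{"progress":{"message":"Scanning your code..."}}
{"finding":{"osv":"GO-2024-2687","fixed_version":"v0.23.0","trace":[{"module":"golang.org/x/net"}]}}
{"finding":{"osv":"GO-2024-2687","fixed_version":"v0.23.0","trace":[{"module":"golang.org/x/net","package":"golang.org/x/net/http2","function":"exampleVulnerableFunc"}]}}
{"finding":{"osv":"GO-2023-2102","fixed_version":"v0.17.0","trace":[{"module":"golang.org/x/net"}]}}`
```

In a pipeline this would read `govulncheck -json ./...` from stdin instead of the embedded sample; the informational set is what to track for the next dependency bump without blocking the build.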

@maelvls
Owner

maelvls commented Apr 23, 2024

I've checked that GitHub Actions uses Go 1.22.2 by looking at the logs. It seems all good to go! I'll merge now.

@maelvls maelvls merged commit b9e521b into maelvls:main Apr 23, 2024
1 check passed
@maelvls
Owner

maelvls commented Apr 23, 2024

I have created the tag v0.3.2. The image and Helm chart should be available soon!

@maelvls
Owner

maelvls commented Apr 23, 2024

v0.3.2 is ready!

helm upgrade --install secret-transform -n secret-transform --create-namespace \
  oci://ghcr.io/maelvls/charts/secret-transform --version 0.3.2

Note: don't forget to remove the leading v from the git tag. Sorry about the inconsistency between the git tag and the image container tag and Helm chart version... This is because Helm doesn't work well with a leading v (e.g., impossible to install the latest version if v is in the version).

  • Helm Chart version: 0.3.2
  • Image container tag: 0.3.2
  • Git tag: v0.3.2
