go.mod: fix for vulnerable yaml.v3 and promhttp packages #9
Conversation
Thanks! I'll
I'll update the Go version used by the GitHub Action too, as it uses Go 1.21.X. I've run:
$ go install golang.org/x/vuln/cmd/govulncheck@latest
$ govulncheck ./...
Scanning your code and 522 packages across 50 dependent modules for known vulnerabilities...
Vulnerability #1: GO-2024-2687
HTTP/2 CONTINUATION flood in net/http
More info: https://pkg.go.dev/vuln/GO-2024-2687
Module: golang.org/x/net
Found in: golang.org/x/net@v0.0.0-20210520170846-37e1c6afe023
Fixed in: golang.org/x/net@v0.23.0
Vulnerability #2: GO-2023-1571
Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
More info: https://pkg.go.dev/vuln/GO-2023-1571
Module: golang.org/x/net
Found in: golang.org/x/net@v0.0.0-20210520170846-37e1c6afe023
Fixed in: golang.org/x/net@v0.7.0
=== Informational ===
Found 5 vulnerabilities in packages that you import, but there are no call
stacks leading to the use of these vulnerabilities. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.
Vulnerability #1: GO-2023-2102
HTTP/2 rapid reset can cause excessive work in net/http
More info: https://pkg.go.dev/vuln/GO-2023-2102
Module: golang.org/x/net
Found in: golang.org/x/net@v0.0.0-20210520170846-37e1c6afe023
Fixed in: golang.org/x/net@v0.17.0
Vulnerability #2: GO-2022-1144
Excessive memory growth in net/http and golang.org/x/net/http2
More info: https://pkg.go.dev/vuln/GO-2022-1144
Module: golang.org/x/net
Found in: golang.org/x/net@v0.0.0-20210520170846-37e1c6afe023
Fixed in: golang.org/x/net@v0.4.0
Vulnerability #3: GO-2022-0969
Denial of service in net/http and golang.org/x/net/http2
More info: https://pkg.go.dev/vuln/GO-2022-0969
Module: golang.org/x/net
Found in: golang.org/x/net@v0.0.0-20210520170846-37e1c6afe023
Fixed in: golang.org/x/net@v0.0.0-20220906165146-f3363e06e74c
Vulnerability #4: GO-2022-0493
Incorrect privilege reporting in syscall and golang.org/x/sys/unix
More info: https://pkg.go.dev/vuln/GO-2022-0493
Module: golang.org/x/sys
Found in: golang.org/x/sys@v0.0.0-20210817190340-bfb29a6856f2
Fixed in: golang.org/x/sys@v0.0.0-20220412211240-33da011f77ad
Vulnerability #5: GO-2022-0288
Unbounded memory growth in net/http and golang.org/x/net/http2
More info: https://pkg.go.dev/vuln/GO-2022-0288
Module: golang.org/x/net
Found in: golang.org/x/net@v0.0.0-20210520170846-37e1c6afe023
Fixed in: golang.org/x/net@v0.0.0-20211209124913-491a49abca63
Your code is affected by 2 vulnerabilities from 1 module.
Then, I ran:
$ go get golang.org/x/net@latest
$ go mod tidy
No more vulns:
I'll push a commit with the updated go.mod to your branch if that's OK.
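The remediation step in the comment above (read the govulncheck report, ignore the informational findings, bump the affected module to the highest "Fixed in" version, then `go mod tidy`) can be mechanised. The following Go program is an added example, not code from this PR or from the project: it parses the plain-text report format shown above (a trimmed copy of that report is embedded as `SampleReport`), separates reachable findings from the informational section, and derives the minimum `go get` target per module. `ParseReport`, `PlanUpgrades`, `splitVersion` and `versionLess` are names chosen here, and the version ordering is a deliberate simplification that only handles tagged releases and the `v0.0.0-<timestamp>-<hash>` pseudo-versions seen in the report.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// SampleReport is a trimmed copy of the govulncheck output pasted in the comment above.
const SampleReport = `Vulnerability #1: GO-2024-2687
Module: golang.org/x/net
Fixed in: golang.org/x/net@v0.23.0
Vulnerability #2: GO-2023-1571
Module: golang.org/x/net
Fixed in: golang.org/x/net@v0.7.0
=== Informational ===
Vulnerability #4: GO-2022-0493
Module: golang.org/x/sys
Fixed in: golang.org/x/sys@v0.0.0-20220412211240-33da011f77ad
`

// Finding is one report entry; Informational marks entries with no call stack reaching them.
type Finding struct {
	ID, Module, FixedIn string
	Informational       bool
}

// ParseReport reads the plain-text report line by line (hypothetical parser, not govulncheck's API).
func ParseReport(report string) []Finding {
	var fs []Finding
	informational := false
	sc := bufio.NewScanner(strings.NewReader(report))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		key, val, _ := strings.Cut(line, ":")
		val = strings.TrimSpace(val)
		switch {
		case strings.HasPrefix(line, "=== Informational ==="):
			informational = true // everything after this marker is imported but not reached
		case strings.HasPrefix(key, "Vulnerability #"):
			fs = append(fs, Finding{ID: val, Informational: informational})
		case len(fs) > 0 && key == "Module":
			fs[len(fs)-1].Module = val
		case len(fs) > 0 && key == "Fixed in":
			fs[len(fs)-1].FixedIn = val
		}
	}
	return fs
}

// splitVersion separates "v0.0.0-20220412211240-33da011f77ad" into its numeric
// base and pseudo-version suffix (empty for a tagged release such as v0.23.0).
func splitVersion(v string) ([3]int, string) {
	base, suffix, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var n [3]int
	for i, p := range strings.SplitN(base, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return n, suffix
}

// versionLess is a deliberately simplified module-version order (not full semver):
// numeric MAJOR.MINOR.PATCH, then the pseudo-version timestamp; a tagged release
// sorts after any pseudo-version that shares its base.
func versionLess(a, b string) bool {
	na, sa := splitVersion(a)
	nb, sb := splitVersion(b)
	for i := range na {
		if na[i] != nb[i] {
			return na[i] < nb[i]
		}
	}
	if sa == "" || sb == "" {
		return sa != "" && sb == ""
	}
	return sa < sb
}

// PlanUpgrades skips informational findings and keeps, per module, the highest
// "Fixed in" version: any lower target would leave at least one finding open.
func PlanUpgrades(fs []Finding) map[string]string {
	targets := map[string]string{}
	for _, f := range fs {
		_, fixed, _ := strings.Cut(f.FixedIn, "@")
		if f.Informational || fixed == "" {
			continue
		}
		if cur, ok := targets[f.Module]; !ok || versionLess(cur, fixed) {
			targets[f.Module] = fixed
		}
	}
	return targets
}

func main() {
	for mod, target := range PlanUpgrades(ParseReport(SampleReport)) {
		fmt.Printf("go get %s@%s\n", mod, target)
	}
	fmt.Println("go mod tidy")
}
```

Run on the sample, the plan contains only `golang.org/x/net` at `v0.23.0`: the `v0.7.0` fix is subsumed by the higher target, and `golang.org/x/sys` is left alone because its only finding is informational. Pinning to the reported "Fixed in" version rather than `@latest` keeps the bump minimal and reproducible; in CI, prefer govulncheck's `-json` output over scraping the text report, since the text layout is not a stable interface.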
I've checked that GitHub Actions uses Go 1.22.2 by looking at the logs. It seems all good to go! I'll merge now.
I have created the tag v0.3.2. The image and Helm chart should be available soon!
v0.3.2 is ready!
Note: don't forget to remove the leading
Update the following packages to a later release to remediate vulnerabilities.
github.com/prometheus/client_golang --> 1.11.1
gopkg.in/yaml.v3 --> 3.0.0-20220521103104-8f96da9f5d5e