Deviation from expected behavior:
The govulncheck CI action has been failing since yesterday. It appears the tool is scanning for new issues and reporting the following. I don't see any urgent issues to fix; we just need to get the CI passing again.
Vulnerability #1: GO-2024-2610
Errors returned from JSON marshaling may break template escaping in
html/template
More info: https://pkg.go.dev/vuln/GO-2024-2610
Standard library
Found in: html/template@go1.21.5
Fixed in: html/template@go1.21.8
Example traces found:
Error: #1: pkg/operator/ceph/file/mds/livenessprobe.go:53:21: mds.renderProbe calls template.Template.Execute
Vulnerability #2: GO-2024-2600
Incorrect forwarding of sensitive headers and cookies on HTTP redirect in
net/http
More info: https://pkg.go.dev/vuln/GO-2024-2600
Standard library
Found in: net/http@go1.21.5
Fixed in: net/http@go1.21.8
Example traces found:
Error: #1: pkg/operator/ceph/object/admin.go:79:26: object.debugHTTPClient.Do calls http.Client.Do
Error: #2: tests/framework/installer/settings.go:64:27: installer.readManifestFromURL calls http.Get
Vulnerability #3: GO-2024-2599
Memory exhaustion in multipart form parsing in net/textproto and net/http
More info: https://pkg.go.dev/vuln/GO-2024-2599
Standard library
Found in: net/textproto@go1.21.5
Fixed in: net/textproto@go1.21.8
Example traces found:
Error: #1: pkg/operator/ceph/object/admin.go:72:38: object.debugHTTPClient.Do calls httputil.DumpRequestOut, which eventually calls textproto.Reader.ReadLine
Error: #2: pkg/operator/ceph/object/admin.go:72:38: object.debugHTTPClient.Do calls httputil.DumpRequestOut, which eventually calls textproto.Reader.ReadMIMEHeader
Vulnerability #4: GO-2024-2598
Verify panics on certificates with an unknown public key algorithm in
crypto/x509
More info: https://pkg.go.dev/vuln/GO-2024-2598
Standard library
Found in: crypto/x509@go1.21.5
Fixed in: crypto/x509@go1.21.8
Example traces found:
Error: #1: pkg/operator/ceph/object/s3-handlers.go:170:23: object.S3Agent.GetObjectInBucket calls bytes.Buffer.ReadFrom, which eventually calls x509.Certificate.Verify
Your code is affected by 4 vulnerabilities from the Go standard library.
This scan also found 0 vulnerabilities in packages you import and 3
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
Error: Process completed with exit code 3.
Is this a bug report or feature request?
See this run:
Expected behavior:
Passing security scan
How to reproduce it (minimal and precise):
See the Golangci-lint action history since yesterday.
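An added example in Go (not Rook's code and not part of this issue): a parser for the govulncheck text report pasted above that keeps, per vulnerability ID, the affected package, found/fixed versions and the call-site traces, plus a helper that tells you which Go release the CI toolchain has to move to for all findings to clear. The report layout and the "Error: " prefix GitHub Actions puts on trace lines are taken from the log above; the numeric version key is my own assumption, and the sample input used to exercise it is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one block of govulncheck's text report, as in the CI log above.
type Finding struct {
	ID, Package, FoundIn, FixedIn string
	Traces                        []string // "file:line:col: caller calls callee"
}

// ParseGovulncheck parses the text report; "Error: " is what GitHub Actions prefixes to trace lines.
func ParseGovulncheck(report string) []Finding {
	fs := []Finding{{}} // fs[0] absorbs any text before the first finding; dropped on return
	for sc := bufio.NewScanner(strings.NewReader(report)); sc.Scan(); {
		line := strings.TrimPrefix(strings.TrimSpace(sc.Text()), "Error: ")
		cur := &fs[len(fs)-1]
		switch {
		case strings.HasPrefix(line, "Vulnerability #"): // "Vulnerability #1: GO-2024-2610"
			_, id, _ := strings.Cut(line, ": ")
			fs = append(fs, Finding{ID: id})
		case strings.HasPrefix(line, "Found in: "): // "Found in: html/template@go1.21.5"
			cur.Package, cur.FoundIn, _ = strings.Cut(line[len("Found in: "):], "@")
		case strings.HasPrefix(line, "Fixed in: "):
			_, cur.FixedIn, _ = strings.Cut(line[len("Fixed in: "):], "@")
		case strings.HasPrefix(line, "#"): // "#1: file:line:col: caller calls callee"
			_, trace, _ := strings.Cut(line, ": ")
			cur.Traces = append(cur.Traces, trace)
		}
	}
	return fs[1:]
}
// versionNum maps "go1.21.8" to 1021008 so releases compare numerically, not as strings.
func versionNum(v string) int {
	var major, minor, patch int
	fmt.Sscanf(strings.TrimPrefix(v, "go"), "%d.%d.%d", &major, &minor, &patch)
	return major*1_000_000 + minor*1_000 + patch
}
// RequiredToolchain returns the newest "Fixed in" release: the Go version CI must bump to.
func RequiredToolchain(fs []Finding) string {
	need := "" // versionNum("") is 0, so any real release replaces it
	for _, f := range fs {
		if versionNum(f.FixedIn) > versionNum(need) {
			need = f.FixedIn
		}
	}
	return need
}
```

Findings whose traces are empty are the "modules you require but don't call" class from the summary line; only entries with traces are reachable from your code.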