Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Run 'lint-install', Address golangci-lint errors #100

Merged
merged 4 commits into from
Aug 31, 2021
Merged

Run 'lint-install', Address golangci-lint errors #100

merged 4 commits into from
Aug 31, 2021

Conversation

tstromberg
Copy link
Contributor 

vagrant_test.go:64:24: response body must be closed (bodyclose)
		resp, err := http.Get("http://localhost:42114/healthz")
		                     ^
vagrant_test.go:176:23: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func registerHardware(ctx context.Context, cl *client.FullClient) error {
                      ^
make: *** [lint] Error 1

@tstromberg
Run 'lint-install', Address golangci-lint errors
6402b21 
Signed-off-by: Thomas Stromberg <t+github@stromberg.org>
@tstromberg
Run go mod tidy
1b99da6 
Signed-off-by: Thomas Stromberg <t+github@stromberg.org>
@tstromberg
Run gofumpt -s -w
0fcf45e 
Signed-off-by: Thomas Stromberg <t+github@stromberg.org>
@tstromberg tstromberg mentioned this pull request Aug 31, 2021
Open
14 tasks
sonatype-lift[bot]
sonatype-lift bot reviewed Aug 31, 2021
View reviewed changes
releases/go.mod
github.com/joho/godotenv v1.3.0
github.com/pkg/errors v0.9.1
github.com/tinkerbell/tink v0.0.0-20210315140655-1b178daeaeda
github.com/prometheus/client_golang v1.3.0 // indirect
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical OSS Vulnerability:  

pkg:golang/github.com/gogo/protobuf@1.1.1

1 Critical, 0 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/prometheus/client_golang@1.3.0

CRITICAL Vulnerabilities (1)

    [CVE-2021-3121] An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarsha...

    An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.

    CVSS Score: 9.8

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

(at-me in a reply with help or ignore)

sonatype-lift[bot]
sonatype-lift bot reviewed Aug 31, 2021
View reviewed changes
releases/go.mod
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9 // indirect
golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
google.golang.org/genproto v0.0.0-20201026171402-d4b8fe4fd877 // indirect
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical OSS Vulnerability:  

pkg:golang/golang.org/x/net@0.0.0-20180826012351-8a410e7b638d

5 Critical, 0 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/google.golang.org/genproto@0.0.0-20201026171402-d4b8fe4fd877

CRITICAL Vulnerabilities (5)
    CVE-2018-17143

    [CVE-2018-17143] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17848

    [CVE-2018-17848] Data Handling

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17847

    [CVE-2018-17847] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17142

    [CVE-2018-17142] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17846

    [CVE-2018-17846] Resource Management Errors

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <table><math><select><mi><select></table>, leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

(at-me in a reply with help or ignore)

sonatype-lift[bot]
sonatype-lift bot reviewed Aug 31, 2021
View reviewed changes
releases/go.mod
golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
google.golang.org/genproto v0.0.0-20201026171402-d4b8fe4fd877 // indirect
google.golang.org/grpc v1.32.0 // indirect
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical OSS Vulnerability:  

pkg:golang/golang.org/x/net@0.0.0-20180826012351-8a410e7b638d

5 Critical, 0 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/google.golang.org/grpc@1.32.0

CRITICAL Vulnerabilities (5)
    CVE-2018-17143

    [CVE-2018-17143] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17848

    [CVE-2018-17848] Data Handling

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17847

    [CVE-2018-17847] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17142

    [CVE-2018-17142] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17846

    [CVE-2018-17846] Resource Management Errors

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <table><math><select><mi><select></table>, leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

(at-me in a reply with help or ignore)

sonatype-lift[bot]
sonatype-lift bot reviewed Aug 31, 2021
View reviewed changes
releases/go.mod
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
google.golang.org/genproto v0.0.0-20201026171402-d4b8fe4fd877 // indirect
google.golang.org/grpc v1.32.0 // indirect
google.golang.org/protobuf v1.25.0 // indirect
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical OSS Vulnerability:  

pkg:golang/golang.org/x/net@0.0.0-20180826012351-8a410e7b638d

5 Critical, 0 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/google.golang.org/protobuf@1.25.0

CRITICAL Vulnerabilities (5)
    CVE-2018-17143

    [CVE-2018-17143] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17848

    [CVE-2018-17848] Data Handling

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17847

    [CVE-2018-17847] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17142

    [CVE-2018-17142] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17846

    [CVE-2018-17846] Resource Management Errors

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <table><math><select><mi><select></table>, leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

(at-me in a reply with help or ignore)

sonatype-lift[bot]
sonatype-lift bot reviewed Aug 31, 2021
View reviewed changes
releases/go.mod
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9 // indirect
golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
google.golang.org/genproto v0.0.0-20201026171402-d4b8fe4fd877 // indirect
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical OSS Vulnerability:  

pkg:golang/golang.org/x/net@0.0.0-20180724234803-3673e40ba225

5 Critical, 0 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/google.golang.org/genproto@0.0.0-20201026171402-d4b8fe4fd877

CRITICAL Vulnerabilities (5)
    CVE-2018-17143

    [CVE-2018-17143] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17848

    [CVE-2018-17848] Data Handling

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17847

    [CVE-2018-17847] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17142

    [CVE-2018-17142] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17846

    [CVE-2018-17846] Resource Management Errors

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <table><math><select><mi><select></table>, leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

(at-me in a reply with help or ignore)

sonatype-lift[bot]
sonatype-lift bot reviewed Aug 31, 2021
View reviewed changes
releases/go.mod
golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
google.golang.org/genproto v0.0.0-20201026171402-d4b8fe4fd877 // indirect
google.golang.org/grpc v1.32.0 // indirect
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical OSS Vulnerability:  

pkg:golang/golang.org/x/net@0.0.0-20180724234803-3673e40ba225

5 Critical, 0 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/google.golang.org/grpc@1.32.0

CRITICAL Vulnerabilities (5)
    CVE-2018-17143

    [CVE-2018-17143] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17848

    [CVE-2018-17848] Data Handling

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17847

    [CVE-2018-17847] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17142

    [CVE-2018-17142] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17846

    [CVE-2018-17846] Resource Management Errors

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <table><math><select><mi><select></table>, leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

(at-me in a reply with help or ignore)

sonatype-lift[bot]
sonatype-lift bot reviewed Aug 31, 2021
View reviewed changes
releases/go.mod
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
google.golang.org/genproto v0.0.0-20201026171402-d4b8fe4fd877 // indirect
google.golang.org/grpc v1.32.0 // indirect
google.golang.org/protobuf v1.25.0 // indirect
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical OSS Vulnerability:  

pkg:golang/golang.org/x/net@0.0.0-20180724234803-3673e40ba225

5 Critical, 0 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/google.golang.org/protobuf@1.25.0

CRITICAL Vulnerabilities (5)
    CVE-2018-17143

    [CVE-2018-17143] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17848

    [CVE-2018-17848] Data Handling

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17847

    [CVE-2018-17847] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17142

    [CVE-2018-17142] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    CVE-2018-17846

    [CVE-2018-17846] Resource Management Errors

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <table><math><select><mi><select></table>, leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

(at-me in a reply with help or ignore)

sonatype-lift[bot]
sonatype-lift bot reviewed Aug 31, 2021
View reviewed changes
releases/go.mod
github.com/joho/godotenv v1.3.0
github.com/pkg/errors v0.9.1
github.com/tinkerbell/tink v0.0.0-20210315140655-1b178daeaeda
github.com/prometheus/client_golang v1.3.0 // indirect
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severe OSS Vulnerability:  

pkg:golang/golang.org/x/crypto@0.0.0-20180904163835-0709b304e793

0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/prometheus/client_golang@1.3.0

SEVERE Vulnerabilities (1)

    [CVE-2019-11840] Use of Insufficiently Random Values

    An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

    CVSS Score: 5.9

    CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

(at-me in a reply with help or ignore)

sonatype-lift[bot]
sonatype-lift bot reviewed Aug 31, 2021
View reviewed changes
releases/go.mod
github.com/joho/godotenv v1.3.0
github.com/pkg/errors v0.9.1
github.com/tinkerbell/tink v0.0.0-20210315140655-1b178daeaeda
github.com/prometheus/client_golang v1.3.0 // indirect
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severe OSS Vulnerability:  

pkg:golang/golang.org/x/crypto@0.0.0-20190308221718-c2843e01d9a2

0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/prometheus/client_golang@1.3.0

SEVERE Vulnerabilities (1)

    [CVE-2019-11840] Use of Insufficiently Random Values

    An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

    CVSS Score: 5.9

    CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

(at-me in a reply with help or ignore)

sonatype-lift[bot]
sonatype-lift bot reviewed Aug 31, 2021
View reviewed changes
releases/go.mod
github.com/tinkerbell/tink v0.0.0-20210315140655-1b178daeaeda
github.com/prometheus/client_golang v1.3.0 // indirect
go.opencensus.io v0.22.2 // indirect
golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a // indirect
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severe OSS Vulnerability:  

pkg:golang/golang.org/x/crypto@0.0.0-20190308221718-c2843e01d9a2

0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/golang.org/x/crypto@0.0.0-20200820211705-5c72a883971a

SEVERE Vulnerabilities (1)

    [CVE-2019-11840] Use of Insufficiently Random Values

    An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

    CVSS Score: 5.9

    CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

(at-me in a reply with help or ignore)

sonatype-lift[bot]
sonatype-lift bot reviewed Aug 31, 2021
View reviewed changes
releases/go.mod
github.com/prometheus/client_golang v1.3.0 // indirect
go.opencensus.io v0.22.2 // indirect
golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a // indirect
golang.org/x/net v0.0.0-20201021035429-f5854403a974 // indirect
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severe OSS Vulnerability:  

pkg:golang/golang.org/x/crypto@0.0.0-20190308221718-c2843e01d9a2

0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/golang.org/x/net@0.0.0-20201021035429-f5854403a974

SEVERE Vulnerabilities (1)

    [CVE-2019-11840] Use of Insufficiently Random Values

    An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

    CVSS Score: 5.9

    CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

(at-me in a reply with help or ignore)

sonatype-lift[bot]
sonatype-lift bot reviewed Aug 31, 2021
View reviewed changes
releases/go.mod
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9 // indirect
golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
google.golang.org/genproto v0.0.0-20201026171402-d4b8fe4fd877 // indirect
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severe OSS Vulnerability:  

pkg:golang/golang.org/x/crypto@0.0.0-20190308221718-c2843e01d9a2

0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/google.golang.org/genproto@0.0.0-20201026171402-d4b8fe4fd877

SEVERE Vulnerabilities (1)

    [CVE-2019-11840] Use of Insufficiently Random Values

    An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

    CVSS Score: 5.9

    CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

(at-me in a reply with help or ignore)

sonatype-lift[bot]
sonatype-lift bot reviewed Aug 31, 2021
View reviewed changes
releases/go.mod
golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
google.golang.org/genproto v0.0.0-20201026171402-d4b8fe4fd877 // indirect
google.golang.org/grpc v1.32.0 // indirect
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severe OSS Vulnerability:  

pkg:golang/golang.org/x/crypto@0.0.0-20190308221718-c2843e01d9a2

0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/google.golang.org/grpc@1.32.0

SEVERE Vulnerabilities (1)

    [CVE-2019-11840] Use of Insufficiently Random Values

    An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

    CVSS Score: 5.9

    CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

(at-me in a reply with help or ignore)

sonatype-lift[bot]
sonatype-lift bot reviewed Aug 31, 2021
View reviewed changes
releases/go.mod
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
google.golang.org/genproto v0.0.0-20201026171402-d4b8fe4fd877 // indirect
google.golang.org/grpc v1.32.0 // indirect
google.golang.org/protobuf v1.25.0 // indirect
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severe OSS Vulnerability:  

pkg:golang/golang.org/x/crypto@0.0.0-20190308221718-c2843e01d9a2

0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/google.golang.org/protobuf@1.25.0

SEVERE Vulnerabilities (1)

    [CVE-2019-11840] Use of Insufficiently Random Values

    An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

    CVSS Score: 5.9

    CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

(at-me in a reply with help or ignore)

@tstromberg
Run prettier on .golangci.yml
acc8351 
Signed-off-by: Thomas Stromberg <t+github@stromberg.org>
@tstromberg tstromberg merged commit eec3a81 into tinkerbell:master Aug 31, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sonatype-lift sonatype-lift[bot] sonatype-lift left review comments

@jacobweinstock jacobweinstock jacobweinstock approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@tstromberg @jacobweinstock