
chore: Bump Dependencies Due To Vulnerability Findings #64

Open
wants to merge 2 commits into master

Conversation


@clavinjune clavinjune commented Oct 17, 2024

Before
go run golang.org/x/vuln/cmd/govulncheck@latest -show verbose ./...
Scanning your code and 381 packages across 50 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-2911
    go-grpc-compression has a zstd decompression bombing vulnerability in
    github.com/mostynb/go-grpc-compression
  More info: https://pkg.go.dev/vuln/GO-2024-2911
  Module: github.com/mostynb/go-grpc-compression
    Found in: github.com/mostynb/[email protected]
    Fixed in: github.com/mostynb/[email protected]
    Example traces found:
      #1: router/producer_router.go:298:39: router.producerRouter.handleProduce calls producer.producerClient.Produce, which eventually calls zstd.compressor.Compress
      #2: router/producer_router.go:298:39: router.producerRouter.handleProduce calls producer.producerClient.Produce, which eventually calls zstd.compressor.Decompress
      #3: router/producer_router.go:17:2: router.init calls zstd.init
      #4: router/producer_router.go:298:39: router.producerRouter.handleProduce calls producer.producerClient.Produce, which eventually calls zstd.zstdWriteCloser.Close
      #5: router/producer_router.go:298:39: router.producerRouter.handleProduce calls producer.producerClient.Produce, which eventually calls zstd.zstdWriteCloser.Write

Vulnerability #2: GO-2022-0322
    Uncontrolled resource consumption in github.com/prometheus/client_golang
  More info: https://pkg.go.dev/vuln/GO-2022-0322
  Module: github.com/prometheus/client_golang
    Found in: github.com/prometheus/[email protected]
    Fixed in: github.com/prometheus/[email protected]
    Example traces found:
      #1: main.go:84:42: barito.main calls promhttp.Handler
      #2: router/kibana_router.go:120:32: router.kibanaRouter.ServeHTTP calls reverseproxy.ReverseProxy.ServeHTTP, which eventually calls promhttp.flusherDelegator.Flush
      #3: router/kibana_router.go:213:22: router.kibanaRouter.ServeElasticsearch calls io.Copy, which eventually calls promhttp.readerFromDelegator.ReadFrom
      #4: router/authentication_middleware.go:139:10: router.SSOClient.HandleCallback calls promhttp.responseWriterDelegator.Write
      #5: router/kibana_router.go:212:15: router.kibanaRouter.ServeElasticsearch calls promhttp.responseWriterDelegator.WriteHeader
      #6: main.go:89:2: barito.main calls http.ListenAndServe, which eventually calls promhttp.sanitizeMethod

=== Package Results ===

Vulnerability #1: GO-2024-2978
    Private tokens could appear in logs if context containing gRPC metadata is
    logged in google.golang.org/grpc
  More info: https://pkg.go.dev/vuln/GO-2024-2978
  Module: google.golang.org/grpc
    Found in: google.golang.org/[email protected]
    Fixed in: google.golang.org/[email protected]

=== Module Results ===

No other vulnerabilities found.

Your code is affected by 2 vulnerabilities from 2 modules.
This scan also found 1 vulnerability in packages you import and 0
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
exit status 3

After
go run golang.org/x/vuln/cmd/govulncheck@latest -show verbose ./...
Scanning your code and 383 packages across 50 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

No vulnerabilities found.

Signed-off-by: clavinjune <[email protected]>
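The two runs above are the whole check: entries under "Symbol Results" are vulnerabilities for which govulncheck found a call path from this code (each "Example traces found" line is one such path), while "Package Results" entries are only imported and "Module Results" only required. The Go program below is an added example, not code from this PR or the barito project, that parses the verbose text output into that distinction and derives a CI exit status from it. The embedded report is a constructed, abbreviated copy of the "Before" run above with "@vOLD"/"@vNEW" as placeholder versions (the real versions are not reproduced on this page), and the gating policy (block only on reachable findings) is this example's own assumption, not govulncheck's documented behaviour.

```go
package main

import (
	"regexp"
	"strings"
)

// SampleBefore is a constructed, abbreviated copy of the "Before" report in the
// PR description; "@vOLD"/"@vNEW" are placeholders, not real module versions.
const SampleBefore = `=== Symbol Results ===

Vulnerability #1: GO-2024-2911
    Found in: github.com/mostynb/go-grpc-compression@vOLD
    Fixed in: github.com/mostynb/go-grpc-compression@vNEW
    Example traces found:
      #1: router/producer_router.go:298:39: router.producerRouter.handleProduce calls producer.producerClient.Produce, which eventually calls zstd.compressor.Compress
      #2: router/producer_router.go:17:2: router.init calls zstd.init

Vulnerability #2: GO-2022-0322
    Found in: github.com/prometheus/client_golang@vOLD
    Fixed in: github.com/prometheus/client_golang@vNEW
    Example traces found:
      #1: main.go:84:42: barito.main calls promhttp.Handler
      #2: main.go:89:2: barito.main calls http.ListenAndServe, which eventually calls promhttp.sanitizeMethod

=== Package Results ===

Vulnerability #1: GO-2024-2978
    Found in: google.golang.org/grpc@vOLD
    Fixed in: google.golang.org/grpc@vNEW
`

// SampleAfter mirrors the clean "After" run.
const SampleAfter = "No vulnerabilities found.\n"

// Finding is one "Vulnerability #N: <ID>" entry, tagged with the section it
// was printed under: Symbol (a call path into the vulnerable code was found),
// Package (only imported) or Module (only required).
type Finding struct {
	ID      string
	Section string
	FoundIn string
	FixedIn string
	Traces  int // call paths listed under "Example traces found"
}

var (
	sectionRe = regexp.MustCompile(`^=== (\w+) Results ===$`)
	vulnRe    = regexp.MustCompile(`^Vulnerability #\d+: (GO-\d{4}-\d+)$`)
	traceRe   = regexp.MustCompile(`^#\d+: `)
)

// ParseReport walks the `govulncheck -show verbose` text output line by line,
// attributing "Found in"/"Fixed in" and trace lines to the most recent finding.
func ParseReport(report string) []Finding {
	var findings []Finding
	section := ""
	for _, raw := range strings.Split(report, "\n") {
		line := strings.TrimSpace(raw)
		if m := sectionRe.FindStringSubmatch(line); m != nil {
			section = m[1]
			continue
		}
		if m := vulnRe.FindStringSubmatch(line); m != nil {
			findings = append(findings, Finding{ID: m[1], Section: section})
			continue
		}
		if len(findings) == 0 {
			continue // preamble before the first finding
		}
		cur := &findings[len(findings)-1]
		switch {
		case strings.HasPrefix(line, "Found in: "):
			cur.FoundIn = strings.TrimPrefix(line, "Found in: ")
		case strings.HasPrefix(line, "Fixed in: "):
			cur.FixedIn = strings.TrimPrefix(line, "Fixed in: ")
		case traceRe.MatchString(line):
			cur.Traces++
		}
	}
	return findings
}

// Gate is this example's CI policy (an assumption, not govulncheck's contract):
// exit 3 when any finding is reachable from the scanned code, as the Before
// run did; Package/Module-only findings are reported but do not block.
func Gate(findings []Finding) int {
	for _, f := range findings {
		if f.Section == "Symbol" {
			return 3
		}
	}
	return 0
}
```

Wiring this into CI means piping the scanner's output into ParseReport and exiting with Gate's value; the FoundIn/FixedIn pairs are what a dependency bump like this PR needs to satisfy, and keeping the Package-only entry visible (without blocking on it) records that the gRPC bump closed an imported-but-uncalled finding rather than a reachable one.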
@clavinjune self-assigned this Oct 17, 2024
@clavinjune marked this pull request as draft October 17, 2024 11:16
@clavinjune changed the title from "Draft: chore: Bump Dependencies Due To Vulnerability Findings" to "chore: Bump Dependencies Due To Vulnerability Findings" Oct 17, 2024
Signed-off-by: clavinjune <[email protected]>
@clavinjune marked this pull request as ready for review October 17, 2024 11:23