DataDog / dd-trace-go

Datadog Go Library including APM tracing, profiling, and security monitoring.
https://docs.datadoghq.com/tracing/

github.com/golang/protobuf/proto was deprecated #1136

Open ebilling opened 2 years ago

ebilling commented 2 years ago

The library github.com/golang/protobuf/proto was deprecated over a year ago.

The new home is google.golang.org/protobuf/proto

Also, "github.com/golang/protobuf/jsonpb" has been deprecated by "google.golang.org/protobuf/encoding/protojson"

I have updated quite a few repos recently and I'll try to get a PR to you soon.

kaitlinr commented 2 years ago

I'd just like to bump this issue! We're seeing some security vulns from this package related to golang.org/x/crypto and golang.org/x/text.

I think this would also involve updating DataDog/sketches-go to 1.3.0. This means https://github.com/DataDog/dd-trace-go/pull/1051 would need to be merged first.


dianashevchenko commented 2 years ago

1051 is now merged, we'll bump protobuf in a moment 🙌

radykal-com commented 1 year ago

Any update on this? the deprecated protobuf module is still in go.mod

dogeviper commented 1 year ago

Hi, seems like the deprecated libraries are still here. Any update as to when the fix will be pushed out?

Seeing the following vulnerabilities:

http://golang.org/x/crypto/ssh - Improper Signature Verification
Introduced through: gopkg.in/DataDog/dd-trace-go.v1@v1.49.1 › github.com/hashicorp/consul/api@v1.0.0 › github.com/hashicorp/serf@v0.8.2 › github.com/hashicorp/mdns@v1.0.0 › golang.org/x/crypto@v0.0.0-20181029021203-45a5f77698d3

Introduced through: gopkg.in/DataDog/dd-trace-go.v1@v1.49.1 › k8s.io/client-go@v0.17.0 › github.com/gophercloud/gophercloud@v0.1.0 › golang.org/x/crypto@v0.0.0-20190211182817-74369b46fc67
Fixed in golang.org/x/crypto/ssh@0.0.0-20200220183623-bac4c82f6975

http://github.com/emicklei/go-restful - Authorization Bypass
Introduced through: gopkg.in/DataDog/dd-trace-go.v1@v1.49.1 › k8s.io/api@v0.17.0 › k8s.io/apimachinery@v0.17.0 › k8s.io/kube-openapi@v0.0.0-20191107075043-30be4d16710a › github.com/emicklei/go-restful@v0.0.0-20170410110728-ff4f55a20633
Fixed in github.com/emicklei/go-restful@2.16.0

http://github.com/emicklei/go-restful/v3 - Authorization Bypass
Introduced through: gopkg.in/DataDog/dd-trace-go.v1@v1.49.1 › k8s.io/api@v0.17.0 › k8s.io/apimachinery@v0.17.0 › k8s.io/kube-openapi@v0.0.0-20191107075043-30be4d16710a › github.com/emicklei/go-restful@v0.0.0-20170410110728-ff4f55a20633
Fixed in github.com/emicklei/go-restful/v3@3.8.0

http://github.com/emicklei/go-restful/v3 - Authorization Bypass Through User-Controlled Key
Introduced through: gopkg.in/DataDog/dd-trace-go.v1@v1.49.1 › k8s.io/api@v0.17.0 › k8s.io/apimachinery@v0.17.0 › k8s.io/kube-openapi@v0.0.0-20191107075043-30be4d16710a › github.com/emicklei/go-restful@v0.0.0-20170410110728-ff4f55a20633
Fixed in github.com/emicklei/go-restful/v3@3.8.0

http://golang.org/x/net/html - Denial of Service (DoS)
Introduced through: gopkg.in/DataDog/dd-trace-go.v1@v1.49.1 › k8s.io/api@v0.17.0 › k8s.io/apimachinery@v0.17.0 › k8s.io/kube-openapi@v0.0.0-20191107075043-30be4d16710a › golang.org/x/net@v0.0.0-20170114055629-f2499483f923
Fixed in golang.org/x/net/html@0.0.0-20190125002852-4b62a64f59f7

@dianashevchenko fyi

katiehockman commented 1 year ago

We use govulncheck as the source of truth for possible vulnerabilities in our code. So that means that our go.mod file could require a version of a module that has a vulnerability in a part of the module which isn't reachable from our code. We do this to avoid requiring a higher version in our go.mod file than what is required for users to rely on our code in a secure way.

https://github.com/DataDog/dd-trace-go/blob/main/SECURITY.md#reporting-a-vulnerability

However, if the tool has missed any vulnerabilities that you feel could affect customers, please file a support ticket so we can address that quickly.

katiehockman commented 1 year ago

As far as upgrading github.com/golang/protobuf/proto, we are actively looking into that and will loop back around soon.

zarirhamza commented 1 year ago

Just jumping in real quick - We're looking into it right now and it seems that since we support an older version of one of the grpc libraries, we're unable to remove the dependency right away without looking into some alternatives. Rest assured we are looking into it and will continue to keep you updated.

Teko012 commented 1 month ago

@piochelepiotr It seems like after https://github.com/DataDog/dd-trace-go/pull/2694, it is still required. Do you know what causes this, and can it be solved?

darccio commented 3 weeks ago

@Teko012 As we import dependencies for our contribs, some of them still use it. Specifically, k8s.io/client-go uses github.com/golang/protobuf on purpose. We'll remove or update other dependencies, like richardartoul/molecule, but we'll have to wait for Kubernetes to remove it. They have an issue where they track their effort to move away from it too.

We are also working on dd-trace-go v2, which isolates contribs as nested modules, reducing the impact of this kind of dependency that is deprecated and, sometimes, goes stale in other repositories.

Keep in mind that you are not affected unless you import a package that directly pulls the deprecated library or another one that pulls it.
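The question in this thread keeps coming back to "which of my dependencies drags github.com/golang/protobuf in, and is it one I actually import?". The program below is an added example, not part of this issue or of dd-trace-go; it parses `go mod graph` output and lists every module-level path from the main module to a target module, plus the direct dependencies you would have to drop or replace to get rid of it. The graph text, the main module name `example.com/svc`, the `github.com/foo/bar` dependency and all versions are constructed for illustration and do not describe any real dependency tree.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sampleGraph is a constructed `go mod graph` listing for a hypothetical
// service (example.com/svc) that depends on dd-trace-go. Module versions and
// the github.com/foo/bar dependency are made up for illustration. As in real
// `go mod graph` output, the main module is written without an @version.
const sampleGraph = `example.com/svc gopkg.in/DataDog/dd-trace-go.v1@v1.49.1
example.com/svc github.com/foo/bar@v1.2.0
gopkg.in/DataDog/dd-trace-go.v1@v1.49.1 github.com/golang/protobuf@v1.5.2
gopkg.in/DataDog/dd-trace-go.v1@v1.49.1 k8s.io/client-go@v0.17.0
k8s.io/client-go@v0.17.0 github.com/golang/protobuf@v1.5.2
github.com/foo/bar@v1.2.0 golang.org/x/text@v0.3.7
`

// parseModGraph turns `go mod graph` output (one "from to" pair per line,
// nodes written as module@version) into an adjacency list keyed by node.
func parseModGraph(output string) map[string][]string {
	graph := make(map[string][]string)
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // blank or malformed line
		}
		graph[fields[0]] = append(graph[fields[0]], fields[1])
	}
	return graph
}

// modulePath strips the @version suffix from a graph node.
func modulePath(node string) string {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// pathsTo returns every simple path from root to a node whose module path is
// target, sorted for deterministic output. Nodes already on the current path
// are never revisited, so cycles in the module graph cannot loop forever.
func pathsTo(graph map[string][]string, root, target string) [][]string {
	var found [][]string
	onPath := make(map[string]bool)
	var walk func(node string, path []string)
	walk = func(node string, path []string) {
		if onPath[node] {
			return
		}
		path = append(path, node)
		if modulePath(node) == target {
			found = append(found, append([]string(nil), path...)) // copy: path is reused by siblings
			return
		}
		onPath[node] = true
		for _, dep := range graph[node] {
			walk(dep, path)
		}
		onPath[node] = false
	}
	walk(root, nil)
	sort.Slice(found, func(i, j int) bool {
		return strings.Join(found[i], " ") < strings.Join(found[j], " ")
	})
	return found
}

// directDepsPulling lists the main module's direct dependencies (module paths,
// deduplicated and sorted) that sit on any path to target: these are the
// imports you would have to drop or replace to stop requiring target.
func directDepsPulling(graph map[string][]string, root, target string) []string {
	seen := make(map[string]bool)
	var deps []string
	for _, p := range pathsTo(graph, root, target) {
		if len(p) < 2 {
			continue // root itself is the target; nothing to drop
		}
		if d := modulePath(p[1]); !seen[d] {
			seen[d] = true
			deps = append(deps, d)
		}
	}
	sort.Strings(deps)
	return deps
}

func main() {
	graph := parseModGraph(sampleGraph)
	const target = "github.com/golang/protobuf"
	for _, p := range pathsTo(graph, "example.com/svc", target) {
		fmt.Println(strings.Join(p, " > "))
	}
	fmt.Println("direct deps to audit:", directDepsPulling(graph, "example.com/svc", target))
}
```

In a real repository, pipe `go mod graph` into the parser instead of the constant. Keep in mind that the module graph is an over-approximation: it records which modules require which, not which packages your binary links. `go mod why -m github.com/golang/protobuf` answers the package-level question for one module (a shortest import chain from your packages, or "(main module does not need module ...)"), and govulncheck goes one step further by checking whether the vulnerable symbols are reachable at all, which is the distinction the maintainers rely on above.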