Lusitaniae / apache_exporter

Prometheus exporter for Apache.
MIT License

Error for go version in security checking #142

Closed ns-fhe closed 1 year ago

ns-fhe commented 2 years ago

We are scanning this package for security purposes, and below is the scanning result:

https://groups.google.com/g/golang-announce
In net/http in Go before 1.18.6 and 1.19.x before 1., attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
7.5
XRAY-248630
CVE-2022-30633
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
go://github.com/golang/go:1.16.10
sha25666ce0af3edde24e24426ef9e4b35e9abb8bccc01deac9a8a2e970d51b8cce384.tar.gz/tmp/-0.11.0.linux-amd64/apache_exporter/apache_exporter/github.com/lang/go/go
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.
1.17.12 1.18.4
go
High
2022-08-11
JFrog
docker://webui:99.0.0.9955
stork-develop-fedramp-docker-origin/webui/99.0.0.9955/
docker://webui:99.0.0.9955 generic://sha256:66ce0af3edde24e24426ef9e4b35e9abb8bccc01deac9a8a2e970d51b8cce384/sha25666ce0af3edde24e24426ef9e4b35e9abb8bccc01deac9a8a2e970d51b8cce384.tar.gz

Can this be fixed?

Lusitaniae commented 2 years ago

Would you like to submit a PR upgrading go version and maybe module updates too?

mator commented 1 year ago

Would changing the version in ./.circleci/config.yml, .promu.yml and go.mod be enough? Like:

apache_exporter$ git diff
diff --git a/.circleci/config.yml b/.circleci/config.yml
index a05d49e..c88b275 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -6,7 +6,7 @@ jobs:
     # Whenever the Go version is updated here, .promu.yml
     # should also be updated.
     docker:
-      - image: circleci/golang:1.16
+      - image: cimg/go:1.19.3
     steps:
       - prometheus/setup_environment
       - setup_remote_docker
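Review bot: the image pin here (cimg/go:1.19.3) and the `.promu.yml` bump to `1.19` are at different granularities, although the comment two lines above says the two files must be updated together; use the same form in both so the CI build and the promu release build resolve the same toolchain, and note in the PR description that `circleci/golang` has been swapped for the `cimg/go` image namespace.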
@@ -47,4 +47,4 @@ workflows:
             tags:
               only: /^v[0-9]+(\.[0-9]+){2}(-.+|[^-.]*)$/
             branches:
-              ignore: /.*/
\ No newline at end of file
+              ignore: /.*/
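Review bot: this hunk only adds the missing trailing newline (the `ignore: /.*/` line itself is unchanged); it is fine to keep, but say so in the commit message so reviewers do not look for a workflow change here.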
diff --git a/.promu.yml b/.promu.yml
index 7ed24ae..a419c6d 100644
--- a/.promu.yml
+++ b/.promu.yml
@@ -1,7 +1,7 @@
 go:
     # Whenever the Go version is updated here,
     # .circle/config.yml should also be updated.
-    version: 1.16
+    version: 1.19
     # cgo: false
 repository:
     path: github.com/Lusitaniae/apache_exporter
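Review bot: `version: 1.19` leaves the patch level to promu, while the CircleCI image pins 1.19.3; since the reason for the bump is a set of fixes that shipped in specific patch releases (the scan quotes 1.17.12/1.18.4 and "before 1.18.6"), pin a patch level here as well, or document which release promu resolves, so the published binaries are provably built with a patched toolchain.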
diff --git a/go.mod b/go.mod
index 04f08b5..67cdf4e 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/Lusitaniae/apache_exporter

-go 1.14
+go 1.19

 require (
        github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect
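Review bot: raising the `go` directive to 1.19 does not by itself change the toolchain that compiles the binary; the net/http and encoding/xml fixes from the scan come from the Go release used to build (the CI image and `.promu.yml`), so this line is not the security fix on its own. It does move the module past the 1.17 boundary, after which go.mod must list every indirect dependency, so run `go mod tidy` and commit the resulting go.mod and go.sum changes with this PR rather than editing only the `go` line.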

ns-fhe commented 1 year ago

Thanks!

Lusitaniae commented 1 year ago

should work

you may need to update go.sum too

blkperl commented 1 year ago

This was fixed in https://github.com/Lusitaniae/apache_exporter/commit/b56c620eafa0d914c5f9d5d0774f898767137a8e.
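As an added example (not code from the apache_exporter project or from anyone in this thread): the issues the scan flags live in the Go standard library, so what matters is the toolchain that compiled the released binary, not the `go` line in go.mod. Every module-built Go binary embeds that toolchain version, and the program below reads it with `debug/buildinfo` and compares it against the fixed releases quoted in the scan output (1.17.12 and 1.18.4 for the encoding/xml issue, 1.18.6 for the net/http one; the 1.19 threshold for the latter is cut off in the scan row, so it is not encoded here). The issue labels, the rule that a minor line newer than every listed fix counts as patched, and the rule that an unlisted older line such as 1.16 counts as unpatched are my assumptions, not statements from the advisory.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// GoVersion is a parsed Go release such as "go1.19.3" (Patch is 0 for "1.19").
type GoVersion struct {
	Major, Minor, Patch int
}

// ParseGoVersion accepts the forms found in build info ("go1.19.3") and in
// advisories ("1.18.6", "1.19"). Pre-release and devel toolchains such as
// "go1.20rc1" or "devel go1.22-abcdef" are rejected rather than guessed at.
func ParseGoVersion(s string) (GoVersion, error) {
	fields := strings.Fields(s) // drop any " X:experiment" suffix
	if len(fields) == 0 {
		return GoVersion{}, fmt.Errorf("empty Go version")
	}
	parts := strings.Split(strings.TrimPrefix(fields[0], "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return GoVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var v GoVersion
	dst := []*int{&v.Major, &v.Minor, &v.Patch}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return GoVersion{}, fmt.Errorf("unrecognised Go version %q", s)
		}
		*dst[i] = n
	}
	return v, nil
}

// FixedIn reports whether toolchain carries a fix that shipped in the given
// releases, written the way the advisory lists them ("1.17.12 1.18.4"), one per
// supported minor line. Assumed rules (not from the advisory): on a listed minor
// line the patch level must be at least the fixed one; a minor line newer than
// every listed fix is treated as patched; any other line (e.g. 1.16, already out
// of support when these fixes shipped) is treated as unpatched.
func FixedIn(toolchain, fixedReleases string) (bool, error) {
	v, err := ParseGoVersion(toolchain)
	if err != nil {
		return false, err
	}
	newestFixedMinor := -1
	for _, rel := range strings.Fields(fixedReleases) {
		fv, err := ParseGoVersion(rel)
		if err != nil {
			return false, err
		}
		if fv.Major != v.Major {
			continue
		}
		if fv.Minor == v.Minor {
			return v.Patch >= fv.Patch, nil
		}
		if fv.Minor > newestFixedMinor {
			newestFixedMinor = fv.Minor
		}
	}
	return newestFixedMinor >= 0 && v.Minor > newestFixedMinor, nil
}

// Fixes maps a short issue label (my own labels, assumed) to the releases
// that contain its fix.
type Fixes map[string]string

// Unfixed returns, sorted, the labels of issues the toolchain is still exposed to.
func Unfixed(toolchain string, fixes Fixes) ([]string, error) {
	var out []string
	for label, rel := range fixes {
		ok, err := FixedIn(toolchain, rel)
		if err != nil {
			return nil, err
		}
		if !ok {
			out = append(out, label)
		}
	}
	sort.Strings(out)
	return out, nil
}

// CheckBinary reads the build info the Go linker embeds in every module-built
// binary and returns the toolchain plus the issues it is still exposed to.
func CheckBinary(path string, fixes Fixes) (string, []string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", nil, err
	}
	missing, err := Unfixed(bi.GoVersion, fixes)
	return bi.GoVersion, missing, err
}

func main() {
	// Fixed releases as quoted in the scan output in this issue; the net/http
	// entry lists only the 1.18 line because the 1.19 threshold is cut off there.
	fixes := Fixes{
		"CVE-2022-30633 encoding/xml": "1.17.12 1.18.4",
		"net/http HTTP/2 hang":        "1.18.6",
	}
	for _, p := range os.Args[1:] {
		tc, missing, err := CheckBinary(p, fixes)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", p, err)
			continue
		}
		if len(missing) == 0 {
			fmt.Printf("%s: built with %s, all listed fixes present\n", p, tc)
		} else {
			fmt.Printf("%s: built with %s, missing: %s\n", p, tc, strings.Join(missing, "; "))
		}
	}
}
```

Run it as `go run . /path/to/apache_exporter`; `go version -m ./apache_exporter` prints the same embedded data by hand, and for a container image you would run either against the binary extracted from the image layer.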