Yubico / yubihsm-connector

https://developers.yubico.com/yubihsm-connector/
Apache License 2.0

tidy and update go dependencies #34

Closed 06kellyjac closed 2 years ago

06kellyjac commented 2 years ago

The main reason to tidy (and add the go version to go.mod) is that in Go 1.17 they changed the way it resolves modules and formats go.mod, etc.

We were getting inconsistent vendoring errors in https://github.com/NixOS/nixpkgs/pull/169682

Since you're releasing with 1.17, I've tidied using the 1.17 rules (`go mod tidy -compat=1.17`):

github.com/Yubico/yubihsm-connector imports
    gopkg.in/yaml.v2 tested by
    gopkg.in/yaml.v2.test imports
    gopkg.in/check.v1 imports
    github.com/kr/pretty loaded from github.com/kr/pretty@v0.1.0,
    but go 1.16 would select v0.2.0

To upgrade to the versions selected by go 1.16:
    go mod tidy -go=1.16 && go mod tidy -go=1.17
If reproducibility with go 1.16 is not needed:
    go mod tidy -compat=1.17
For other options, see:
    https://golang.org/doc/modules/pruning

While I was updating the go.mod and go.sum files I thought I'd also update the dependencies. I also manually bumped from v2 of gopkg.in/yaml to v3. LMK what you think; I can always move the version changes to a separate PR.

Trivy scan - before

go.sum (gomod)
==============
Total: 9 (UNKNOWN: 3, LOW: 0, MEDIUM: 1, HIGH: 5, CRITICAL: 0)
Trivy Scan - before - details

```
go.sum (gomod)
==============
Total: 9 (UNKNOWN: 3, LOW: 0, MEDIUM: 1, HIGH: 5, CRITICAL: 0)

| LIBRARY                      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION                 | FIXED VERSION                     | TITLE
|------------------------------|------------------|----------|-----------------------------------|-----------------------------------|------------------------------------------------------------------------------------------------------
| github.com/dgrijalva/jwt-go  | CVE-2020-26160   | HIGH     | 3.2.0+incompatible                |                                   | jwt-go: access restriction bypass vulnerability -->avd.aquasec.com/nvd/cve-2020-26160
| github.com/gogo/protobuf     | CVE-2021-3121    | HIGH     | 1.2.1                             | 1.3.2                             | gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation -->avd.aquasec.com/nvd/cve-2021-3121
| github.com/gorilla/websocket | CVE-2020-27813   | HIGH     | 1.4.0                             | 1.4.1                             | golang-github-gorilla-websocket: integer overflow leads to denial of service -->avd.aquasec.com/nvd/cve-2020-27813
| golang.org/x/crypto          | CVE-2022-27191   | HIGH     | 0.0.0-20190308221718-c2843e01d9a2 | 0.0.0-20220315160706-3147a52a75dd | golang: crash in a golang.org/x/crypto/ssh server -->avd.aquasec.com/nvd/cve-2022-27191
| golang.org/x/text            | CVE-2020-14040   | HIGH     | 0.3.2                             | 0.3.3                             | golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to... -->avd.aquasec.com/nvd/cve-2020-14040
| golang.org/x/text            | CVE-2021-38561   | UNKNOWN  | 0.3.2                             | 0.3.7                             | Due to improper index calculation, an incorrectly formatted language tag can cause... -->avd.aquasec.com/nvd/cve-2021-38561
| gopkg.in/yaml.v2             | CVE-2019-11254   | MEDIUM   | 2.2.2                             | 2.2.8                             | kubernetes: Denial of service in API server via crafted YAML payloads by... -->avd.aquasec.com/nvd/cve-2019-11254
| gopkg.in/yaml.v2             | GMS-2019-2       | UNKNOWN  | 2.2.2                             | v2.2.3                            | XML Entity Expansion
| gopkg.in/yaml.v2             | GO-2021-0061     | UNKNOWN  | 2.2.2                             | 2.2.3                             | Due to unbounded alias chasing, a maliciously crafted YAML file can cause the...
```

Grype scan - before

NAME              INSTALLED  FIXED-IN  VULNERABILITY        SEVERITY
gopkg.in/yaml.v2  v2.2.2     2.2.8     GHSA-wxc4-f4m6-wwqv  Medium

Trivy scan - after

go.sum (gomod)
==============
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Grype scan - after

No vulnerabilities found
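
A severity gate over the two scanner outputs quoted above, added here as an example; it is not code from this PR or from the yubihsm-connector repository. It parses Trivy's table-format `Total:` summary line and Grype's default table in the shape they appear in the comment, and fails a CI job when findings reach a chosen severity (UNKNOWN-rated findings fail by default, since an unrated finding should not pass silently). The sample inputs are constructed from the before/after results posted above; the extra Grype row for jwt-go with an empty FIXED-IN cell is constructed from Trivy's jwt-go entry, which lists no fixed version, to show that column slicing by header position survives an empty cell. `parse_trivy_summary`, `parse_grype_table` and `gate` are names chosen for this example.

```python
"""Severity gate over Trivy and Grype text output.

Added example, not code from the yubihsm-connector PR or repository. Parses the
Trivy table-format "Total:" summary and Grype's default table quoted in the PR
and decides whether a CI job should fail. All sample inputs are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ranked severities; UNKNOWN is handled separately because it is unranked.
SEVERITIES = ["NEGLIGIBLE", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Trivy's table format prints one summary line per target, e.g.
#   Total: 9 (UNKNOWN: 3, LOW: 0, MEDIUM: 1, HIGH: 5, CRITICAL: 0)
_TRIVY_TOTAL = re.compile(r"Total:\s*(?P<total>\d+)\s*\((?P<counts>[^)]*)\)")

def parse_trivy_summary(text: str) -> Dict[str, int]:
    """Return {SEVERITY: count}; a log without the summary line fails closed."""
    m = _TRIVY_TOTAL.search(text)
    if m is None:
        raise ValueError("no Trivy 'Total:' summary line found")
    counts: Dict[str, int] = {}
    for part in m.group("counts").split(","):
        sev, n = part.split(":")
        counts[sev.strip().upper()] = int(n)
    if sum(counts.values()) != int(m.group("total")):
        raise ValueError("Trivy per-severity counts do not add up to Total")
    return counts

@dataclass(frozen=True)
class GrypeFinding:
    name: str
    installed: str
    fixed_in: str  # empty when no fixed version is known
    vuln_id: str
    severity: str  # upper-cased

def parse_grype_table(text: str) -> List[GrypeFinding]:
    """Parse Grype's default table. Cells are sliced at the header's column
    starts, so an empty FIXED-IN cell cannot shift later columns, and extra
    columns (newer Grype adds TYPE) are tolerated."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].strip().startswith("No vulnerabilities found"):
        return []  # Grype prints this sentence instead of a table when clean
    starts = [(m.group(0), m.start()) for m in re.finditer(r"\S+", lines[0])]
    wanted = {"NAME", "INSTALLED", "FIXED-IN", "VULNERABILITY", "SEVERITY"}
    missing = wanted - {name for name, _ in starts}
    if missing:
        raise ValueError(f"Grype header lacks columns: {sorted(missing)}")
    findings = []
    for ln in lines[1:]:
        row = {}
        for i, (name, start) in enumerate(starts):
            end = starts[i + 1][1] if i + 1 < len(starts) else None
            row[name] = ln[start:end].strip()
        findings.append(GrypeFinding(row["NAME"], row["INSTALLED"], row["FIXED-IN"],
                                     row["VULNERABILITY"], row["SEVERITY"].upper()))
    return findings

def _blocks(severity: str, fail_at: str, unknown_fails: bool) -> bool:
    """True if a finding of this severity should fail the build."""
    if severity == "UNKNOWN":
        return unknown_fails
    if severity not in SEVERITIES:
        return True  # unrecognised label: fail closed rather than ignore it
    return SEVERITIES.index(severity) >= SEVERITIES.index(fail_at)

def gate(trivy_counts: Dict[str, int], grype_findings: List[GrypeFinding],
         fail_at: str = "HIGH", unknown_fails: bool = True) -> Tuple[bool, List[str]]:
    """Combine both scanners' results; return (ok, reasons)."""
    reasons = []
    for sev, n in trivy_counts.items():
        if n and _blocks(sev, fail_at, unknown_fails):
            reasons.append(f"trivy: {n} {sev} finding(s)")
    for f in grype_findings:
        if _blocks(f.severity, fail_at, unknown_fails):
            reasons.append(f"grype: {f.vuln_id} in {f.name} {f.installed} ({f.severity})")
    return (not reasons, reasons)

def _table(rows: List[Tuple[str, ...]], widths: Tuple[int, ...]) -> str:
    """Lay rows out as Grype does: left-justified, fixed-width columns."""
    return "\n".join("".join(c.ljust(w) for c, w in zip(r, widths)).rstrip() for r in rows)

# Constructed samples reproducing the before/after scans quoted in the PR.
TRIVY_BEFORE = "go.sum (gomod)\n==============\nTotal: 9 (UNKNOWN: 3, LOW: 0, MEDIUM: 1, HIGH: 5, CRITICAL: 0)\n"
TRIVY_AFTER = "go.sum (gomod)\n==============\nTotal: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n"
GRYPE_HEADER = ("NAME", "INSTALLED", "FIXED-IN", "VULNERABILITY", "SEVERITY")
GRYPE_BEFORE = _table([GRYPE_HEADER, ("gopkg.in/yaml.v2", "v2.2.2", "2.2.8",
                                      "GHSA-wxc4-f4m6-wwqv", "Medium")], (18, 11, 10, 21, 8))
GRYPE_AFTER = "No vulnerabilities found\n"
# Constructed row with no fixed version, modelled on Trivy's jwt-go entry in
# the PR (CVE-2020-26160, empty FIXED VERSION), to exercise the empty-cell case.
GRYPE_NO_FIX = _table([GRYPE_HEADER, ("github.com/dgrijalva/jwt-go", "v3.2.0+incompatible",
                                      "", "CVE-2020-26160", "High")], (29, 21, 10, 16, 8))
```

Run against the "before" samples, `gate(parse_trivy_summary(TRIVY_BEFORE), parse_grype_table(GRYPE_BEFORE))` fails on the five HIGH and three UNKNOWN Trivy findings while the single Medium Grype finding is below the default threshold; the "after" samples pass with no reasons. Lowering `fail_at` to `"MEDIUM"` makes the yaml.v2 finding blocking as well, which is the setting a project like this would likely want for a component that parses operator-supplied configuration.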

06kellyjac commented 2 years ago

I also noticed the copyright notices say `// Copyright 2016-2018 Yubico AB`; shall I bump them to `// Copyright 2016-2022 Yubico AB`?

06kellyjac commented 2 years ago

I noticed the readme and the Dockerfile referred to older Go versions, so I bumped those too.