Closed. 06kellyjac closed this 2 years ago.
I also noticed the copyright notices say `// Copyright 2016-2018 Yubico AB`; shall I bump them to `// Copyright 2016-2022 Yubico AB`?

I noticed the README and the Dockerfile referred to older Go versions, so I bumped those too.

The main reason to tidy (and add the Go version to `go.mod`) is because in Go 1.17 they changed the way it resolves modules and formats `go.mod` etc. We were getting inconsistent vendoring errors in https://github.com/NixOS/nixpkgs/pull/169682

Since you're releasing with 1.17, I've tidied using the 1.17 rules (`go mod tidy -compat=1.17`).

While I was updating the `go.mod` and `go.sum` files I thought I'd also update the dependencies. I also manually bumped from `v2` of `gopkg.in/yaml` to `v3`.

LMK what you think, I can always move the version changes to a separate PR.

Trivy scan - before
Trivy Scan - before - details

```
go.sum (gomod)
==============
Total: 9 (UNKNOWN: 3, LOW: 0, MEDIUM: 1, HIGH: 5, CRITICAL: 0)
```

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title |
|---|---|---|---|---|---|
| github.com/dgrijalva/jwt-go | CVE-2020-26160 | HIGH | 3.2.0+incompatible | (none) | jwt-go: access restriction bypass vulnerability (avd.aquasec.com/nvd/cve-2020-26160) |
| github.com/gogo/protobuf | CVE-2021-3121 | HIGH | 1.2.1 | 1.3.2 | gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (avd.aquasec.com/nvd/cve-2021-3121) |
| github.com/gorilla/websocket | CVE-2020-27813 | HIGH | 1.4.0 | 1.4.1 | golang-github-gorilla-websocket: integer overflow leads to denial of service (avd.aquasec.com/nvd/cve-2020-27813) |
| golang.org/x/crypto | CVE-2022-27191 | HIGH | 0.0.0-20190308221718-c2843e01d9a2 | 0.0.0-20220315160706-3147a52a75dd | golang: crash in a golang.org/x/crypto/ssh server (avd.aquasec.com/nvd/cve-2022-27191) |
| golang.org/x/text | CVE-2020-14040 | HIGH | 0.3.2 | 0.3.3 | golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to... (avd.aquasec.com/nvd/cve-2020-14040) |
| golang.org/x/text | CVE-2021-38561 | UNKNOWN | 0.3.2 | 0.3.7 | Due to improper index calculation, an incorrectly formatted language tag can cause... (avd.aquasec.com/nvd/cve-2021-38561) |
| gopkg.in/yaml.v2 | CVE-2019-11254 | MEDIUM | 2.2.2 | 2.2.8 | kubernetes: Denial of service in API server via crafted YAML payloads by... (avd.aquasec.com/nvd/cve-2019-11254) |
| gopkg.in/yaml.v2 | GMS-2019-2 | UNKNOWN | 2.2.2 | v2.2.3 | XML Entity Expansion |
| gopkg.in/yaml.v2 | GO-2021-0061 | UNKNOWN | 2.2.2 | 2.2.3 | Due to unbounded alias chasing, a maliciously crafted YAML file can cause the... |

Grype scan - before
Trivy scan - after
Grype scan - after
No vulnerabilities found
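The before/after scans above are the evidence that the dependency bump actually removed the known-vulnerable versions. The following added example (not part of the PR or the project's code) turns that manual comparison into a CI gate: it reads Trivy's table output on stdin, pulls the per-severity counts out of the `Total:` summary line in the format shown above, and fails the job when any HIGH or CRITICAL finding remains. The two sample scan outputs are constructed for the example; only the summary-line format is taken from the real Trivy output on this page.

```shell
#!/bin/sh
# Added example: gate a CI step on Trivy's table-format summary line, e.g.
#   Total: 9 (UNKNOWN: 3, LOW: 0, MEDIUM: 1, HIGH: 5, CRITICAL: 0)
# Assumes table output as produced by e.g. `trivy fs --format table .`.

# trivy_count SEVERITY
# Reads Trivy table output on stdin and prints the count for the named
# severity, taken from the first "Total:" summary line (0 when absent).
trivy_count() {
  sev="$1"
  n=$(grep -m1 'Total:' | sed -n "s/.*${sev}: \([0-9][0-9]*\).*/\1/p")
  printf '%s\n' "${n:-0}"
}

# trivy_gate
# Reads Trivy table output on stdin; returns 0 when there are no HIGH or
# CRITICAL findings, 1 otherwise. Prints the decision for the CI log.
trivy_gate() {
  out=$(cat)
  high=$(printf '%s\n' "$out" | trivy_count HIGH)
  crit=$(printf '%s\n' "$out" | trivy_count CRITICAL)
  if [ "$high" -gt 0 ] || [ "$crit" -gt 0 ]; then
    printf 'FAIL: %s HIGH, %s CRITICAL findings in go.sum\n' "$high" "$crit"
    return 1
  fi
  printf 'PASS: no HIGH or CRITICAL findings\n'
  return 0
}

# Constructed sample outputs (summary lines only): a scan before the
# dependency bump, and one after it.
SAMPLE_BEFORE='go.sum (gomod)
==============
Total: 9 (UNKNOWN: 3, LOW: 0, MEDIUM: 1, HIGH: 5, CRITICAL: 0)'
SAMPLE_AFTER='go.sum (gomod)
==============
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)'

# Real usage would be:  trivy fs --format table . | trivy_gate
printf '%s\n' "$SAMPLE_BEFORE" | trivy_gate || true   # fails the gate
printf '%s\n' "$SAMPLE_AFTER" | trivy_gate            # passes the gate
```

The gate deliberately keys off the summary line rather than grepping for individual CVE ids, so it keeps working as the findings table changes; the threshold (HIGH/CRITICAL only) is a policy choice and MEDIUM could be added to the check the same way.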