aws / aws-lambda-runtime-interface-emulator

Apache License 2.0

Vulnerabilities due to go1.20 #115

Closed Jakub-PMX closed 5 months ago

Jakub-PMX commented 5 months ago
> grype version  
Application:         grype
Version:             0.74.7
BuildDate:           2024-02-26T18:24:14Z
GitCommit:           987238519b8d6e302130ab715f20daed6634da68
GitDescription:      v0.74.7
Platform:            darwin/amd64
GoVersion:           go1.21.7
Compiler:            gc
Syft Version:        v0.105.1
Supported DB Schema: 5
> grype aws-lambda-rie

NAME    INSTALLED  FIXED-IN  TYPE       VULNERABILITY   SEVERITY 
stdlib  go1.20.14            go-module  CVE-2024-24785  Unknown   
stdlib  go1.20.14            go-module  CVE-2024-24784  Unknown   
stdlib  go1.20.14            go-module  CVE-2024-24783  Unknown   
stdlib  go1.20.14            go-module  CVE-2023-45290  Unknown   
stdlib  go1.20.14            go-module  CVE-2023-45289  Unknown

When I tried to upgrade to Go 1.21 (although I am not that familiar with Go), the build of the binary went through with the compile-with-docker command and grype aws-lambda-rie reported no vulnerabilities.

Here is the diff:

diff --git a/Makefile b/Makefile
index 80ccb89..1916dae 100644
--- a/Makefile
+++ b/Makefile
@@ -21,7 +21,7 @@ compile-lambda-linux-all:
        make ARCH=old compile-lambda-linux

 compile-with-docker:
-       docker run --env GOPROXY=direct -v $(shell pwd):/LambdaRuntimeLocal -w /LambdaRuntimeLocal golang:1.20 make ARCH=${ARCH} compile-lambda-linux
+       docker run --env GOPROXY=direct -v $(shell pwd):/LambdaRuntimeLocal -w /LambdaRuntimeLocal golang:1.21 make ARCH=${ARCH} compile-lambda-linux

 compile-lambda-linux:
        CGO_ENABLED=0 GOOS=linux GOARCH=${GO_ARCH_${ARCH}} go build -buildvcs=false -ldflags "${RELEASE_BUILD_LINKER_FLAGS}" -o ${DESTINATION_${ARCH}} ./cmd/aws-lambda-rie
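Review bot: the image tag `golang:1.21` in the `compile-with-docker` recipe floats to whatever 1.21.x patch the registry currently serves, so the standard library compiled into aws-lambda-rie, and with it the grype result, can change silently between builds; pin the full patch release you validated (for example `golang:1.21.8`) or the image digest, and bump it deliberately when a stdlib fix ships. Note also that the `compile-lambda-linux` target in the trailing context still runs whatever `go` is on PATH, so builds made outside Docker are not covered by this change.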
diff --git a/go.mod b/go.mod
index 990a7dd..954c4de 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module go.amzn.com

-go 1.20
+go 1.21

 require (
        github.com/aws/aws-lambda-go v1.41.0
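Review bot: raising the `go` directive to `1.21` does not by itself change which standard library is linked into the binary; the CVE findings are keyed to the toolchain that runs `go build` (recorded in the binary's build info), so the Makefile image change is what actually clears them. Since Go 1.21 the directive is treated as a minimum version, and `go 1.21` means 1.21.0, so it does not guarantee the patched 1.21.8 stdlib either; only the build image does. Worth a sentence in the PR description.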
@@ -16,7 +16,7 @@ require (
        github.com/davecgh/go-spew v1.1.1 // indirect
        github.com/pmezard/go-difflib v1.0.0 // indirect
        github.com/stretchr/objx v0.5.0 // indirect
-       golang.org/x/net v0.18.0 // indirect
-       golang.org/x/sys v0.14.0 // indirect
+       golang.org/x/net v0.22.0 // indirect
+       golang.org/x/sys v0.18.0 // indirect
        gopkg.in/yaml.v3 v3.0.1 // indirect
 )
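Review bot: the `golang.org/x/net` and `golang.org/x/sys` bumps are unrelated to the reported findings, which are all against `stdlib`; either state why they are included (a separate advisory, or simply the output of `go mod tidy` under the new toolchain) or split them into their own change so the toolchain fix can be reviewed and reverted on its own.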
diff --git a/go.sum b/go.sum
index 0ea11d6..005de80 100644
--- a/go.sum
+++ b/go.sum
@@ -22,15 +22,16 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg=
-golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ=
+golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
+golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
 golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
-golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
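Review bot: the go.sum changes look like the output of `go mod tidy` rather than a hand edit (the new `golang.org/x/text v0.14.0/go.mod` line with no matching go.mod change points that way), but please say so in the description and run `go mod verify` in CI so the hashes for the new x/net and x/sys versions are checked against the checksum database rather than trusted from the diff. The identical `/go.mod` hash for x/sys v0.14.0 and v0.18.0 is expected: it only covers the module's go.mod file, which is byte-identical between those two releases, so it is not a sign of anything wrong.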
valerena commented 5 months ago

Hi. Thanks for the report. We recently updated to the latest version in Go 1.20, but we might have to update to 1.21 like you mention. We'll take a look.

valerena commented 5 months ago

New version released using Go 1.21.8 https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/tag/v1.17

No vulnerabilities found on this version with grype.
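As an added check, not part of the project or of either comment above: a small Go program that reads the toolchain version embedded in a built binary (the same value grype matched the stdlib CVEs against) and compares it with a minimum patch release, so a pipeline can fail a binary built with go1.20.14 before the scanner even runs. The function names and the version strings used as input are mine.

```go
package main
import (
	"debug/buildinfo"
	"fmt"
	"strconv"
	"strings"
)

// parseGoVersion turns "go1.21.8" into [1 21 8] and "go1.21" into [1 21 0]; pre-release
// strings such as "go1.22rc1" are rejected, so an rc never satisfies a release minimum.
func parseGoVersion(v string) (out [3]int, err error) {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i, p := range parts {
		if out[i], err = strconv.Atoi(p); err != nil || out[i] < 0 {
			return out, fmt.Errorf("unrecognised Go version %q", v)
		}
	}
	return out, nil
}

// AtLeast reports whether toolchain version have is >= want, so that
// AtLeast("go1.20.14", "go1.21.8") is false and AtLeast("go1.21.8", "go1.21.8") is true.
func AtLeast(have, want string) (bool, error) {
	h, errH := parseGoVersion(have)
	w, errW := parseGoVersion(want)
	if errH != nil || errW != nil {
		return false, fmt.Errorf("cannot compare %q with %q", have, want)
	}
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i], nil
		}
	}
	return true, nil
}

// CheckBinary reads the toolchain version recorded in the build info of the
// executable at path (the value `go version -m` prints, and the one grype
// matched the stdlib CVEs against) and compares it with minimum.
func CheckBinary(path, minimum string) (string, bool, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	ok, err := AtLeast(bi.GoVersion, minimum)
	return bi.GoVersion, ok, err
}
```

Calling `CheckBinary("./bin/aws-lambda-rie", "go1.21.8")` on a release built from the floating `golang:1.21` image tells you which patch level actually went into the artifact, independent of what go.mod says.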