codeclimate / test-reporter

Code Climate Test Reporter
MIT License

QUA-678: Update golang crypto dependency version #497

Closed camillof closed 2 years ago

camillof commented 2 years ago

Context

As reported on #496, a golang crypto dependency has a vulnerability in the version used by the test-reporter: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTO-2825234

Details

This PR updates the golang.org/x/crypto dependency from revision 04eae0b62feaaf659a0ce2c4e8dc70b6ae2fff67 to revision 630584e8d5aaa1472863b49679b2d5548d80dcba. The Gopkg.lock diff can be large because of a format change in newer versions of dep, but the most important change is here: https://github.com/codeclimate/test-reporter/compare/master...QUA-678/Fix-CC-reporter-go-crypto-vulnerability#diff-bbebd336cd92f353b3401e61be3cb9eb0267ea89704f556ce40c944cc5257e08R105

Snyk inspect before: [screenshot: BEFORE]

Snyk inspect after: [screenshot: AFTER]

Command run to update the dependency: dep ensure -update golang.org/x/crypto

Closes #496
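As an added example (not part of this PR or of the test-reporter code), a small check that reads a Gopkg.lock and confirms that golang.org/x/crypto is pinned to the fixed revision named in this PR rather than the vulnerable one. The lock file text below is constructed in dep's `[[projects]]` format, and the function and constant names are my own.

```python
import re

# The two revisions named in this PR (vulnerable -> fixed).
VULNERABLE_REV = "04eae0b62feaaf659a0ce2c4e8dc70b6ae2fff67"
FIXED_REV = "630584e8d5aaa1472863b49679b2d5548d80dcba"

# Constructed Gopkg.lock excerpt in dep's format; not the project's real file.
SAMPLE_LOCK = """\
[[projects]]
  digest = "1:constructed"
  name = "github.com/pkg/errors"
  packages = ["."]
  pruneopts = "UT"
  revision = "0000000000000000000000000000000000000001"
  version = "v0.8.1"

[[projects]]
  branch = "master"
  digest = "1:constructed"
  name = "golang.org/x/crypto"
  packages = ["ssh/terminal"]
  pruneopts = "UT"
  revision = "630584e8d5aaa1472863b49679b2d5548d80dcba"

[solve-meta]
  analyzer-name = "dep"
"""

# key = "quoted scalar"; arrays such as packages are deliberately skipped.
_KV = re.compile(r'^\s*([\w-]+)\s*=\s*"([^"]*)"\s*$')


def parse_projects(lock_text):
    """Return {name: {key: value}} for every [[projects]] table."""
    projects, current = {}, None
    for line in lock_text.splitlines():
        stripped = line.strip()
        if stripped == "[[projects]]":
            current = {}          # start a new project table
            continue
        if stripped.startswith("["):
            current = None        # any other table ends the project list
            continue
        m = _KV.match(line)
        if current is not None and m:
            current[m.group(1)] = m.group(2)
            if m.group(1) == "name":
                projects[m.group(2)] = current  # same dict keeps later keys
    return projects


def crypto_revision(lock_text):
    return parse_projects(lock_text).get("golang.org/x/crypto", {}).get("revision")


def is_patched(lock_text):
    """True only when x/crypto is pinned to FIXED_REV; a missing entry fails."""
    return crypto_revision(lock_text) == FIXED_REV
```

Run it against the repository's own Gopkg.lock (for example in CI) to fail the build if the dependency is ever rolled back to the vulnerable revision.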

CLAassistant commented 2 years ago

CLA assistant check
All committers have signed the CLA.

camillof commented 2 years ago

dep was deprecated at the beginning of 2020 - https://github.com/golang/dep#dep

NOTE: Dep was an official experiment to implement a package manager for Go. As of 2020, Dep is deprecated and archived in favor of Go modules, which have had official support since Go 1.11. For more details, see https://golang.org/ref/mod.

There is an open PR that introduces the use of go modules, #492. It would be great if we could put this update in the queue. However, the snyk captures are really useful for proving these changes resolve the vulnerability. But I'm not sure the tests for the mac-os build have actually run, can we confirm that?

Congrats on your first PR 🎉

Nice catch, indeed, the tests for the mac-os build weren't running for a long time. A PR to fix that was merged here: #498, so I rebased this branch, and now they are running just fine.

I agree on stopping using Dep, are you OK with me creating a new task for this? As this PR could unblock the user who requested this change, and we can continue working on that migration?

fede-moya commented 2 years ago

@camillof

As this PR could unblock the user who requested this change, and we can continue working on that migration?

sounds good 👍🏼

fede-moya commented 2 years ago

@camillof can you open one of these https://github.com/codeclimate/test-reporter/pull/489/files once you merge this one?

camillof commented 2 years ago

@camillof can you open one of these https://github.com/codeclimate/test-reporter/pull/489/files once you merge this one?

Thanks for the heads up! Here it is: https://github.com/codeclimate/test-reporter/pull/500