Closed darkn3rd closed 1 month ago
What version of Dgraph are you using? (result of `dgraph version`)

main branch based on v21.03 branch

Tell us a little more about your go-environment? (result of `go version`)

Have you tried reproducing the issue with the latest release?

yes

What is the hardware spec (RAM, CPU, OS)?

n/a

Steps to reproduce the issue (command/config used to run Dgraph).

```sh
brew tap snyk/tap
brew install snyk
snyk test
```

Expected behavior and actual result.

I expected that there would be no security vulnerabilities, but I found this report:

```
✗ Medium severity vulnerability found in gopkg.in/yaml.v2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV2-1083943
  Introduced through: gopkg.in/yaml.v2@2.2.4, github.com/spf13/viper@1.7.1
  From: gopkg.in/yaml.v2@2.2.4
  From: github.com/spf13/viper@1.7.1 > gopkg.in/yaml.v2@2.2.4
  Fixed in: 2.2.8

✗ Medium severity vulnerability found in golang.org/x/text/internal/language
  Description: Out-of-bounds Read
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTINTERNALLANGUAGE-2400718
  Introduced through: golang.org/x/text/language@0.3.3, golang.org/x/text/collate@0.3.3
  From: golang.org/x/text/language@0.3.3 > golang.org/x/text/internal/language@0.3.3
  From: golang.org/x/text/collate@0.3.3 > golang.org/x/text/language@0.3.3 > golang.org/x/text/internal/language@0.3.3
  From: golang.org/x/text/language@0.3.3 > golang.org/x/text/internal/language/compact@0.3.3 > golang.org/x/text/internal/language@0.3.3
  and 1 more...
  Fixed in: 0.3.7

✗ Medium severity vulnerability found in github.com/prometheus/client_golang/prometheus/promhttp
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPROMETHEUSCLIENTGOLANGPROMETHEUSPROMHTTP-2401819
  Introduced through: contrib.go.opencensus.io/exporter/prometheus@0.1.0
  From: contrib.go.opencensus.io/exporter/prometheus@0.1.0 > github.com/prometheus/client_golang/prometheus/promhttp@0.9.3
  Fixed in: 1.11.1

✗ Medium severity vulnerability found in github.com/graph-gophers/graphql-go/internal/validation
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGRAPHGOPHERSGRAPHQLGOINTERNALVALIDATION-2359051
  Introduced through: github.com/graph-gophers/graphql-go@#dae41bde9ef9, github.com/graph-gophers/graphql-go/relay@#dae41bde9ef9
  From: github.com/graph-gophers/graphql-go@#dae41bde9ef9 > github.com/graph-gophers/graphql-go/internal/validation@#dae41bde9ef9
  From: github.com/graph-gophers/graphql-go/relay@#dae41bde9ef9 > github.com/graph-gophers/graphql-go@#dae41bde9ef9 > github.com/graph-gophers/graphql-go/internal/validation@#dae41bde9ef9
  Fixed in: 1.3.0

✗ Medium severity vulnerability found in github.com/apache/thrift/lib/go/thrift
  Description: Improper Input Validation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMAPACHETHRIFTLIBGOTHRIFT-474612
  Introduced through: contrib.go.opencensus.io/exporter/jaeger@0.1.0
  From: contrib.go.opencensus.io/exporter/jaeger@0.1.0 > github.com/apache/thrift/lib/go/thrift@0.12.0
  From: contrib.go.opencensus.io/exporter/jaeger@0.1.0 > contrib.go.opencensus.io/exporter/jaeger/internal/gen-go/jaeger@0.1.0 > github.com/apache/thrift/lib/go/thrift@0.12.0
  Fixed in: 0.13.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
  Introduced through: github.com/stretchr/testify/require@1.6.1
  From: github.com/stretchr/testify/require@1.6.1 > github.com/stretchr/testify/assert@1.6.1 > gopkg.in/yaml.v3@#eeeca48fe776
  Fixed in: 3.0.0

✗ High severity vulnerability found in github.com/dgrijalva/jwt-go
  Description: Access Restriction Bypass
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515
  Introduced through: github.com/dgrijalva/jwt-go@3.2.0
  From: github.com/dgrijalva/jwt-go@3.2.0
  Fixed in: 4.0.0-preview1
```

This issue has been stale for 60 days and will be closed automatically in 7 days. Comment to keep it open.