dollarshaveclub / vaultenvporter-go

A tool for turning a set of Vault secrets into environment variables
MIT License

Potential collision and risk from indirect dependence “github.com/dancannon/gorethink” #12

Open KateGo520 opened 4 years ago

KateGo520 commented 4 years ago

Dependency line:

github.com/dollarshaveclub/vaultenvporter-go --> github.com/hashicorp/vault --> gopkg.in/ory-am/dockertest.v2 --> github.com/dancannon/gorethink

gopkg.in/ory-am/dockertest.v2 v2.2.3 --> github.com/dancannon/gorethink v2.1.3 https://github.com/ory/dockertest/blob/v2.2.3/glide.yaml#L14

```yaml
- package: github.com/dancannon/gorethink
  version: ~2.1.3
```

Background

1. gorethink has already renamed its import path from "github.com/dancannon/gorethink" to "gopkg.in/gorethink/gorethink.v2" in version v2.1.3. As the README of gorethink v2.1.3 says, downstream repos should use "gopkg.in/dancannon/gorethink.v2" to get or import gorethink.

**Installation**

```shell
go get gopkg.in/dancannon/gorethink.v2
```

**Example**

```go
package gorethink_test

import (
    "fmt"
    "log"

    r "gopkg.in/dancannon/gorethink.v2"
)
…
```

But gopkg.in/ory-am/dockertest.v2 still used the old path: https://github.com/ory/dockertest/blob/v2.2.3/glide.yaml#L14

```yaml
- package: github.com/dancannon/gorethink
  version: ~2.1.3
```

So Go modules pulled the latest version that didn't have a go.mod, v4.0.0. From the Go modules point of view, the path github.com/dancannon/gorethink corresponds to version v0/v1 or to the latest version that didn't use modules.

2. I found that gopkg.in/gorethink/gorethink.v4 and github.com/dancannon/gorethink coexist in this repo: https://github.com/dollarshaveclub/vaultenvporter-go/blob/master/go.mod (lines 38 & 158)

```
github.com/dancannon/gorethink v4.0.0+incompatible // indirect
gopkg.in/gorethink/gorethink.v4 v4.1.0 // indirect
```

That's because gorethink has already renamed its import path from "github.com/dancannon/gorethink" to "gopkg.in/gorethink/gorethink.v4" in version v4.x.y. When you use the old path "github.com/dancannon/gorethink" to import gorethink, it reintroduces gorethink through the import statement "import gopkg.in/gorethink/gorethink.v4" in gorethink's own Go source files.

https://github.com/rethinkdb/rethinkdb-go/blob/v4.0.0/query_db.go#L4

```go
package gorethink

import (
    p "gopkg.in/gorethink/gorethink.v4/ql2"
)
```

"gopkg.in/gorethink/gorethink.v4" and "github.com/dancannon/gorethink" are the same repo. They will work in isolation, which brings about potential risks and problems. And actually the version that gopkg.in/ory-am/dockertest.v2 requires is v2.1.3. All of these can bring potential problems.

Solution

1. Add a replace statement in the go.mod file:

   ```
   replace github.com/dancannon/gorethink => gopkg.in/gorethink/gorethink.v2 v2.1.3
   ```

   Or keep using version v4.0.0. v2.1.3 is too old and might bring in some old incompatible paths, such as "github.com/Sirupsen/logrus".

   ```
   replace github.com/dancannon/gorethink => gopkg.in/gorethink/gorethink.v4 v4.0.0
   ```

   Then clean the dependencies.

2. Update the direct dependency github.com/hashicorp/vault. The latest version of github.com/hashicorp/vault is v1.5.0. This problem does not exist in the new version.

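
Added example, not code from the issue or from the vaultenvporter-go project: a small Go audit that parses a constructed go.mod excerpt modelled on the lines quoted above and reports the two symptoms described in this issue, a `+incompatible` requirement (a v2+ tag resolved without a go.mod) and a legacy import path that coexists with its renamed module. The `knownRenames` mapping, the sample file contents and the simple require-block parser are assumptions made for the example.

```go
package main
import ("fmt"; "sort"; "strings")

// Constructed go.mod excerpt modelled on the issue; it is not the project's real file.
const sampleGoMod = `module example.com/app
require (
	github.com/dancannon/gorethink v4.0.0+incompatible // indirect
	github.com/hashicorp/vault v1.3.0
	gopkg.in/gorethink/gorethink.v4 v4.1.0 // indirect
)`

// Legacy import path -> prefix of the repo's renamed module path (assumed mapping, taken from the issue text).
var knownRenames = map[string]string{"github.com/dancannon/gorethink": "gopkg.in/gorethink/gorethink.v"}

// parseRequires collects "path version" pairs from the lines of a require block.
func parseRequires(gomod string) map[string]string {
	reqs := map[string]string{}
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // strip "// indirect" and similar
		if len(f) == 2 && strings.Contains(f[0], ".") && strings.HasPrefix(f[1], "v") { // "path version"
			reqs[f[0]] = f[1]
		}
	}
	return reqs
}

// AuditGoMod reports the two symptoms from the issue: a v2+ tag pulled without a
// go.mod (+incompatible), and a legacy path coexisting with its renamed module.
func AuditGoMod(gomod string) []string {
	reqs := parseRequires(gomod)
	var out []string
	for path, ver := range reqs {
		if strings.HasSuffix(ver, "+incompatible") {
			out = append(out, path+" "+ver+": v2+ tag resolved without go.mod (+incompatible)")
		}
		for other := range reqs {
			if p := knownRenames[path]; p != "" && strings.HasPrefix(other, p) {
				out = append(out, path+" coexists with "+other+": add a replace directive")
			}
		}
	}
	sort.Strings(out) // map iteration order is random; make the report stable
	return out
}

func main() {
	for _, finding := range AuditGoMod(sampleGoMod) {
		fmt.Println(finding)
	}
}
```

Running it against a real go.mod after applying one of the replace directives above should leave the legacy path with no findings.
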
KateGo520 commented 4 years ago

@mikeykhalil Could you help me review this issue? Thx :p

mikeykhalil commented 4 years ago

Sorry, just saw this! Will dig into this tomorrow.