Closed udf2457 closed 2 months ago
If you run govulncheck ./... against this codebase, you get notified of the following:
govulncheck ./...
Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.19.0
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
      #1: cmd/root.go:81:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.ConnectionError.Error
      #2: pkg/storage/sos/object.go:629:47: sos.ShowObjectOutput.ToTable calls fmt.Sprint, which eventually calls http2.ErrCode.String
      #3: pkg/storage/sos/object.go:629:47: sos.ShowObjectOutput.ToTable calls fmt.Sprint, which eventually calls http2.FrameHeader.String
      #4: pkg/storage/sos/object.go:629:47: sos.ShowObjectOutput.ToTable calls fmt.Sprint, which eventually calls http2.FrameType.String
      #5: cmd/root.go:81:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.GoAwayError.Error
      #6: pkg/storage/sos/object.go:629:47: sos.ShowObjectOutput.ToTable calls fmt.Sprint, which eventually calls http2.Setting.String
      #7: pkg/storage/sos/object.go:629:47: sos.ShowObjectOutput.ToTable calls fmt.Sprint, which eventually calls http2.SettingID.String
      #8: cmd/root.go:81:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.StreamError.Error
      #9: pkg/storage/sos/object.go:508:14: sos.Client.UploadFile calls fmt.Fprintf, which eventually calls http2.chunkWriter.Write
      #10: cmd/root.go:81:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.connError.Error
      #11: cmd/internal/x/x.gen.go:10472:37: x.XListTemplates calls viper.Viper.GetString, which eventually calls http2.duplicatePseudoHeaderError.Error
      #12: pkg/status/status.go:180:2: status.GetStatusPage calls http2.gzipReader.Close
      #13: pkg/userdata/userdata.go:73:29: userdata.DecodeUserData calls io.ReadAll, which calls http2.gzipReader.Read
      #14: cmd/internal/x/x.gen.go:10472:37: x.XListTemplates calls viper.Viper.GetString, which eventually calls http2.headerFieldNameError.Error
      #15: cmd/internal/x/x.gen.go:10472:37: x.XListTemplates calls viper.Viper.GetString, which eventually calls http2.headerFieldValueError.Error
      #16: cmd/internal/x/x.gen.go:10472:37: x.XListTemplates calls viper.Viper.GetString, which eventually calls http2.pseudoHeaderError.Error
      #17: pkg/storage/sos/object.go:508:14: sos.Client.UploadFile calls fmt.Fprintf, which eventually calls http2.stickyErrWriter.Write
      #18: pkg/status/status.go:180:2: status.GetStatusPage calls http2.transportResponseBody.Close
      #19: pkg/userdata/userdata.go:73:29: userdata.DecodeUserData calls io.ReadAll, which calls http2.transportResponseBody.Read
      #20: pkg/storage/sos/object.go:629:47: sos.ShowObjectOutput.ToTable calls fmt.Sprint, which eventually calls http2.writeData.String
Thanks for the report :)
We are aware of it; this one will be merged ASAP: https://github.com/exoscale/cli/pull/592
Thanks