exoscale / cli

Command-line tool for everything at Exoscale: compute, storage, dns.
Apache License 2.0

[Request]: govulncheck reports issues with one of your dependencies (golang.org/x/net) #598

Closed udf2457 closed 2 months ago

udf2457 commented 3 months ago

Your request

If you run govulncheck ./... against this codebase, you get notified of the following:

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.19.0
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
      #1: cmd/root.go:81:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.ConnectionError.Error
      #2: pkg/storage/sos/object.go:629:47: sos.ShowObjectOutput.ToTable calls fmt.Sprint, which eventually calls http2.ErrCode.String
      #3: pkg/storage/sos/object.go:629:47: sos.ShowObjectOutput.ToTable calls fmt.Sprint, which eventually calls http2.FrameHeader.String
      #4: pkg/storage/sos/object.go:629:47: sos.ShowObjectOutput.ToTable calls fmt.Sprint, which eventually calls http2.FrameType.String
      #5: cmd/root.go:81:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.GoAwayError.Error
      #6: pkg/storage/sos/object.go:629:47: sos.ShowObjectOutput.ToTable calls fmt.Sprint, which eventually calls http2.Setting.String
      #7: pkg/storage/sos/object.go:629:47: sos.ShowObjectOutput.ToTable calls fmt.Sprint, which eventually calls http2.SettingID.String
      #8: cmd/root.go:81:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.StreamError.Error
      #9: pkg/storage/sos/object.go:508:14: sos.Client.UploadFile calls fmt.Fprintf, which eventually calls http2.chunkWriter.Write
      #10: cmd/root.go:81:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.connError.Error
      #11: cmd/internal/x/x.gen.go:10472:37: x.XListTemplates calls viper.Viper.GetString, which eventually calls http2.duplicatePseudoHeaderError.Error
      #12: pkg/status/status.go:180:2: status.GetStatusPage calls http2.gzipReader.Close
      #13: pkg/userdata/userdata.go:73:29: userdata.DecodeUserData calls io.ReadAll, which calls http2.gzipReader.Read
      #14: cmd/internal/x/x.gen.go:10472:37: x.XListTemplates calls viper.Viper.GetString, which eventually calls http2.headerFieldNameError.Error
      #15: cmd/internal/x/x.gen.go:10472:37: x.XListTemplates calls viper.Viper.GetString, which eventually calls http2.headerFieldValueError.Error
      #16: cmd/internal/x/x.gen.go:10472:37: x.XListTemplates calls viper.Viper.GetString, which eventually calls http2.pseudoHeaderError.Error
      #17: pkg/storage/sos/object.go:508:14: sos.Client.UploadFile calls fmt.Fprintf, which eventually calls http2.stickyErrWriter.Write
      #18: pkg/status/status.go:180:2: status.GetStatusPage calls http2.transportResponseBody.Close
      #19: pkg/userdata/userdata.go:73:29: userdata.DecodeUserData calls io.ReadAll, which calls http2.transportResponseBody.Read
      #20: pkg/storage/sos/object.go:629:47: sos.ShowObjectOutput.ToTable calls fmt.Sprint, which eventually calls http2.writeData.String

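As an added example (not code from the exoscale/cli project or from the reporter), a small Go check that reads a go.mod and flags a golang.org/x/net pin older than the v0.23.0 fix named in the report above. The sample go.mod content and the module path example.com/cli are constructed, and the version comparison deliberately ignores pre-release suffixes and pseudo-versions.

```go
package main

import (
	"strconv"
	"strings"
)

// Advisory data from the govulncheck report above: GO-2024-2687, fixed in x/net v0.23.0.
const vulnModule, fixedVersion = "golang.org/x/net", "v0.23.0"

// Constructed sample go.mod (an assumption, not the project's file) pinning the reported release.
const sampleGoMod = `module example.com/cli
require (
	golang.org/x/net v0.19.0 // indirect
)
`

// ModuleVersion returns the version go.mod pins for path (single-line or block require).
func ModuleVersion(goMod, path string) (string, bool) {
	for _, line := range strings.Split(goMod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" {
			f = f[1:]
		}
		if len(f) >= 2 && f[0] == path {
			return f[1], true
		}
	}
	return "", false
}

// VersionLess reports a < b for plain vMAJOR.MINOR.PATCH tags; pre-release suffixes are not handled (assumption).
func VersionLess(a, b string) bool {
	pa, pb := strings.Split(strings.TrimPrefix(a, "v"), "."), strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < len(pa) && i < len(pb); i++ {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			return x < y
		}
	}
	return len(pa) < len(pb)
}

// Affected returns the pinned golang.org/x/net version and whether it predates the fix.
func Affected(goMod string) (string, bool) {
	v, ok := ModuleVersion(goMod, vulnModule)
	return v, ok && VersionLess(v, fixedVersion)
}
```

Pointing Affected at a real go.mod reproduces the Found in / Fixed in part of the report without a network call; govulncheck remains the tool that also tells you whether the vulnerable symbols are actually reachable.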
pierre-emmanuelJ commented 2 months ago

Thanks for the report :)

We are aware of it; this one will be merged ASAP: https://github.com/exoscale/cli/pull/592

Thanks