fullstorydev / grpcurl

Like cURL, but for gRPC: Command-line tool for interacting with gRPC servers
MIT License

Update to Go 1.18 #300

Closed scotthew1 closed 1 year ago

scotthew1 commented 2 years ago

It looks like #250 has been open for a while now, but 1.18 has a particularly enticing change for macOS users.

From the change log:

crypto/x509

Certificate.Verify now uses platform APIs to verify certificate validity on macOS and iOS when it is called with a nil VerifyOpts.Roots or when using the root pool returned from SystemCertPool.

nehalshah50 commented 2 years ago

Same here. We are getting Go package vulnerability CVE-2021-36221 as well. Please upgrade ASAP.

scaswell-tsys commented 2 years ago

Is there a plan to have this upgrade done soon? I've had to remove grpcurl from my Docker image due to a dozen or so vulnerabilities in Go in versions prior to 1.18.1.

dragonsinth commented 2 years ago

Just to be clear on the ask, you want the released binaries and images to be built with Go 1.18 so that the binaries have the CVEs addressed? You're not asking for a go.mod minimum version bump.

scaswell-tsys commented 1 year ago

Yes, I'm asking for the released binaries and images to be built on Go 1.18 to address the CVE.

On Wed, Jul 20, 2022 at 2:49 PM Scott Blum @.***> wrote:

Just to be clear on the ask, you want the released binaries and images to be built with Go 1.18 so that the binaries have the CVEs addressed? You're not asking for a go.mod minimum version bump.

dragonsinth commented 1 year ago

https://github.com/fullstorydev/grpcurl/releases/tag/v1.8.7
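
The thread separates the toolchain a released binary was built with from the go.mod minimum version; scanner findings against the Go standard library follow the former, which the linker embeds in every Go binary. The following is an added example, not part of the original thread or the grpcurl project, that reads that embedded version and checks it against a floor such as the go1.18.1 mentioned above; `parseGoVersion`, `meetsFloor` and the `gofloor` name are hypothetical.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseGoVersion maps "go1.18.1" to 1018001; rc and devel builds are rejected.
func parseGoVersion(s string) (key int, ok bool) {
	f := strings.Fields(s) // drop any " X:..." experiment suffix
	if len(f) == 0 || !strings.HasPrefix(f[0], "go") {
		return 0, false
	}
	parts := strings.Split(f[0][2:], ".")
	if len(parts) == 2 {
		parts = append(parts, "0") // "go1.18" is patch level 0
	}
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n > 999 {
			return 0, false
		}
		key = key*1000 + n
	}
	return key, len(parts) == 3
}

// meetsFloor fails closed: an unreadable binary or unparseable version is false.
func meetsFloor(path, floor string) (bool, string) {
	info, err := buildinfo.ReadFile(path) // version recorded by the linker
	if err != nil {
		return false, err.Error()
	}
	have, ok1 := parseGoVersion(info.GoVersion)
	want, ok2 := parseGoVersion(floor)
	return ok1 && ok2 && have >= want, info.GoVersion
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: gofloor <binary> <floor, e.g. go1.18.1>")
		os.Exit(2)
	}
	ok, detail := meetsFloor(os.Args[1], os.Args[2])
	fmt.Printf("toolchain: %s, meets %s: %v\n", detail, os.Args[2], ok)
}
```

Where a Go toolchain is installed, `go version <binary>` prints the same embedded string.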