go-playground / validator

:100: Go Struct and Field validation, including Cross Field, Cross Struct, Map, Slice and Array diving
MIT License

Update go.mod/go.sum using go mod tidy to avoid false positive in vulnerability scan #1071

Closed tremblaysimon closed 1 year ago

tremblaysimon commented 1 year ago

Fixes Or Enhances

Running the trivy scanner reported a vulnerability from the old golang.org/x/net v0.0.0. I think it's because the go.sum wasn't properly updated, and the vulnerable version isn't used anymore, even in transitive dependencies.

┌──────────────────┬────────────────┬──────────┬────────────────────────────────────┬─────────────────────────────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │         Installed Version          │            Fixed Version            │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────────────────────────────────┼─────────────────────────────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2022-41721 │ HIGH     │ v0.0.0-20220722155237-a158d28d115b │ 0.1.1-0.20221104162952-702349b0e862 │ A request smuggling attack is possible when using │
│                  │                │          │                                    │                                     │ MaxBytesHandler. Whe ...                          │
│                  │                │          │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2022-41721        │
└──────────────────┴────────────────┴──────────┴────────────────────────────────────┴─────────────────────────────────────┴───────────────────────────────────────────────────┘

Reference: https://pkg.go.dev/vuln/GO-2023-1495

Make sure that you've checked the boxes below before you submit the PR:

@go-playground/validator-maintainers
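The false positive described in this PR comes from a go.sum that still records hashes for a module version that is no longer in the build list. A scanner that enumerates dependencies from go.sum rather than from the resolved module graph will then report the old version. The program below is an added example (not code from the validator project or from the PR author) that detects that situation offline: it parses a go.mod and a go.sum and reports every module-zip hash in go.sum whose version differs from the version go.mod requires. Both input files are constructed samples; the go.sum entry for the old x/net pseudo-version mirrors the one trivy flagged above.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sampleGoMod is a constructed go.mod, not the validator project's real one.
const sampleGoMod = `module example.com/app

go 1.20

require (
	golang.org/x/crypto v0.7.0
	golang.org/x/net v0.8.0 // indirect
)
`

// sampleGoSum is a constructed go.sum that still carries hashes for an old
// x/net pseudo-version that is no longer required by the go.mod above.
const sampleGoSum = `golang.org/x/crypto v0.7.0 h1:AAAA=
golang.org/x/crypto v0.7.0/go.mod h1:BBBB=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b h1:CCCC=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:DDDD=
golang.org/x/net v0.8.0 h1:EEEE=
golang.org/x/net v0.8.0/go.mod h1:FFFF=
`

// requiredVersions returns module path -> version for every require
// directive in a go.mod, handling both the block form and the single-line form.
func requiredVersions(gomod string) map[string]string {
	req := make(map[string]string)
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop "// indirect" and other comments
		}
		fields := strings.Fields(line)
		switch {
		case len(fields) == 0:
			continue
		case inBlock && fields[0] == ")":
			inBlock = false
		case inBlock && len(fields) >= 2:
			req[fields[0]] = fields[1]
		case fields[0] == "require" && len(fields) == 2 && fields[1] == "(":
			inBlock = true
		case fields[0] == "require" && len(fields) >= 3:
			req[fields[1]] = fields[2]
		}
	}
	return req
}

// staleZipHashes returns "module version" pairs for which go.sum records a
// module-zip hash (the line without the /go.mod suffix) at a version other
// than the one go.mod requires. Only modules present in go.mod are checked,
// because go.sum legitimately keeps /go.mod hashes for versions that are read
// only while resolving the module graph. A hit means go.sum was not tidied
// after an upgrade, which is exactly what trips a go.sum-based scanner.
func staleZipHashes(gomod, gosum string) []string {
	req := requiredVersions(gomod)
	var stale []string
	sc := bufio.NewScanner(strings.NewReader(gosum))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 3 || strings.HasSuffix(fields[1], "/go.mod") {
			continue
		}
		mod, ver := fields[0], fields[1]
		if want, ok := req[mod]; ok && want != ver {
			stale = append(stale, mod+" "+ver)
		}
	}
	sort.Strings(stale)
	return stale
}

func main() {
	for _, e := range staleZipHashes(sampleGoMod, sampleGoSum) {
		fmt.Println("stale go.sum entry:", e)
	}
}
```

Running this on the samples reports `golang.org/x/net v0.0.0-20220722155237-a158d28d115b`, the version trivy listed as installed. In a real repository the fix is the one this PR applies, `go mod tidy`; to confirm what is actually built rather than what go.sum remembers, use `go list -m all` (the resolved build list) and `govulncheck ./...`, which reports only vulnerabilities in code the module graph reaches.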

coveralls commented 1 year ago

Coverage Status

Coverage: 74.191%. Remained the same when pulling 85e5a0f27f38c23e24094c93c3fa1f8aea4b9ff0 on tremblaysimon:updateGoModules into 8f07b0368280d9fc70b4ffd3708b31427bbc286d on go-playground:master.

tremblaysimon commented 1 year ago

@deankarn, I don't know if it's possible to get this merged if it's ok for you. Thank you very much.

Simon