golang-migrate / migrate

Database migrations. CLI and Golang library.

Upgrade github.com/snowflakedb/gosnowflake to the newer version #569

Open xdingsplk opened 3 years ago

xdingsplk commented 3 years ago

Describe the Bug

github.com/snowflakedb/gosnowflake@v1.3.5 has a dependency on github.com/dgrijalva/jwt-go@v3.2.0+incompatible. This version of jwt-go has a vulnerability of:

dhui commented 3 years ago

Thanks for the report. It looks like this is the vulnerability you were referring to

xdingsplk commented 3 years ago

Thanks for the commit to fix it

xdingsplk commented 3 years ago

Just a follow-up on this. I realized that gosnowflakeDB still has a dependency on this vulnerable jwt-go. They removed the direct dependency, but later on they added another dependency which brings it back.

github.com/golang-migrate/migrate/v4@v4.14.2-0.20210521165626-8a1a8534dc64
- github.com/snowflakedb/gosnowflake@v1.4.3
-- github.com/Azure/azure-storage-blob-go@v0.13.0
--- github.com/Azure/go-autorest/autorest/adal@v0.9.2
---- github.com/dgrijalva/jwt-go@v3.2.0+incompatible

dhui commented 3 years ago

Haha! 🤦

Thanks for re-reporting! I've reopened the issue and will keep it open until the upstream dependencies are fixed. Looks like this is still an issue in v1.5.0.

xdingsplk commented 3 years ago

Just FYI, my team decided to use "replace" to get rid of the vulnerable code in jwt-go. It was too much for us to track the dependencies all the way down to 4 repos. But we can keep the issue open to track this vulnerability.
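
Tracking a transitive module "all the way down" is exactly what `go mod graph` emits the raw data for, so here is an added example (not part of this thread and not golang-migrate's own code) that walks that graph and prints every chain from the main module to a named module path, in the dash-indented style used in this issue. The embedded graph is a constructed, abbreviated sample built from the two jwt-go chains quoted above, not a capture from the repository; the function names (`parseGraph`, `pathsTo`, `render`) are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Constructed sample of `go mod graph` output ("parent child" per line), cut
// down to the modules that matter for the two jwt-go chains quoted in this
// thread. It is an illustration, not a capture from the real repository.
const sampleGraph = `github.com/golang-migrate/migrate/v4 github.com/snowflakedb/gosnowflake@v1.4.3
github.com/golang-migrate/migrate/v4 github.com/dhui/dktest@v0.3.7
github.com/snowflakedb/gosnowflake@v1.4.3 github.com/Azure/azure-storage-blob-go@v0.13.0
github.com/Azure/azure-storage-blob-go@v0.13.0 github.com/Azure/go-autorest/autorest/adal@v0.9.2
github.com/Azure/go-autorest/autorest/adal@v0.9.2 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/dhui/dktest@v0.3.7 github.com/containerd/containerd@v1.5.7
github.com/containerd/containerd@v1.5.7 github.com/Microsoft/hcsshim@v0.8.21
github.com/Microsoft/hcsshim@v0.8.21 github.com/containerd/containerd@v1.5.1
github.com/containerd/containerd@v1.5.1 k8s.io/component-base@v0.20.6
k8s.io/component-base@v0.20.6 k8s.io/client-go@v0.20.6
k8s.io/client-go@v0.20.6 github.com/Azure/go-autorest/autorest@v0.11.1
github.com/Azure/go-autorest/autorest@v0.11.1 github.com/Azure/go-autorest/autorest/adal@v0.9.0
github.com/Azure/go-autorest/autorest/adal@v0.9.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
`

// parseGraph turns `go mod graph` output into an adjacency list keyed by
// "module@version". The main module appears without a version, as in the tool.
func parseGraph(r io.Reader) (map[string][]string, error) {
	edges := make(map[string][]string)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 2 {
			return nil, fmt.Errorf("malformed graph line: %q", line)
		}
		edges[f[0]] = append(edges[f[0]], f[1])
	}
	return edges, sc.Err()
}

// modulePath strips the "@version" suffix so every version of a module matches.
func modulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// pathsTo lists every simple path from root to a node whose module path is
// target, shortest first. Each path is a separate reason the module is in the
// build list: with minimal version selection, all of them must be broken
// (upgraded or replaced) before the module drops out of go.sum.
func pathsTo(edges map[string][]string, root, target string) [][]string {
	var found [][]string
	onPath := map[string]bool{root: true} // guards against cycles in the module graph
	var walk func(node string, path []string)
	walk = func(node string, path []string) {
		if modulePath(node) == target {
			found = append(found, append([]string(nil), path...)) // copy: path is reused by siblings
			return
		}
		for _, next := range edges[node] {
			if onPath[next] {
				continue
			}
			onPath[next] = true
			walk(next, append(path, next))
			delete(onPath, next)
		}
	}
	walk(root, []string{root})
	sort.SliceStable(found, func(i, j int) bool { return len(found[i]) < len(found[j]) })
	return found
}

// render writes one chain in the dash-indented style used in this issue.
func render(path []string) string {
	var b strings.Builder
	for depth, node := range path {
		if depth > 0 {
			b.WriteString(strings.Repeat("-", depth) + " ")
		}
		b.WriteString(node + "\n")
	}
	return b.String()
}

func main() {
	edges, err := parseGraph(strings.NewReader(sampleGraph))
	if err != nil {
		panic(err)
	}
	root, target := "github.com/golang-migrate/migrate/v4", "github.com/dgrijalva/jwt-go"
	chains := pathsTo(edges, root, target)
	fmt.Printf("%d chain(s) from %s to %s\n\n", len(chains), root, target)
	for _, c := range chains {
		fmt.Println(render(c))
	}
}
```

To run it against a real module, swap `strings.NewReader(sampleGraph)` for `os.Stdin` and pipe `go mod graph` into it; `go mod why -m github.com/dgrijalva/jwt-go` is the built-in shortcut but shows only one path, whereas every path has to be cut. Two caveats for the "replace" approach mentioned above: a `replace` directive is only honoured in the main module's go.mod and is ignored when that module is consumed as a library, so it has to live in every downstream repo rather than in golang-migrate itself; and the usual target for it, `replace github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt v3.2.1+incompatible`, points at the maintained fork, which this thread does not name.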

kchodnicki commented 2 years ago

The issue still exists:

github.com/dhui/dktest@v0.3.7
- github.com/containerd/containerd@v1.5.7
-- github.com/Microsoft/hcsshim@v0.8.21
--- github.com/containerd/containerd@v1.5.1 (yeah...)
---- k8s.io/component-base@v0.20.6 (also 0.20.1 and 0.20.4)
----- k8s.io/client-go@v0.20.6
------ github.com/Azure/go-autorest/autorest@v0.11.1
------- github.com/Azure/go-autorest/autorest/adal@v0.9.0
-------- github.com/dgrijalva/jwt-go@v3.2.0+incompatible

I know it's only used for testing, but still... CVE details: https://nvd.nist.gov/vuln/detail/CVE-2020-26160

zibi94 commented 2 years ago

And more issues:

[CVE-2020-8558] The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, ...
[CVE-2019-11248] The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet ...
[CVE-2019-11247] The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custo...
[CVE-2019-11243] Credentials Management
[CVE-2021-25741] A security issue was discovered in Kubernetes where a user may be able to create...
[CVE-2020-8552] The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, ...
[CVE-2019-11253] Improper input validation in the Kubernetes API server in versions v1.0-1.12 and...

-> github.com/golang-migrate/migrate/v4@v4.15.1
--> github.com/dhui/dktest@v0.3.7
---> github.com/containerd/containerd@v1.5.7
----> github.com/containerd/aufs@v1.0.0
-----> github.com/containerd/containerd@v1.5.0-beta.3
------> github.com/Microsoft/hcsshim@v0.8.15
-------> github.com/containerd/containerd@v1.5.0-beta.1
--------> github.com/containerd/aufs@v0.0.0-20200908144142-dab0cbea06f4
----------> github.com/Microsoft/hcsshim@v0.8.7
-----------> k8s.io/kubernetes@v1.13.0

[CVE-2020-15114] In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP prox...

-> github.com/golang-migrate/migrate/v4@v4.15.1
--> github.com/dhui/dktest@v0.3.7
---> github.com/containerd/containerd@v1.5.7
----> github.com/containerd/continuity@v0.1.0
-----> github.com/spf13/cobra@v1.0.0
------> github.com/spf13/viper@v1.4.0
-------> github.com/coreos/etcd@v3.3.10+incompatible

zibi94 commented 2 years ago

Nancy again found vulnerabilities:

[CVE-2022-24778] CWE-863: Incorrect Authorization

--> github.com/golang-migrate/migrate/v4@v4.15.2
----> github.com/dhui/dktest@v0.3.10
------> github.com/containerd/containerd@v1.6.1
--------> github.com/containerd/imgcrypt@v1.1.3

sonatype-2021-0853

--> github.com/golang-migrate/migrate/v4@v4.15.2
----> github.com/jackc/pgproto3/v2@v2.0.7

[CVE-2022-29162] CWE-276: Incorrect Default Permissions

--> github.com/golang-migrate/migrate/v4@v4.15.2
----> github.com/dhui/dktest@v0.3.10
------> github.com/containerd/containerd@v1.6.1
--------> github.com/opencontainers/runc@v1.1.0

[CVE-2022-21698] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

--> github.com/golang-migrate/migrate/v4@v4.15.2
----> github.com/dhui/dktest@v0.3.10
------> github.com/containerd/containerd@v1.6.1
---------> github.com/prometheus/client_golang@v1.11.0

[CVE-2020-8558] CWE-287: Improper Authentication
[CVE-2019-11248] CWE-862: Missing Authorization
[CVE-2019-11243] CWE-212: Improper Cross-boundary Removal of Sensitive Data
[CVE-2019-11247] CWE-863: Incorrect Authorization
[CVE-2021-25741] CWE-552: Files or Directories Accessible to External Parties
[CVE-2019-11253] CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
[CVE-2020-8559] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
[CVE-2019-1002100] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
[CVE-2019-11249] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[CVE-2019-11250] CWE-532: Information Exposure Through Log Files
[CVE-2019-11252] CWE-209: Information Exposure Through an Error Message
[CVE-2019-11254] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
[CVE-2020-8551] CWE-770: Allocation of Resources Without Limits or Throttling
[CVE-2021-25735] CWE-863: Incorrect Authorization
[CVE-2019-11251] CWE-59: Improper Link Resolution Before File Access ('Link Following')
[CVE-2020-8566] CWE-532: Information Exposure Through Log Files
[CVE-2020-8557] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
[CVE-2020-8564] CWE-532: Information Exposure Through Log Files
[CVE-2020-8565] CWE-532: Information Exposure Through Log Files
[CVE-2019-1002101] CWE-59: Improper Link Resolution Before File Access ('Link Following')
[CVE-2019-11244] CWE-732: Incorrect Permission Assignment for Critical Resource
[CVE-2020-8554] CWE-863: Incorrect Authorization
[CVE-2021-3636] CWE-287: Improper Authentication
[CVE-2021-25736] CWE-20: Improper Input Validation
[CVE-2020-8552] CWE-770: Allocation of Resources Without Limits or Throttling
[CVE-2020-8561] CWE-610: Externally Controlled Reference to a Resource in Another Sphere
[CVE-2020-8562] CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
[CVE-2021-25740] CWE-610: Externally Controlled Reference to a Resource in Another Sphere
[CVE-2021-25743] CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
[CVE-2018-1002102] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

--> github.com/golang-migrate/migrate/v4@v4.15.2
----> github.com/dhui/dktest@v0.3.10
------> github.com/containerd/containerd@v1.6.1
--------> github.com/Microsoft/hcsshim@v0.8.7
-----------> k8s.io/kubernetes@v1.13.0

sonatype-2019-0702

--> github.com/golang-migrate/migrate/v4@v4.15.2
----> go.mongodb.org/mongo-driver@v1.7.0
------> github.com/gobuffalo/packr/v2@v2.2.0

serhatperkmen commented 1 year ago

Hello folks,

Any update about the vulnerabilities?