golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

x/tools: update golang.org/x/net dependency to v0.17.0 to patch CVE-2023-44487 and CVE-2023-39325 #63577

Open lucasrod16 opened 12 months ago

lucasrod16 commented 12 months ago

https://github.com/advisories/GHSA-qppj-fm5r-hxr3 https://github.com/advisories/GHSA-4374-p667-p6c8

What version of Go are you using (go version)?

$ go version
go version go1.21.3 darwin/arm64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=''
GOARCH='arm64'
GOBIN='/Users/lucas/go/bin'
GOCACHE='/Users/lucas/Library/Caches/go-build'
GOENV='/Users/lucas/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/lucas/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/lucas/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/opt/homebrew/Cellar/go/1.21.3/libexec'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/opt/homebrew/Cellar/go/1.21.3/libexec/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.21.3'
GCCGO='gccgo'
AR='ar'
CC='cc'
CXX='c++'
CGO_ENABLED='1'
GOMOD='/Users/lucas/Code/defenseunicorns/zarf-init-aws/credential-helper/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/yy/c1vw1yp55n1bkj48n5vds7740000gn/T/go-build1393718305=/tmp/go-build -gno-record-gcc-switches -fno-common'

What did you do?

  1. Generate a package-based Software Bill Of Materials (SBOM) and scan it for CVEs
$ zarf tools sbom packages --exclude './iam' . -o json | grype --fail-on low
 ✔ Indexed .
 ✔ Cataloged packages      [1461 packages]
NAME              INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY
golang.org/x/net  v0.15.0    0.17.0    go-module  GHSA-qppj-fm5r-hxr3  Medium
golang.org/x/net  v0.15.0    0.17.0    go-module  GHSA-4374-p667-p6c8  Medium
1 error occurred:
        * discovered vulnerabilities at or above the severity threshold
  2. Determine what dependency is using golang.org/x/net@v0.15.0
$ go mod graph | grep golang.org/x/net@v0.15.0
golang.org/x/tools@v0.13.0 golang.org/x/net@v0.15.0

What did you expect to see?

There is a released version of x/tools that uses x/net version v0.17.0

What did you see instead?

The current latest version of x/tools (v0.14.0) is on x/net version v0.16.0
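The `go mod graph | grep` step above only shows the direct requirer of the flagged version. When the requirer is itself several hops below the main module, a practitioner triaging a scanner finding wants the full requirement chain (main module to the vulnerable module@version) and a list of every version of that module path still present in the graph, since each requirer of an old version is a candidate for a bump. The program below is an added example, not code from the Go project or from this issue; it parses `go mod graph` text and walks it. The graph text (`sampleGraph`) and the module names in it (`example.com/app`, `example.com/lib`) are constructed for the example and are not taken from the reporter's repository.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleGraph is a constructed stand-in for `go mod graph` output (an assumption
// for this example, not the reporter's real graph). Each line is
// "<requirer> <requirement@version>"; the main module is the only node that
// carries no "@version" suffix.
const sampleGraph = `example.com/app golang.org/x/tools@v0.13.0
example.com/app example.com/lib@v1.2.0
golang.org/x/tools@v0.13.0 golang.org/x/net@v0.15.0
golang.org/x/tools@v0.13.0 golang.org/x/sys@v0.12.0
example.com/lib@v1.2.0 golang.org/x/net@v0.12.0
golang.org/x/net@v0.15.0 golang.org/x/text@v0.13.0
`

// ModGraph is the module requirement graph: Edges[from] lists every
// module@version that "from" requires.
type ModGraph struct {
	Main  string
	Edges map[string][]string
}

// ParseModGraph turns `go mod graph` text into a ModGraph. Lines that do not
// have exactly two fields are skipped so a stray blank line cannot abort triage.
func ParseModGraph(text string) ModGraph {
	g := ModGraph{Edges: map[string][]string{}}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue
		}
		// The main module is the unversioned requirer.
		if g.Main == "" && !strings.Contains(fields[0], "@") {
			g.Main = fields[0]
		}
		g.Edges[fields[0]] = append(g.Edges[fields[0]], fields[1])
	}
	return g
}

// PathTo returns the shortest requirement chain from the main module to target
// (for example "golang.org/x/net@v0.15.0"), or nil if target is not reachable.
// Breadth-first search over the edge map gives the shortest chain.
func (g ModGraph) PathTo(target string) []string {
	parent := map[string]string{g.Main: ""}
	queue := []string{g.Main}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == target {
			var path []string
			for n := cur; n != ""; n = parent[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range g.Edges[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// Requirers maps every version of modPath found in the graph to the modules
// that directly require it. Every entry below the fixed version is a dependency
// that has to move before the old requirement disappears from the graph.
func (g ModGraph) Requirers(modPath string) map[string][]string {
	out := map[string][]string{}
	for from, tos := range g.Edges {
		for _, to := range tos {
			if p, ver, ok := strings.Cut(to, "@"); ok && p == modPath {
				out[ver] = append(out[ver], from)
			}
		}
	}
	return out
}

func main() {
	// In real use, read the text from `go mod graph` on stdin instead of sampleGraph.
	g := ParseModGraph(sampleGraph)
	target := "golang.org/x/net@v0.15.0"
	fmt.Println("chain:", strings.Join(g.PathTo(target), " -> "))
	for ver, by := range g.Requirers("golang.org/x/net") {
		fmt.Printf("golang.org/x/net@%s required by %v\n", ver, by)
	}
}
```

On the constructed graph the chain printed is `example.com/app -> golang.org/x/tools@v0.13.0 -> golang.org/x/net@v0.15.0`, which matches what the reporter's `grep` showed but also names the hop above it. Note that `go mod graph` lists requirements, not the selected build list: minimal version selection picks the highest listed version of `golang.org/x/net`, so after `go get golang.org/x/net@v0.17.0` the older requirements remain in the graph until their requirers are upgraded, which is why SBOM scanners that read `go.sum` or the graph rather than the build list can keep flagging them.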

cagedmantis commented 12 months ago

cc @golang/tools-team @golang/release