Closed linkthrow closed 1 year ago
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).
View this failed invocation of the CLA check for more information.
For the most up to date status, view the checks section at the bottom of the pull request.
I'm used to these at this point. Presumably you control the server/client here. I'm not sure why it poses a security risk but let's merge it to make your security scanner happy. Will you need a tagged release?
BTW the tests are failing, I think you should not manually edit go.mod/go.sum files. I recommend doing a go get [...] and go mod tidy.
Sorry, didn't realise the test was failing; done the suggested fix. Yes please, would need it tagged.
We use this probe at the company I work for, and the currently installed version of golang.org/x/net has a vulnerability which is logged in the https://github.com/golang/vulndb database.
This is utilised by the Trivy scanner, which rejects this library from being used in our project; the suggested fix is using the latest version, v0.4.0, which removes this vulnerability.
TL;DR of the vulnerability below:
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
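As an added illustration of the defect class described in that advisory (toy code written for this thread, not the PR's code and not golang.org/x/net's real cache), a per-connection header-key cache capped only by entry count beside one also capped by total bytes; entry caps, key lengths and the 64 KiB byte cap are constructed values chosen so the count-only variant retains the 64 MiB order of magnitude quoted above.

```go
package main

import "fmt"

// keyCache is a simplified per-connection cache of header keys.
// entryCap bounds how many keys are kept; byteCap bounds their total size.
// byteCap == 0 means "count only", the weak configuration the advisory describes.
type keyCache struct {
	entryCap int
	byteCap  int
	keys     []string
	bytes    int
}

func newKeyCache(entryCap, byteCap int) *keyCache {
	return &keyCache{entryCap: entryCap, byteCap: byteCap}
}

// add records a header key and reports whether it was cached.
func (c *keyCache) add(key string) bool {
	if len(c.keys) >= c.entryCap { // count cap alone: large keys still get stored
		return false
	}
	if c.byteCap > 0 && c.bytes+len(key) > c.byteCap { // byte cap: bounds memory per connection
		return false
	}
	c.keys = append(c.keys, key)
	c.bytes += len(key)
	return true
}

// size returns the bytes currently retained by the cache.
func (c *keyCache) size() int { return c.bytes }

// simulate feeds n distinct keys of exactly keyLen bytes each (constructed
// names like "x-000…1") into the cache and returns the bytes it retained.
func simulate(c *keyCache, n, keyLen int) int {
	for i := 0; i < n; i++ {
		c.add(fmt.Sprintf("x-%0*d", keyLen-2, i))
	}
	return c.size()
}

func main() {
	// 4096 keys of 16 KiB: count-only cap retains 64 MiB, byte cap retains at most 64 KiB.
	fmt.Println("count-only cap:", simulate(newKeyCache(4096, 0), 4096, 16384))
	fmt.Println("byte cap      :", simulate(newKeyCache(4096, 64*1024), 4096, 16384))
}
```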