hyperledger-archives / aries-framework-go

Hyperledger Aries Framework Go provides packages for building Agent / DIDComm services.
https://wiki.hyperledger.org/display/ARIES/aries-framework-go
Apache License 2.0

BTCEC/v2 #3385

Open markcryptohash opened 2 years ago

markcryptohash commented 2 years ago

aries-framework-go should either update their require to v0.22.1 instead of v0.22.0-beta, or they should update to v0.23.1 (and btcec/v2 and btcd/btcutil)

What I'm trying to do

Trying to run the latest BTCSUITE vs aries-framework.

Expected result

I expect it to work with BTCEC/v2.

Actual result

Go complains:

```
../../go/pkg/mod/github.com/hyperledger/aries-framework-go@v0.1.7/pkg/doc/jose/jwk/jwk.go:21:2: no required module provides package github.com/btcsuite/btcd/btcec; to add it:
	go get github.com/btcsuite/btcd/btcec
// So then I run the above command.
▶ go get github.com.com/btcsuite/btcd/btcec
go: module github.com/btcsuite/btcd@upgrade found (v0.23.1), but does not contain package github.com/btcsuite/btcd/btcec
```

My code is running the latest btcsuite. I tried downgrading but it became an untenable dependency mess.

gunturaf commented 2 years ago

I think this should be considered a security issue due to CVE-2022-44797, as tools such as Trivy will complain about this library, which still imports a previous version of btcd.