kubernetes / kubernetes

Production-Grade Container Scheduling and Management
https://kubernetes.io
Apache License 2.0

Outdated modules that contain vulnerabilities #110344

Closed IzhakJakov closed 2 years ago

IzhakJakov commented 2 years ago

Found vulnerability (SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515)

github.com/spf13/cobra v1.1.3 uses github.com/dgrijalva/jwt-go, which is affected by a known vulnerability and is no longer maintained, so it should probably be upgraded to a newer version.

```
❯ ggdh 'github.com/dgrijalva/jwt-go'
             k8s.io/apiserver@v0.24.0
                        ⬇
         go.etcd.io/etcd/server/v3@v3.5.0
                        ⬇
           github.com/spf13/cobra@v1.1.3
                        ⬇
           github.com/spf13/viper@v1.7.0
                        ⬇
  github.com/dgrijalva/jwt-go@v3.2.0+incompatible
```

Found another vulnerability (SNYK-GOLANG-GITHUBCOMPKGSFTP-569475)

```
❯ ggdh 'github.com/pkg/sftp'
            k8s.io/apiserver@v0.24.0
                       ⬇
  github.com/coreos/go-oidc@v2.1.0+incompatible
                       ⬇
github.com/emicklei/go-restful@v2.9.5+incompatible
                       ⬇
github.com/evanphx/json-patch@v4.12.0+incompatible
                       ⬇
         github.com/spf13/afero@v1.6.0
                       ⬇
          github.com/pkg/sftp@v1.10.1
```

dims commented 2 years ago

/transfer kubernetes

k8s-ci-robot commented 2 years ago

@IzhakJakov: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

neolit123 commented 2 years ago

/area code-organization
/sig architecture

k8s-triage-robot commented 2 years ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

dims commented 2 years ago

We are now on a newer cobra:

```
[dims@dims-m1-7728 13:45] ~/go/src/k8s.io/kubernetes ⟩ rg github.com/spf13/cobra go.mod
64: github.com/spf13/cobra v1.5.0
465:    github.com/spf13/cobra => github.com/spf13/cobra v1.5.0
```

We do not currently have a dependency on github.com/dgrijalva/jwt-go

```
[dims@dims-m1-7728 13:47] ~/go/src/k8s.io/kubernetes ⟩ go mod graph | grep github.com/dgrijalva/jwt-go
[dims@dims-m1-7728 13:48] ~/go/src/k8s.io/kubernetes ⟩ grep github.com/dgrijalva/jwt-go go.mod
```

/close
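The two checks in this thread look at the same thing from opposite ends: the report's `ggdh` helper prints the chain of requirements that pulls a flagged module into the graph, and the `go mod graph | grep` above confirms that no such edge exists any more. As an added example (not code from the issue, from `ggdh`, or from the Kubernetes project), the Go program below does the first of those over `go mod graph` output: it parses the `"<from> <to>"` edge lines, takes the left side of the first line as the main module, and breadth-first searches for the shortest requirement chain to a module path, whatever version of it appears. The embedded graph is constructed for the example, modelled on the chain in the report, and is not real output from the Kubernetes repository; `FindPath` and `modulePath` are names chosen here.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// sampleGraph is a constructed excerpt in the format `go mod graph` prints:
// one "<from> <to>" edge per line, with the main module (no version) on the
// left of the first line. It is modelled on the chain in the report above and
// is not real output from the Kubernetes repository.
const sampleGraph = `k8s.io/kubernetes k8s.io/apiserver@v0.24.0
k8s.io/kubernetes github.com/spf13/cobra@v1.5.0
k8s.io/apiserver@v0.24.0 go.etcd.io/etcd/server/v3@v3.5.0
go.etcd.io/etcd/server/v3@v3.5.0 github.com/spf13/cobra@v1.1.3
github.com/spf13/cobra@v1.1.3 github.com/spf13/viper@v1.7.0
github.com/spf13/viper@v1.7.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/spf13/cobra@v1.5.0 github.com/spf13/pflag@v1.0.5
`

// modulePath strips the "@version" suffix from a graph node.
func modulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// FindPath parses `go mod graph` output and returns the shortest chain of
// requirements from the main module to the first node whose module path equals
// target (any version). It returns a nil path when target is not in the graph.
func FindPath(graph io.Reader, target string) ([]string, error) {
	// Adjacency lists keep edges in file order, so the search is deterministic.
	edges := map[string][]string{}
	root := ""
	sc := bufio.NewScanner(graph)
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // blank or malformed line
		}
		if root == "" {
			root = fields[0]
		}
		edges[fields[0]] = append(edges[fields[0]], fields[1])
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	if root == "" {
		return nil, fmt.Errorf("empty module graph")
	}
	if modulePath(root) == target {
		return []string{root}, nil
	}
	// Breadth-first search, recording each node's predecessor so the chain can
	// be rebuilt once the target is reached.
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, next := range edges[cur] {
			if _, seen := parent[next]; seen {
				continue
			}
			parent[next] = cur
			if modulePath(next) == target {
				var path []string
				for n := next; n != ""; n = parent[n] {
					path = append([]string{n}, path...)
				}
				return path, nil
			}
			queue = append(queue, next)
		}
	}
	return nil, nil
}

func main() {
	// With a module path as argument, read real `go mod graph` output on stdin:
	//   go mod graph | go run . github.com/dgrijalva/jwt-go
	// With no argument, run against the constructed sample above.
	var in io.Reader = strings.NewReader(sampleGraph)
	target := "github.com/dgrijalva/jwt-go"
	if len(os.Args) > 1 {
		in = os.Stdin
		target = os.Args[1]
	}
	path, err := FindPath(in, target)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if path == nil {
		fmt.Printf("%s is not in the module graph\n", target)
		os.Exit(1)
	}
	fmt.Println(strings.Join(path, "\n  -> "))
}
```

A chain found this way shows only that some requirement edge reaches the module; it is the same evidence a scanner reading `go.sum` works from, and it says nothing about whether the flagged code is actually built or called. `go list -m all` shows the versions the build selects, `go mod why -m <module>` explains why a module is needed at all, and `govulncheck` reports only vulnerabilities whose functions are reachable from the code, which is the check to run before treating a transitive hit like the one in this report as exploitable.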

k8s-ci-robot commented 2 years ago

@dims: Closing this issue.

In response to [this](https://github.com/kubernetes/kubernetes/issues/110344#issuecomment-1257029571):

> We are now on a newer cobra:
> ```
> [dims@dims-m1-7728 13:45] ~/go/src/k8s.io/kubernetes ⟩ rg github.com/spf13/cobra go.mod
> 64: github.com/spf13/cobra v1.5.0
> 465: github.com/spf13/cobra => github.com/spf13/cobra v1.5.0
> ```
>
> We do not currently have a dependency on `github.com/dgrijalva/jwt-go`
> ```
> [dims@dims-m1-7728 13:47] ~/go/src/k8s.io/kubernetes ⟩ go mod graph | grep github.com/dgrijalva/jwt-go
> [dims@dims-m1-7728 13:48] ~/go/src/k8s.io/kubernetes ⟩ grep github.com/dgrijalva/jwt-go go.mod
> ```
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.