lightningnetwork / lnd

Lightning Network Daemon ⚡️
MIT License

Fend off adding dependencies with Vulnerabilities #5774

Open naveensrinivasan opened 2 years ago

naveensrinivasan commented 2 years ago

Background

lnd introduced 4 CVEs/OSVs between 0.13.0 and 0.13.1-beta.

0.13.0 had 0 OSVs.

Here is a comparison between 0.13.0 and 0.13.1-beta https://deps.dev/go/github.com%2Flightningnetwork%2Flnd/v0.13.0-beta.rc5.0.20210921132504-8d8db527237e/compare?v2=v0.13.1-beta

Here is an example of fixing all these OSVs https://github.com/naveensrinivasan/lnd/compare/master...naveen/fix-all-cves

Possible solution

The goal is to avoid this in the future when the PR comes into the repository so that it helps to decide whether to merge the PR or not.

shameless plug https://github.com/naveensrinivasan/stunning-tribble

stunning-tribble will scan your go dependencies for OSV.

How do I use this tool?
Does it handle replace directives?

Yes, go list -m -f '{{if not (or .Main)}}{{.Path}}@{{.Version}}_{{.Replace}}{{end}}' all

How do I trust stunning-tribble?

stunning-tribble has 0 dependencies https://github.com/naveensrinivasan/stunning-tribble/blob/main/go.sum, and please fork it or pin it by a SHA and use it.
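As an added illustration (not code from lnd or from stunning-tribble), here is a Go sketch of the two steps such a CI check has to get right: resolving replace directives so the module actually compiled in is the one checked, and shaping the result into an OSV batch query. It assumes the JSON form of the module list (`go list -m -json all`) rather than the template form above, and the public OSV endpoint `https://api.osv.dev/v1/querybatch`.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Module holds the `go list -m -json all` fields used here.
type Module struct {
	Path, Version string
	Main          bool
	Replace       *Module
}
type osvQuery struct { // one entry of the OSV /v1/querybatch request body
	Version string            `json:"version"`
	Package map[string]string `json:"package"`
}

// effectiveModules decodes the stream of JSON objects printed by `go list -m -json all`
// (one object per module, not an array), drops the main module, and applies replace
// directives so the replacement that is actually compiled in is what gets checked.
func effectiveModules(goListJSON string) ([]Module, error) {
	dec, out := json.NewDecoder(strings.NewReader(goListJSON)), []Module{}
	for dec.More() {
		var m Module
		if err := dec.Decode(&m); err != nil {
			return nil, err
		}
		if m.Replace != nil && m.Replace.Version == "" {
			continue // filesystem replacement (replace x => ./fork): nothing OSV can look up
		}
		if m.Replace != nil {
			m = *m.Replace
		}
		if !m.Main {
			out = append(out, Module{Path: m.Path, Version: m.Version})
		}
	}
	return out, nil
}

// osvBatchBody builds the POST body for api.osv.dev/v1/querybatch; OSV records Go versions without the leading "v".
func osvBatchBody(mods []Module) ([]byte, error) {
	queries := make([]osvQuery, 0, len(mods))
	for _, m := range mods {
		queries = append(queries, osvQuery{strings.TrimPrefix(m.Version, "v"),
			map[string]string{"name": m.Path, "ecosystem": "Go"}})
	}
	return json.Marshal(map[string]any{"queries": queries})
}
```

In CI the output of `go list -m -json all` is fed to `effectiveModules`, the body is POSTed to OSV, and any non-empty `vulns` list in the response fails the job.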

Roasbeef commented 2 years ago

So perhaps we should add this to our CI pipeline?

naveensrinivasan commented 2 years ago

> So perhaps we should add this to our CI pipeline?

Yes, that is the idea.