Open naveensrinivasan opened 2 years ago

Background

The lnd introduced 4 CVE/OSV between 0.13.0 and 0.13.1-beta. The 0.13.0 had 0 OSV.

Here is a comparison between 0.13.0 and 0.13.1-beta: https://deps.dev/go/github.com%2Flightningnetwork%2Flnd/v0.13.0-beta.rc5.0.20210921132504-8d8db527237e/compare?v2=v0.13.1-beta

Here is an example of fixing all these OSVs: https://github.com/naveensrinivasan/lnd/compare/master...naveen/fix-all-cves

Possible solution

The goal is to avoid this in the future when the PR comes into the repository, so that it helps to decide whether to merge the PR or not.

Shameless plug: https://github.com/naveensrinivasan/stunning-tribble

stunning-tribble will scan your Go dependencies for OSV.

How do I use this tool?

go install github.com/naveensrinivasan/stunning-tribble@latest
go list -m -f '{{if not (or .Main)}}{{.Path}}@{{.Version}}_{{.Replace}}{{end}}' all | stunning-tribble

Does it handle replace directives?

Yes: go list -m -f '{{if not (or .Main)}}{{.Path}}@{{.Version}}_{{.Replace}}{{end}}' all

How do I trust stunning-tribble?

stunning-tribble has 0 dependencies (https://github.com/naveensrinivasan/stunning-tribble/blob/main/go.sum); please fork it or pin it by a SHA and use it.

So perhaps we should add this to our CI pipeline?

Yes, that is the idea.
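The issue's two technical points, feeding `go list -m` output into a scanner and making sure replace directives are honoured, are easy to get subtly wrong: scanning the module named in go.mod rather than its replacement means you check code that never gets compiled. The following Go program is an added example, not stunning-tribble's code or anything from the lnd repository. It reads the JSON form of `go list -m -json all` (fed here from a constructed sample rather than a real module graph), drops the main module, substitutes each replacement's path and version, skips filesystem replacements that have no version, and builds a request body in the shape of the OSV batch query API (https://api.osv.dev/v1/querybatch). It assumes OSV's convention of recording Go versions without the leading `v`; the sample module paths are invented for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// Module mirrors the fields of `go list -m -json all` output that matter here.
type Module struct {
	Path    string  `json:"Path"`
	Version string  `json:"Version,omitempty"`
	Main    bool    `json:"Main,omitempty"`
	Replace *Module `json:"Replace,omitempty"`
}

// Request body shape of the OSV batch query API (POST https://api.osv.dev/v1/querybatch).
type OSVPackage struct {
	Name      string `json:"name"`
	Ecosystem string `json:"ecosystem"`
}

type OSVQuery struct {
	Package OSVPackage `json:"package"`
	Version string     `json:"version"`
}

type OSVBatch struct {
	Queries []OSVQuery `json:"queries"`
}

// EffectiveModules decodes a `go list -m -json all` stream and returns the
// modules that actually end up in the build:
//   - the main module is dropped (it is the thing being scanned, not a dependency);
//   - a module with a Replace directive is reported under the replacement's
//     path and version, because that is the code that gets compiled;
//   - a replacement pointing at a local directory carries no version and is
//     skipped, since no advisory database can match it.
func EffectiveModules(r io.Reader) ([]Module, error) {
	dec := json.NewDecoder(r)
	var out []Module
	for {
		var m Module
		err := dec.Decode(&m)
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, fmt.Errorf("decoding go list output: %w", err)
		}
		if m.Main {
			continue
		}
		eff := Module{Path: m.Path, Version: m.Version}
		if m.Replace != nil {
			if m.Replace.Version == "" {
				continue // filesystem replacement such as "../fork": nothing to look up
			}
			eff = Module{Path: m.Replace.Path, Version: m.Replace.Version}
		}
		out = append(out, eff)
	}
	return out, nil
}

// BuildOSVBatch turns the effective module list into an OSV querybatch body.
// Assumption: OSV records Go versions without the leading "v" (e.g. "0.13.1-beta").
func BuildOSVBatch(mods []Module) OSVBatch {
	var b OSVBatch
	for _, m := range mods {
		b.Queries = append(b.Queries, OSVQuery{
			Package: OSVPackage{Name: m.Path, Ecosystem: "Go"},
			Version: strings.TrimPrefix(m.Version, "v"),
		})
	}
	return b
}

// SampleGoList is a constructed stand-in for `go list -m -json all` output.
// It is not real lnd data; the module paths and versions are illustrative only.
const SampleGoList = `
{"Path":"github.com/example/app","Main":true}
{"Path":"github.com/example/lib","Version":"v1.2.3"}
{"Path":"github.com/example/upstream","Version":"v0.9.0","Replace":{"Path":"github.com/someone/fork","Version":"v0.9.1"}}
{"Path":"github.com/example/local","Version":"v0.1.0","Replace":{"Path":"../local","Dir":"../local"}}
`

func main() {
	mods, err := EffectiveModules(strings.NewReader(SampleGoList))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	_ = enc.Encode(BuildOSVBatch(mods))
}
```

In a CI job the only change would be to replace `SampleGoList` with the stdout of `go list -m -json all` and POST the encoded body to the OSV endpoint; the important part for the replace-directive question is that the second query names `github.com/someone/fork` at `0.9.1`, not the upstream module at `0.9.0`, and the local-directory replacement is dropped rather than scanned under a meaningless version.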