mimiro-io / datahub-cli

The MIMIRO Data Hub CLI, known as mim, provides command line control over a MIMIRO data hub instance or any Universal Data Specification (UDA) compliant endpoint.
Apache License 2.0

chore: patch CVE-2023-45288, upgrade to supported version of Go #202

Closed ingve closed 8 months ago

ingve commented 8 months ago

Fixes

Scanning your code and 393 packages across 71 dependent modules for known vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.17.0
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
      #1: pkg/api/job.go:103:29: api.JobManager.GetJob calls http2.ConnectionError.Error
      #2: pkg/api/entities.go:393:44: api.ConsoleSink.ProcessEntities calls fmt.Sprintf, which eventually calls http2.ErrCode.String
      #3: pkg/api/entities.go:393:44: api.ConsoleSink.ProcessEntities calls fmt.Sprintf, which eventually calls http2.FrameHeader.String
      #4: pkg/api/entities.go:393:44: api.ConsoleSink.ProcessEntities calls fmt.Sprintf, which eventually calls http2.FrameType.String
      #5: pkg/api/job.go:103:29: api.JobManager.GetJob calls http2.GoAwayError.Error
      #6: pkg/api/entities.go:393:44: api.ConsoleSink.ProcessEntities calls fmt.Sprintf, which eventually calls http2.Setting.String
      #7: pkg/api/entities.go:393:44: api.ConsoleSink.ProcessEntities calls fmt.Sprintf, which eventually calls http2.SettingID.String
      #8: pkg/api/job.go:103:29: api.JobManager.GetJob calls http2.StreamError.Error
      #9: pkg/api/query.go:81:2: api.EntityQuery.Query calls http.http2transportResponseBody.Close, which eventually calls http2.chunkWriter.Write
      #10: pkg/api/job.go:103:29: api.JobManager.GetJob calls http2.connError.Error
      #11: pkg/api/job.go:103:29: api.JobManager.GetJob calls bbolt.panicked.Error, which calls http2.duplicatePseudoHeaderError.Error
      #12: pkg/api/query.go:81:2: api.EntityQuery.Query calls http2.gzipReader.Close
      #13: internal/web/web.go:191:30: web.PutRequest calls io.ReadAll, which calls http2.gzipReader.Read
      #14: pkg/api/job.go:103:29: api.JobManager.GetJob calls bbolt.panicked.Error, which calls http2.headerFieldNameError.Error
      #15: pkg/api/job.go:103:29: api.JobManager.GetJob calls bbolt.panicked.Error, which calls http2.headerFieldValueError.Error
      #16: pkg/api/job.go:103:29: api.JobManager.GetJob calls bbolt.panicked.Error, which calls http2.pseudoHeaderError.Error
      #17: pkg/api/query.go:81:2: api.EntityQuery.Query calls http.http2transportResponseBody.Close, which eventually calls http2.stickyErrWriter.Write
      #18: pkg/api/query.go:81:2: api.EntityQuery.Query calls http2.transportResponseBody.Close
      #19: internal/web/web.go:191:30: web.PutRequest calls io.ReadAll, which calls http2.transportResponseBody.Read
      #20: pkg/api/entities.go:393:44: api.ConsoleSink.ProcessEntities calls fmt.Sprintf, which eventually calls http2.writeData.String

Your code is affected by 1 vulnerability from 1 module.

Also