Status: Closed (closed by dveeden 3 hours ago)
See the beautiful fix in tidb. The fix is more elegant. The main thing here is to update the version of the tidb dependency. This change is forward compatible with the golang version: the runtime.Version() method exists at least in go 1.0.0.
dvaneeden@dve-carbon:~/dev/pingcap/tidb-tools$ govulncheck ./...
=== Symbol Results ===
Vulnerability #1: GO-2024-2918
Azure Identity Libraries Elevation of Privilege Vulnerability in
github.com/Azure/azure-sdk-for-go/sdk/azidentity
More info: https://pkg.go.dev/vuln/GO-2024-2918
Module: github.com/Azure/azure-sdk-for-go/sdk/azidentity
Found in: github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.5.1
Fixed in: github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.6.0
Example traces found:
#1: pkg/utils/util.go:50:30: utils.GetJSON calls ioutil.ReadAll, which eventually calls azidentity.ClientSecretCredential.GetToken
Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.
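The scan output above draws the line that matters for triage: a vulnerability with a symbol-level trace (the `utils.GetJSON` → `azidentity.ClientSecretCredential.GetToken` path) is reachable from this code, while the other finding only sits in a required module that nothing calls. The program below is an added example, not part of this PR or of tidb-tools, showing how to make that distinction in a CI gate by reading `govulncheck -json` output. The field names (`finding`, `osv`, `fixed_version`, `trace`, `module`, `package`, `function`, `receiver`) follow govulncheck's JSON stream as an assumption and should be checked against the installed version; the sample stream is constructed, and `GO-EXAMPLE-0001` is a placeholder id, not a real advisory.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// Frame is one element of a finding trace. Assumption: these are the JSON
// keys govulncheck emits; unknown keys (e.g. "position") are ignored.
type Frame struct {
	Module   string `json:"module"`
	Version  string `json:"version,omitempty"`
	Package  string `json:"package,omitempty"`
	Function string `json:"function,omitempty"`
	Receiver string `json:"receiver,omitempty"`
}

// Finding is the "finding" message; trace[0] is the vulnerable symbol,
// the last frame is the entry point in the scanned code.
type Finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version,omitempty"`
	Trace        []Frame `json:"trace"`
}

// Message is one object of the JSON stream; config/progress/osv are skipped.
type Message struct {
	Finding *Finding `json:"finding,omitempty"`
}

// Level is how deep the reachability analysis got for an advisory.
type Level int

const (
	LevelModule  Level = iota // only listed in go.mod / required transitively
	LevelPackage              // a vulnerable package is imported
	LevelSymbol               // a vulnerable function is actually called
)

func (l Level) String() string {
	return [...]string{"module", "package", "symbol"}[l]
}

// levelOf derives the level from how specific the first trace frame is.
func levelOf(f Finding) Level {
	if len(f.Trace) == 0 {
		return LevelModule
	}
	top := f.Trace[0]
	switch {
	case top.Function != "":
		return LevelSymbol
	case top.Package != "":
		return LevelPackage
	default:
		return LevelModule
	}
}

// Classify reads a govulncheck -json stream and returns, per OSV id, the
// highest level at which the vulnerability was found to be reachable.
func Classify(r io.Reader) (map[string]Level, error) {
	dec := json.NewDecoder(r)
	out := map[string]Level{}
	for {
		var m Message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.Finding == nil {
			continue
		}
		l := levelOf(*m.Finding)
		if cur, ok := out[m.Finding.OSV]; !ok || l > cur {
			out[m.Finding.OSV] = l
		}
	}
	return out, nil
}

// ShouldFail is the gate: block only on vulnerabilities the code can reach.
func ShouldFail(levels map[string]Level) bool {
	for _, l := range levels {
		if l == LevelSymbol {
			return true
		}
	}
	return false
}

// sampleStream is a constructed stand-in for `govulncheck -json ./...` output.
const sampleStream = `
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"progress":{"message":"Scanning your code and 1 package across 1 dependent module for known vulnerabilities..."}}
{"finding":{"osv":"GO-2024-2918","fixed_version":"v1.6.0","trace":[{"module":"github.com/Azure/azure-sdk-for-go/sdk/azidentity","version":"v1.5.1"}]}}
{"finding":{"osv":"GO-2024-2918","fixed_version":"v1.6.0","trace":[{"module":"github.com/Azure/azure-sdk-for-go/sdk/azidentity","version":"v1.5.1","package":"github.com/Azure/azure-sdk-for-go/sdk/azidentity"}]}}
{"finding":{"osv":"GO-2024-2918","fixed_version":"v1.6.0","trace":[{"module":"github.com/Azure/azure-sdk-for-go/sdk/azidentity","version":"v1.5.1","package":"github.com/Azure/azure-sdk-for-go/sdk/azidentity","function":"GetToken","receiver":"*ClientSecretCredential"},{"module":"github.com/pingcap/tidb-tools","package":"github.com/pingcap/tidb-tools/pkg/utils","function":"GetJSON"}]}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v0.0.2","trace":[{"module":"example.invalid/placeholder","version":"v0.0.1"}]}}
`

func main() {
	levels, err := Classify(strings.NewReader(sampleStream))
	if err != nil {
		fmt.Fprintln(os.Stderr, "parse error:", err)
		os.Exit(2)
	}
	for id, l := range levels {
		fmt.Printf("%s: reachable at %s level\n", id, l)
	}
	if ShouldFail(levels) {
		fmt.Println("FAIL: at least one vulnerability is called from this code")
		os.Exit(1)
	}
	fmt.Println("OK: only module-level findings; report, do not block")
}
```

In a pipeline you would pipe the real scanner into this (`govulncheck -json ./... | go run ./cmd/vulngate`) instead of the embedded sample; keeping the module-level findings in the report while failing only on symbol-level ones is what stops the gate from blocking on noise while still catching cases like the one in this PR.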
Timeline:
2024-11-22 14:01:46.482087904 +0000 UTC: ☑ agreed by Defined2014.

[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: Defined2014, mjonss
The full list of commands accepted by this bot can be found here.
The pull request process is described here.
What problem does this PR solve?
Issue Number: close #813 ref #819
Also resolves https://github.com/pingcap/tidb-tools/security/dependabot/28
What is changed and how it works?
Check List
Tests