Open ErnestK opened 6 months ago
gm @ErnestK, thanks for this report. I think there are some opportunities here to grab the low hanging fruit.
`// horusec: ignore HS-LEAKS-26`
To make things easier for review, I recommend sending multiple PRs to resolve the issues. I.e. send all minor dependency updates in one PR, any exclusions in another PR, any individual fixes in their own PRs. This makes review easier and makes maintainer bug hunting easier as we could review better scoped commits for issues.
@ErnestK are you interested in submitting a PR to resolve some of these reported issues?
@prestonvanloon Yes, I will analyze all the issues and endeavor to work on this task. It would be great to include Horusec in the CI process.
@prestonvanloon I created the first small pull request (PR) with updates to two gems that require no additional work. Now I'm working on addressing the vulnerabilities from the list, starting with the smallest issues and progressing to the larger ones.
I have sorted all vulnerabilities, eliminated duplicates, and ranked them.

Easiest Updates (Simple Updates):

- github.com/microcosm-cc/bluemonday from v1.0.1 to v1.0.5 (Minor version increment - patch update), likely straightforward with minimal changes.
- github.com/nats-io/jwt from v0.3.2 to v2.0.1 (Major version jump), but update might be manageable if backward compatibility is maintained.
- github.com/dgrijalva/jwt-go from v3.2.0 to 4.0.0-preview1
- github.com/go-yaml/yaml from v2.1.0 to v2.2.4
- google.golang.org/protobuf from v1.32.0 to v1.33.0 (Incremental version change - minor update), typically safe with minimal impact. https://github.com/prysmaticlabs/prysm/pull/14024
- golang.org/x/net from v0.21.0 to v0.23.0 (Incremental version change - minor update), may require compatibility checks but generally straightforward. https://github.com/prysmaticlabs/prysm/pull/13912

Moderate Updates (Intermediate Updates):

- github.com/aws/aws-sdk-go from v1.27.0 to v1.34.0 (Moderate version increment - minor update), potentially introducing new features or adjustments.
- github.com/nats-io/nats-server/v2 from v2.1.2 to v2.7.2 (Incremental version change - minor update), possibly including enhancements or bug fixes.
- github.com/buger/jsonparser from v0.0.0-20181115193947-bf1c66bbce23 to v1.1.1 (Major version transition - breaking change), may require code adjustments and thorough testing.

Complex Updates (Challenging Updates):

- go.etcd.io/etcd from v0.0.0-20191023171146-3cf2f69b5738 to v3.4.10 (Major version jump - breaking change), likely involving significant updates and compatibility considerations.
- github.com/elazarl/goproxy from v0.0.0-20180725130230-947c36da3153 to v0.0.0-20230731152917-f99041a5c027 (Major version transition - breaking change), potentially requiring substantial refactoring.
- github.com/labstack/echo/v4 from v4.2.1 to v4.9.0 (Incremental version change - minor update), may introduce new features or adjustments.
- github.com/emicklei/go-restful from v0.0.0-20170410110728-ff4f55a20633 to v2.16.0 (Major version jump - breaking change), likely requiring significant code updates and testing.

Putting it All Together:
💎 Issue
Description
Hello,
I've been considering participating in the project and contributing. My attention was drawn to this task, https://github.com/prysmaticlabs/prysm/issues/9975.
I ran horusec-beta on prysm, and the result was a bit different than I expected.
Most vulnerabilities are related to library versions, but they can be fixed.
Are library updates covered by tests? Should I take on this task?
PS: report attached below.
horusec_report.json