shaj13 / go-guardian

Go-Guardian is a golang library that provides a simple, clean, and idiomatic way to create powerful modern API and web authentication.
MIT License
559 stars, 56 forks

upgraded go-jose library version to mitigate CVE-2024-28180 #132

Closed hmgowda closed 3 months ago

hmgowda commented 3 months ago

GitHub security scan (Dependabot) and Checkmarx have reported a CVE in this library that is introduced through gopkg.in/square/go-jose.v2 v2.5.1.

CVE information can be found here: https://github.com/advisories/GHSA-c5q2-7r4c-mv6g. The version of the go-jose library needs to be updated. The patch containing the fix is gopkg.in/go-jose/go-jose.v2@v2.6.3
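A defender-side check for this kind of finding, added here as an example that is not part of go-guardian or of this PR: it scans go.mod text for the two go-jose v2 import paths named above and reports any requirement still below v2.6.3. It assumes plain require lines (replace directives are not evaluated) and version tags of the form vX.Y.Z; the module paths and fixed version come from the PR description.

```go
package main

import (
	"fmt"
	"strings"
)

// Import paths and the fixed version quoted in the PR description.
const (
	vulnerableModule = "gopkg.in/square/go-jose.v2"  // superseded path, never received the fix
	fixedModule      = "gopkg.in/go-jose/go-jose.v2" // maintained path that carries the patch
	fixedVersion     = "v2.6.3"
)

// rank turns a "vX.Y.Z" tag into one comparable integer (assumes each part < 1000);
// ok is false when the string does not start with three dotted numbers.
func rank(v string) (r int, ok bool) {
	var a, b, c int
	n, err := fmt.Sscanf(v, "v%d.%d.%d", &a, &b, &c)
	return a*1000000 + b*1000 + c, err == nil && n == 3
}

// CheckGoMod scans go.mod text and returns one finding per go-jose v2 requirement still
// exposed to CVE-2024-28180 (plain require lines only; replace directives are not evaluated).
func CheckGoMod(gomod string) []string {
	fixedRank, _ := rank(fixedVersion)
	var findings []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" { // single-line "require path vX.Y.Z" form
			f = f[1:]
		}
		if len(f) < 2 {
			continue
		}
		path, ver := f[0], f[1]
		switch path {
		case vulnerableModule:
			findings = append(findings, fmt.Sprintf("%s %s: superseded path, move to %s %s",
				path, ver, fixedModule, fixedVersion))
		case fixedModule:
			if r, ok := rank(ver); !ok || r < fixedRank {
				findings = append(findings, fmt.Sprintf("%s %s: below fixed version %s",
					path, ver, fixedVersion))
			}
		}
	}
	return findings
}
```

Feed it the contents of a module's go.mod (for example from a CI step); a non-empty result is a finding to act on, and the numeric comparison means v2.6.10 is correctly treated as newer than v2.6.3.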

hmgowda commented 3 months ago

@shaj13 here are the test results for auth/strategies/jwt

/shaj13/go-guardian/v2/auth/strategies/jwt"}
=== RUN TestSetAudience
--- PASS: TestSetAudience (0.00s)
=== RUN TestSetIssuer
--- PASS: TestSetIssuer (0.00s)
=== RUN TestSetExpDuration
--- PASS: TestSetExpDuration (0.00s)
=== RUN TestStaticSecretGet
=== RUN TestStaticSecretGet/StaticSecretGet_always_return_same_secret
--- PASS: TestStaticSecretGet/StaticSecretGet_always_return_same_secret (0.00s)
=== RUN TestStaticSecretGet/StaticSecretGet_return_error_when_kid_invalid
--- PASS: TestStaticSecretGet/StaticSecretGet_return_error_when_kid_invalid (0.00s)
--- PASS: TestStaticSecretGet (0.00s)
=== RUN TestToken
--- PASS: TestToken (0.00s)
=== RUN TestTokenAlg
--- PASS: TestTokenAlg (0.00s)
=== RUN TestTokenKID
--- PASS: TestTokenKID (0.00s)
=== RUN TestNewToken
--- PASS: TestNewToken (0.00s)
=== RUN Example
--- PASS: Example (0.00s)
=== RUN Example_scope
--- PASS: Example_scope (0.00s)
=== RUN ExampleSecretsKeeper
--- PASS: ExampleSecretsKeeper (0.15s)
PASS
ok github.com/shaj13/go-guardian/v2/auth/strategies/jwt (cached)

Process finished with the exit code 0

shaj13 commented 3 months ago

LGTM