
Comments (20)

IzhakJakov commented on September 6, 2024

Thank you Grokify 🙏
I am waiting for my change to github.com/blend/go-sdk to be merged, then I can help you update the dependency chain for the rest of your modules.

from go-aha.

IzhakJakov commented on September 6, 2024

> How are you identifying these issues? I'd like to find these as well!

I don't find the issues. They get assigned to me.
The dependency report is created by a script that I wrote.

IzhakJakov commented on September 6, 2024

> I am also opening an issue (in their repo) now for SNYK-GOLANG-GITHUBCOMJACKCPGPROTO3V2-1316251

Opened an issue and submitted a fix.

grokify commented on September 6, 2024

Status tracking

Resolved:

  1. SNYK-GOLANG-GITHUBCOMCLOUDFLAREGOLZ4-50050 - github.com/cloudflare/golz4

Open:

  1. SNYK-GOLANG-GITHUBCOMMIEKGDNS-537825 - github.com/miekg/dns <1.1.25 - to be resolved in blend/go-sdk#248
  2. SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515 - github.com/dgrijalva/jwt-go <4.0.0-preview1
  3. SNYK-GOLANG-GITHUBCOMJACKCPGPROTO3V2-1316251 - github.com/jackc/pgproto3/v2 <2.1.1 - to be resolved in blend/go-sdk#248

IzhakJakov commented on September 6, 2024

I upgraded the modules on my branch but there are still modules that import the vulnerable jwt module via other modules.

Here is the chain of imports:

〉ggdh 'github.com/dgrijalva/[email protected]+incompatible'
             github.com/grokify/go-aha
                        ⬇
       github.com/grokify/[email protected]
                        ⬇
         github.com/grokify/[email protected]
                        ⬇
        github.com/grokify/[email protected]
                        ⬇
       github.com/blend/[email protected]
                        ⬇
           github.com/spf13/[email protected]
                        ⬇
           github.com/spf13/[email protected]
                        ⬇
  github.com/dgrijalva/[email protected]+incompatible

The problem is actually fixed in the latest github.com/spf13/cobra but not in the latest github.com/blend/go-sdk, so I will wait before upgrading it.
After it gets fixed I can go ahead and update all the imports in the dependency chain.

grokify commented on September 6, 2024

Go Modules and dependencies have been updated in v0.2.2. github.com/dgrijalva/jwt-go is still in go.sum but the Dependabot warning is gone now.

grokify commented on September 6, 2024

Sounds good. Thanks @IzhakJakov. I'll look for the PR. 👍

In the meanwhile, I've released v0.2.3 to reduce some more direct dependencies in my modules.

IzhakJakov commented on September 6, 2024

Thank you for LMK

IzhakJakov commented on September 6, 2024

More vulnerabilities found after upgrading to v0.2.3

SNYK-GOLANG-GITHUBCOMMIEKGDNS-537825

〉ggdh 'github.com/miekg/dns'
                     github.com/grokify/go-aha
                                ⬇
                github.com/grokify/[email protected]
                                ⬇
               github.com/blend/[email protected]
                                ⬇
                   github.com/spf13/[email protected]
                                ⬇
                   github.com/spf13/[email protected]
                                ⬇
  github.com/bketelsen/[email protected]
                                ⬇
              github.com/hashicorp/consul/[email protected]
                                ⬇
                 github.com/hashicorp/[email protected]
                                ⬇
                 github.com/hashicorp/[email protected]
                                ⬇
                   github.com/miekg/[email protected]

My change to github.com/blend/go-sdk should fix that as well.

SNYK-GOLANG-GITHUBCOMJACKCPGPROTO3V2-1316251

All the vulnerable deps are again inherited from github.com/blend/go-sdk (v1.20211204.3 to be exact); however, this time my change won't fix it and a more complicated change is needed, so I will open an issue in their repo.

SNYK-GOLANG-GITHUBCOMCLOUDFLAREGOLZ4-50050

〉ggdh 'github.com/cloudflare/golz4'
                    github.com/grokify/go-aha
                                ⬇
                github.com/grokify/[email protected]
                                ⬇
                 github.com/astaxie/[email protected]
                                ⬇
  github.com/cloudflare/[email protected]

The fix is currently only in github.com/astaxie/beego in a beta release.

grokify commented on September 6, 2024

Thanks for the update.

How are you identifying these issues? I'd like to find these as well!

The following is an indirect dependency. Can you identify the direct dependency chain from gocharts to blend/go-sdk?

                github.com/grokify/[email protected]
                                ⬇
               github.com/blend/[email protected]

IzhakJakov commented on September 6, 2024

Yes, I know, that's why I made a change in their repo.
I am also opening an issue (in their repo) now for SNYK-GOLANG-GITHUBCOMJACKCPGPROTO3V2-1316251

grokify commented on September 6, 2024

> Yes, I know, that's why I made a change in their repo. I am also opening an issue (in their repo) now for SNYK-GOLANG-GITHUBCOMJACKCPGPROTO3V2-1316251

github.com/jackc/pgproto3/v2 also isn't a direct dependency.

Are you able to identify which direct dependency is pulling these in?

grokify commented on September 6, 2024

@IzhakJakov The PR blend/go-sdk#248 was closed, but the following vulnerable dependencies still remain in github.com/blend/go-sdk/go.sum:

  1. github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
  2. github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190420180111-c116219b62db/go.mod h1:bhq50y+xrl9n5mRYyCBFKkpRVTLYJVWeCc+mEAI3yXA=
  3. github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190609003834-432c2951c711/go.mod h1:uH0AWtUmuShn0bcesswc4aBTWGvw0cAxIJp+6OB//Wg=
  4. github.com/jackc/pgproto3/v2 v2.0.0-rc3/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM=
  5. github.com/jackc/pgproto3/v2 v2.0.0-rc3.0.20190831210041-4c03ce451f29/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM=
  6. github.com/jackc/pgproto3/v2 v2.0.6/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
  7. github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=

grokify commented on September 6, 2024

To resolve the open issues, I located and removed the need for github.com/blend/go-sdk in v0.2.5. This was done by upgrading github.com/grokify/gocharts from using github.com/wcharczuk/go-chart to github.com/wcharczuk/go-chart/v2.

As of now, the following vulnerable modules identified in this thread are no longer dependencies, along with many other eliminated modules.

  1. github.com/cloudflare/golz4 - SNYK-GOLANG-GITHUBCOMCLOUDFLAREGOLZ4-50050
  2. github.com/dgrijalva/jwt-go - SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515
  3. github.com/jackc/pgproto3/v2 - SNYK-GOLANG-GITHUBCOMJACKCPGPROTO3V2-1316251
  4. github.com/miekg/dns - SNYK-GOLANG-GITHUBCOMMIEKGDNS-537825

Please verify and let me know if anything else is open.

grokify commented on September 6, 2024

@IzhakJakov I'm closing this now as it looks like everything has been addressed.

I did post in the PR that the issues are still open in github.com/blend/go-sdk here:

blend/go-sdk#248

Please post if anything else comes up and thanks for reporting this!

IzhakJakov commented on September 6, 2024

Not everything, but yes, you should close since there isn't much we can do; blend/go-sdk doesn't accept commits from outsiders.

My issues[1] are still open and I see a few other dependencies have been updated 8 hours ago so I assume they will fix these issues soon.

I will lyk once my issues get a meaningful update.

Footnotes
[1] My issues:

grokify commented on September 6, 2024

> Not everything, but yes, you should close since there isn't much we can do; blend/go-sdk doesn't accept commits from outsiders.

Everything with respect to this module, as blend/go-sdk is no longer a dependency. While blend/go-sdk is no longer used, please post back as I'm curious what happens there now.

To remove blend/go-sdk, I upgraded github.com/wcharczuk/go-chart. I've been meaning to do the upgrade for a while but hadn't gotten around to it.

It seems like your script didn't track the dependency chain to github.com/wcharczuk/go-chart, and could possibly be enhanced.

You reported:

        github.com/grokify/[email protected]
                        ⬇
       github.com/blend/[email protected]

but this was missing github.com/wcharczuk/go-chart. The dependency chain between the two was the following, which I tracked down manually.

        github.com/grokify/[email protected]
                        ⬇
 github.com/wcharczuk/[email protected]+incompatible
                        ⬇
       github.com/blend/[email protected]

Here's the full go.mod for github.com/grokify/[email protected]. Of note, github.com/wcharczuk/go-chart v2.0.1+incompatible is an incompatible package which doesn't seem to be covered by your script yet. It would be great to include incompatible packages. If not, minimally, it would be nice to indicate which packages are indirect, to show that a package may not be present in the report.

https://github.com/grokify/gocharts/blob/v1.16.3/go.mod

module github.com/grokify/gocharts

go 1.16

require (
	github.com/360EntSecGroup-Skylar/excelize v1.4.1
	github.com/blend/go-sdk v1.20211204.3 // indirect
	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 // indirect
	github.com/grokify/elastirad-go v0.1.4
	github.com/grokify/mogo v0.32.3
	github.com/jessevdk/go-flags v1.5.0
	github.com/mattn/go-runewidth v0.0.13 // indirect
	github.com/olekukonko/tablewriter v0.0.5
	github.com/pkg/errors v0.9.1
	github.com/valyala/quicktemplate v1.7.0
	github.com/wcharczuk/go-chart v2.0.1+incompatible
	golang.org/x/sys v0.0.0-20211210111614-af8b64212486 // indirect
	google.golang.org/protobuf v1.27.1 // indirect
)

Thanks for your posts and sharing your script! I might end up using it for other issues!

And of course, it's great to get this resolved 👍

IzhakJakov commented on September 6, 2024

Oh nice, I think no blend/go-sdk is a good idea :)

I am not sure why my script is not detecting this but I can try to investigate tomorrow.
My script is not perfect unfortunately and relies on go mod graph which isn't perfect either :/

IzhakJakov commented on September 6, 2024

Looks like the reason github.com/wcharczuk/go-chart v2.0.1+incompatible was left out by my script is because it does not have a go.mod & go.sum.
In order to not contaminate this issue, would you mind opening an issue (nothing fancy) on the script's repo and explain how you found this dep manually?

grokify commented on September 6, 2024

> Looks like the reason github.com/wcharczuk/go-chart v2.0.1+incompatible was left out by my script is because it does not have a go.mod & go.sum.

Agreed. A module indicated as incompatible means it's not managed under Go modules and has no go.mod file.

> In order to not contaminate this issue, would you mind opening an issue (nothing fancy) on the script's repo and explain how you found this dep manually?

Done! 👍
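The manual chain-tracking discussed above (gocharts to go-chart to blend/go-sdk) and the gap where a +incompatible module without a go.mod was skipped, as an added example that is not part of this thread or of either participant's script: a Go walker over `go mod graph` output that finds the shortest requirement path from the main module to a target module path and flags +incompatible nodes. The graph text is constructed to mirror the chain in the thread; the cobra and viper versions in it are placeholders, not real releases.

```go
package main
import "strings"

// Constructed sample of `go mod graph` output ("from to" per line, nodes are path@version,
// the main module has no version). It mirrors the chain found manually in the thread;
// the cobra and viper versions are placeholders, not real releases.
const sampleGraph = `github.com/grokify/gocharts github.com/wcharczuk/go-chart@v2.0.1+incompatible
github.com/wcharczuk/go-chart@v2.0.1+incompatible github.com/blend/go-sdk@v1.20211204.3
github.com/blend/go-sdk@v1.20211204.3 github.com/spf13/cobra@v0.0.0-placeholder
github.com/spf13/cobra@v0.0.0-placeholder github.com/spf13/viper@v0.0.0-placeholder
github.com/spf13/viper@v0.0.0-placeholder github.com/dgrijalva/jwt-go@v3.2.0+incompatible`

// parseGraph builds an adjacency list, skipping blank or malformed lines.
func parseGraph(text string) map[string][]string {
	graph := map[string][]string{}
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			graph[f[0]] = append(graph[f[0]], f[1])
		}
	}
	return graph
}

// isIncompatible flags a +incompatible version: a module published without a go.mod.
func isIncompatible(node string) bool { return strings.HasSuffix(node, "+incompatible") }

// findChain does a BFS from root and returns the shortest requirement path to any version
// of target (a module path), or nil if unreachable. A hit shows the module is required,
// not that its code is linked; confirm with `go mod why -m <module>`.
func findChain(graph map[string][]string, root, target string) []string {
	parent := map[string]string{root: ""}
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		node := queue[0]
		if strings.SplitN(node, "@", 2)[0] == target {
			var chain []string
			for n := node; n != ""; n = parent[n] { // walk parents back to the root
				chain = append([]string{n}, chain...)
			}
			return chain
		}
		for _, next := range graph[node] {
			if _, seen := parent[next]; !seen {
				parent[next] = node
				queue = append(queue, next)
			}
		}
	}
	return nil
}
```

Feed it the real output of `go mod graph` run from the module root; because the full graph lists every required module, including ones module pruning never builds, confirm a hit with `go mod why -m <module>` before treating it as reachable code.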