
chore: Bump Dependencies Due To Vulnerability Findings#64

Open
clavinjune wants to merge 2 commits into
BaritoLog:masterfrom
clavinjune:chore/bump-dependencies

Conversation

@clavinjune clavinjune commented Oct 17, 2024

Before
go run golang.org/x/vuln/cmd/govulncheck@latest -show verbose ./...
Scanning your code and 381 packages across 50 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-2911
    go-grpc-compression has a zstd decompression bombing vulnerability in
    github.com/mostynb/go-grpc-compression
  More info: https://pkg.go.dev/vuln/GO-2024-2911
  Module: github.com/mostynb/go-grpc-compression
    Found in: github.com/mostynb/go-grpc-compression@v1.1.12
    Fixed in: github.com/mostynb/go-grpc-compression@v1.2.3
    Example traces found:
      #1: router/producer_router.go:298:39: router.producerRouter.handleProduce calls producer.producerClient.Produce, which eventually calls zstd.compressor.Compress
      #2: router/producer_router.go:298:39: router.producerRouter.handleProduce calls producer.producerClient.Produce, which eventually calls zstd.compressor.Decompress
      #3: router/producer_router.go:17:2: router.init calls zstd.init
      #4: router/producer_router.go:298:39: router.producerRouter.handleProduce calls producer.producerClient.Produce, which eventually calls zstd.zstdWriteCloser.Close
      #5: router/producer_router.go:298:39: router.producerRouter.handleProduce calls producer.producerClient.Produce, which eventually calls zstd.zstdWriteCloser.Write

Vulnerability #2: GO-2022-0322
    Uncontrolled resource consumption in github.com/prometheus/client_golang
  More info: https://pkg.go.dev/vuln/GO-2022-0322
  Module: github.com/prometheus/client_golang
    Found in: github.com/prometheus/client_golang@v1.9.0
    Fixed in: github.com/prometheus/client_golang@v1.11.1
    Example traces found:
      #1: main.go:84:42: barito.main calls promhttp.Handler
      #2: router/kibana_router.go:120:32: router.kibanaRouter.ServeHTTP calls reverseproxy.ReverseProxy.ServeHTTP, which eventually calls promhttp.flusherDelegator.Flush
      #3: router/kibana_router.go:213:22: router.kibanaRouter.ServeElasticsearch calls io.Copy, which eventually calls promhttp.readerFromDelegator.ReadFrom
      #4: router/authentication_middleware.go:139:10: router.SSOClient.HandleCallback calls promhttp.responseWriterDelegator.Write
      #5: router/kibana_router.go:212:15: router.kibanaRouter.ServeElasticsearch calls promhttp.responseWriterDelegator.WriteHeader
      #6: main.go:89:2: barito.main calls http.ListenAndServe, which eventually calls promhttp.sanitizeMethod

=== Package Results ===

Vulnerability #1: GO-2024-2978
    Private tokens could appear in logs if context containing gRPC metadata is
    logged in google.golang.org/grpc
  More info: https://pkg.go.dev/vuln/GO-2024-2978
  Module: google.golang.org/grpc
    Found in: google.golang.org/grpc@v1.64.0
    Fixed in: google.golang.org/grpc@v1.64.1

=== Module Results ===

No other vulnerabilities found.

Your code is affected by 2 vulnerabilities from 2 modules.
This scan also found 1 vulnerability in packages you import and 0
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
exit status 3

After
go run golang.org/x/vuln/cmd/govulncheck@latest -show verbose ./...
Scanning your code and 383 packages across 50 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

No vulnerabilities found.

Signed-off-by: clavinjune <24659468+clavinjune@users.noreply.github.com>
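The two runs above show why govulncheck splits its report into Symbol, Package and Module results: only findings with a call path from the scanned code count as "affected" (and drive the non-zero exit status), while GO-2024-2978 is reported as an imported package without any reachable call. The following Go program, added here as an example and not code from the BaritoLog project or from this PR, reads govulncheck's `-json` stream and reproduces that split and the closing counts, so the same distinction can be applied in a CI gate without scraping the text output. The JSON field names (`finding`, `osv`, `fixed_version`, `trace`, `module`, `package`, `function`) follow the govulncheck schema as understood by the example's author; the embedded sample stream is constructed to mirror the three findings above, with `example.com/scanned` standing in for the scanned module path and the gRPC package path chosen only for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// Frame is one entry in a finding's call trace. Field names follow the
// govulncheck -json schema as understood by this example's author; only
// the fields needed here are declared.
type Frame struct {
	Module   string `json:"module"`
	Package  string `json:"package,omitempty"`
	Function string `json:"function,omitempty"`
}

// Finding is one vulnerability report. Trace[0] names the vulnerable
// symbol, package or module; the last frame is the entry point in the
// scanned code.
type Finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version,omitempty"`
	Trace        []Frame `json:"trace"`
}

// Message is one object of the stream; "config", "progress" and "osv"
// messages decode to an empty Message and are skipped.
type Message struct {
	Finding *Finding `json:"finding,omitempty"`
}

// Level is how precisely the scanner tied the code to the vulnerability.
type Level int

const (
	ModuleLevel  Level = iota // go.mod requires the module, nothing imported
	PackageLevel              // vulnerable package imported, no call path found
	SymbolLevel               // call path to the vulnerable function found
)

func (l Level) String() string { return [...]string{"module", "package", "symbol"}[l] }

// LevelOf classifies a finding by its first trace frame.
func LevelOf(f Finding) Level {
	if len(f.Trace) == 0 {
		return ModuleLevel
	}
	switch first := f.Trace[0]; {
	case first.Function != "":
		return SymbolLevel
	case first.Package != "":
		return PackageLevel
	}
	return ModuleLevel
}

// Classify reads a govulncheck -json stream and keeps the most precise
// level seen per OSV ID (govulncheck emits several findings per ID, one
// per trace), together with the vulnerable module for that ID.
func Classify(r io.Reader) (map[string]Level, map[string]string, error) {
	levels, modules := map[string]Level{}, map[string]string{}
	dec := json.NewDecoder(r)
	for {
		var m Message
		if err := dec.Decode(&m); err == io.EOF {
			return levels, modules, nil
		} else if err != nil {
			return nil, nil, err
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue
		}
		f := *m.Finding
		if cur, ok := levels[f.OSV]; !ok || LevelOf(f) > cur {
			levels[f.OSV] = LevelOf(f)
			modules[f.OSV] = f.Trace[0].Module
		}
	}
}

// Summary reproduces the counts in govulncheck's closing text lines.
type Summary struct{ Affected, AffectedModules, Imported, Required int }

func Summarize(levels map[string]Level, modules map[string]string) Summary {
	var s Summary
	mods := map[string]bool{}
	for id, lvl := range levels {
		switch lvl {
		case SymbolLevel:
			s.Affected++
			mods[modules[id]] = true
		case PackageLevel:
			s.Imported++
		default:
			s.Required++
		}
	}
	s.AffectedModules = len(mods)
	return s
}

// SampleJSON is a constructed stream mirroring the three findings in the
// PR text; example.com/scanned stands in for the scanned module path.
const SampleJSON = `
{"config":{}}
{"finding":{"osv":"GO-2024-2911","fixed_version":"v1.2.3","trace":[{"module":"github.com/mostynb/go-grpc-compression"}]}}
{"finding":{"osv":"GO-2024-2911","fixed_version":"v1.2.3","trace":[{"module":"github.com/mostynb/go-grpc-compression","package":"github.com/mostynb/go-grpc-compression/zstd","function":"Decompress"},{"module":"example.com/scanned","package":"example.com/scanned/router","function":"handleProduce"}]}}
{"finding":{"osv":"GO-2022-0322","fixed_version":"v1.11.1","trace":[{"module":"github.com/prometheus/client_golang","package":"github.com/prometheus/client_golang/prometheus/promhttp","function":"Handler"},{"module":"example.com/scanned","package":"example.com/scanned","function":"main"}]}}
{"finding":{"osv":"GO-2024-2978","fixed_version":"v1.64.1","trace":[{"module":"google.golang.org/grpc","package":"google.golang.org/grpc/metadata"}]}}
`

func main() {
	var in io.Reader = strings.NewReader(SampleJSON)
	if len(os.Args) > 1 && os.Args[1] == "-" { // govulncheck -json ./... | go run . -
		in = os.Stdin
	}
	levels, modules, err := Classify(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, "parse:", err)
		os.Exit(1)
	}
	for id, lvl := range levels {
		fmt.Printf("%s: %s-level finding in %s\n", id, lvl, modules[id])
	}
	s := Summarize(levels, modules)
	fmt.Printf("affected by %d vulnerabilities from %d modules; %d imported-only, %d required-only\n",
		s.Affected, s.AffectedModules, s.Imported, s.Required)
	if s.Affected > 0 {
		os.Exit(3) // same status the text-mode "Before" run above ended with
	}
}
```

Run with no argument to classify the built-in sample, or pipe `govulncheck -json ./...` into it with `-` as the only argument. Failing the build only on symbol-level findings matches what the text output calls "affected"; package- and module-level findings are still worth tracking, since a later code change can turn an imported vulnerable package into a reachable one.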
@clavinjune clavinjune self-assigned this Oct 17, 2024
@clavinjune clavinjune marked this pull request as draft October 17, 2024 11:16
@clavinjune clavinjune changed the title Draft: chore: Bump Dependencies Due To Vulnerability Findings chore: Bump Dependencies Due To Vulnerability Findings Oct 17, 2024
Signed-off-by: clavinjune <24659468+clavinjune@users.noreply.github.com>
@clavinjune clavinjune marked this pull request as ready for review October 17, 2024 11:23