Skip to content

nancy: ignore go-retryablehttp@v0.7.4#2559

Merged
zzzckck merged 1 commit intobnb-chain:developfrom
zzzckck:nancy_ignore_2
Jul 2, 2024
Merged

nancy: ignore go-retryablehttp@v0.7.4#2559
zzzckck merged 1 commit intobnb-chain:developfrom
zzzckck:nancy_ignore_2

Conversation

@zzzckck
Copy link
Copy Markdown
Collaborator

@zzzckck zzzckck commented Jul 2, 2024

Description

Detected Nancy failure:


pkg:golang/github.com/hashicorp/go-retryablehttp@v0.7.4
1 known vulnerabilities affecting installed version 
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2024-6104] CWE-532: Information Exposure Through Log Files                                                                                                                                                                 ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to                                                                                                                                 ┃
┃                    ┃ its log file. This could lead to go-retryablehttp writing sensitive HTTP                                                                                                                                   ┃
┃                    ┃ basic auth credentials to its log file. This vulnerability, CVE-2024-6104,                                                                                                                                 ┃
┃                    ┃ was fixed in go-retryablehttp 0.7.7.                                                                                                                                                                       ┃
��━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫

go-retryablehttp is imported indirectly by cloudflare-go, which is only used for cmd/devp2p, the vulnerability is limited. Update the go-retryablehttp to v0.7.7 will upgrade many other dependencies, so we can delay this upgrade right now.

go mod why -m github.com/hashicorp/go-retryablehttp
# github.com/hashicorp/go-retryablehttp
github.com/ethereum/go-ethereum/cmd/devp2p
github.com/cloudflare/cloudflare-go
github.com/hashicorp/go-retryablehttp

Rationale

NA

Example

NA

@zzzckck zzzckck changed the title nancy: ignore go-retryablehttp@v0.7.4 in .nancy-ignore nancy: ignore go-retryablehttp@v0.7.4 Jul 2, 2024
@zzzckck zzzckck merged commit 51e27f9 into bnb-chain:develop Jul 2, 2024
This was referenced Jul 17, 2024
Merged
Merged
@zzzckck zzzckck deleted the nancy_ignore_2 branch May 14, 2025 06:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zlacfzy zlacfzy zlacfzy approved these changes

@galaio galaio Awaiting requested review from galaio

+2 more reviewers

@MatusKysel MatusKysel MatusKysel approved these changes

@buddh0 buddh0 buddh0 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@zzzckck @MatusKysel @buddh0 @zlacfzy