chore: Update dependencies to address CVEs#3754
Merged
Updated the dependency with the command `go get github.com/btcsuite/btcd/btcutil`. Relevant package updated:

```
go: upgraded github.com/btcsuite/btcd v0.23.0 => v0.23.5-0.20231215221805-96c9fd8078fd
```
Updated the dependency with the command `go get github.com/moby/buildkit`. Relevant package updated:

```
go: upgraded github.com/moby/buildkit v0.10.4 => v0.15.1
```
Found the corresponding dependency:

```
$ go mod graph | grep github.com/nats-io/nats-server/v2
github.com/go-kit/kit@v0.12.0 github.com/nats-io/nats-server/v2@v2.5.0
```

Updated the dependency with the command `go get github.com/go-kit/kit`. The dependency after updating:

```
$ go mod graph | grep github.com/nats-io/nats-server/v2
github.com/go-kit/kit@v0.13.0 github.com/nats-io/nats-server/v2@v2.8.4
```
Change was performed in line 100 of the go.mod file in commit 960870c. Checking the updated dependency:

```
$ go mod graph | grep github.com/emicklei/go-restful
github.com/containerd/containerd@v1.7.19 github.com/emicklei/go-restful/v3@v3.10.1
```
…2024-23653 We've updated github.com/moby/buildkit to a newer version in commit 960870c, but then verified there's one dependency using the old buildkit version (this means that CVE-2024-23653 wasn't addressed):

```
$ go mod graph | grep github.com/moby/buildkit
github.com/bufbuild/buf@v1.9.0 github.com/moby/buildkit@v0.10.4
```

Updated the github.com/bufbuild/buf version to latest; the newer version doesn't use buildkit anymore.
…22-24450 Updating github.com/go-kit/kit to v0.13.0 in commit f5787ef addressed CVE-2022-24450. Check:

```
$ go mod graph | grep github.com/nats-io/nats-server/v2
github.com/go-kit/kit@v0.13.0 github.com/nats-io/nats-server/v2@v2.8.4
```
Updated the dependency with the command `go get github.com/adlio/schema`. Check:

```
$ go mod graph | grep github.com/docker/docker
github.com/tendermint/tendermint github.com/docker/docker@v27.0.3+incompatible
github.com/adlio/schema@v1.3.6 github.com/docker/docker@v24.0.9+incompatible
github.com/bufbuild/buf@v1.36.0 github.com/docker/docker@v27.0.0+incompatible
github.com/bufbuild/buf@v1.36.0 github.com/docker/docker-credential-helpers@v0.8.2
github.com/moby/buildkit@v0.15.1 github.com/docker/docker@v27.0.3+incompatible
github.com/moby/buildkit@v0.15.1 github.com/docker/docker-credential-helpers@v0.8.2
```
Change was performed in line 218 of the go.mod file in commit a20047a. Checking the updated dependency:

```
$ go mod graph | grep github.com/opencontainers/runc
github.com/adlio/schema@v1.3.6 github.com/opencontainers/runc@v1.1.12
```
…23651 Run command and output:

```
$ go get github.com/btcsuite/btcd/btcutil@v1.1.6
go: upgraded github.com/btcsuite/btcd v0.23.5-0.20231215221805-96c9fd8078fd => v0.24.2
```
Thanks for the PR 🙏 Ported it to cometbft/cometbft-load-test#32. It will be released in
melekes
commented
Aug 19, 2024
```
Error: /home/runner/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.0.linux-amd64/src/runtime/time.go:174:17: cannot range over 3 (untyped int constant)
Error: /home/runner/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.0.linux-amd64/src/reflect/iter.go:67:19: cannot range over v.Len() (value of type int)
Error: /home/runner/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.0.linux-amd64/src/reflect/iter.go:75:19: cannot range over v.Len() (value of type int)
Error: /home/runner/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.0.linux-amd64/src/reflect/iter.go:131:19: cannot range over v.Len() (value of type int)
Error: /home/runner/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.0.linux-amd64/src/reflect/iter.go:139:19: cannot range over v.Len() (value of type int)
Error: /home/runner/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.0.linux-amd64/src/reflect/type.go:2320:19: cannot range over num (variable of type int)
Error: /home/runner/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.0.linux-amd64/src/slices/iter.go:50:17: cannot range over seq (variable of type iter.Seq[E])
Error: /home/runner/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.0.linux-amd64/src/unique/clone.go:76:12: cannot range over atyp.Len (variable of type uintptr)
Error: /home/runner/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.0.linux-amd64/src/maps/iter.go:51:20: cannot range over seq (variable of type iter.Seq2[K, V])
```
alesforz
approved these changes
Aug 20, 2024
Author: AlexsandroRyan
This pull request addresses all CVEs reported by the Checkmarx tool during its execution on this repository.
The previous discussion can be found here: https://github.com/cometbft/cometbft/discussions/3558.
I have updated all necessary dependencies to fix the identified CVEs, but some vulnerabilities remain unresolved. I would appreciate any assistance in addressing these remaining issues.
CVE-2021-3538: This issue is related to the github.com/satori/go.uuid package, which is a dependency of tm-load-test. We have already submitted a PR to address this: Replace vulnerable satori/go.uuid with google/uuid informalsystems/tm-load-test#221.
CVE-2024-24786: This vulnerability pertains to the google.golang.org/protobuf package. Running go mod graph | grep google.golang.org/protobuf reveals that many packages are using the vulnerable version. It’s unclear if updating them individually is feasible.
CVE-2024-34478: This vulnerability is associated with github.com/btcsuite/btcd, a dependency of github.com/btcsuite/btcd/btcutil, which is currently used at a version lower than 0.24.0. We have also submitted a pull request for this: Updated btcd dependency of btcutil to address CVE-2024-34478 btcsuite/btcd#2235.
Please let us know if this approach is sufficient or if there is a more efficient way to resolve these issues.
PR checklist

- Tests written/updated
- Changelog entry added in `.changelog` (we use unclog to manage our changelog)
- Updated relevant documentation (`docs/` or `spec/`) and code comments
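The commits in this PR locate a vulnerable module with `go mod graph | grep` and then bump whichever requirer still pins the old version. One caveat worth keeping in mind when reading that output: `go mod graph` prints every requirement edge in the module graph, including versions that minimal version selection (MVS) never builds, because the version that is actually compiled is the highest one reachable from the main module (what `go list -m <module>` reports). A stale edge therefore tells you which direct dependency to bump so the graph stays clean, while the selected version tells you whether the vulnerable code is still in the build. The program below is an added example, not code from this PR or from the cometbft repositories. It parses a constructed `go mod graph` dump modelled on the edges quoted above, computes the MVS-selected version per module, and reports for each advisory both whether the selected version is below the fix and which requirers still pin an older one. The graph text, the main module name `example.com/app`, and the fixed versions in `fixedIn` are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed `go mod graph` output modelled on edges quoted in this PR (not a dump of any real
// repository). Each line is "requirer required"; only the main module has no "@version" suffix.
const graphText = `example.com/app github.com/moby/buildkit@v0.15.1
example.com/app github.com/bufbuild/buf@v1.9.0
example.com/app github.com/btcsuite/btcd/btcutil@v1.1.3
github.com/bufbuild/buf@v1.9.0 github.com/moby/buildkit@v0.10.4
github.com/btcsuite/btcd/btcutil@v1.1.3 github.com/btcsuite/btcd@v0.23.0
`

// Assumed advisory table for the example: module path -> first fixed version.
var fixedIn = map[string]string{"github.com/moby/buildkit": "v0.12.5", "github.com/btcsuite/btcd": "v0.24.0"}

// splitVersion parses vMAJOR.MINOR.PATCH[-prerelease][+metadata]. A pseudo-version such as
// v0.23.5-0.20231215221805-96c9fd8078fd is a prerelease of v0.23.5; "+incompatible" is ignored.
func splitVersion(v string) (core [3]int, pre string) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	v, pre, _ = strings.Cut(v, "-")
	for i, s := range strings.SplitN(v, ".", 3) {
		core[i], _ = strconv.Atoi(s)
	}
	return core, pre
}

// compareVersions is negative, zero or positive as a sorts before, equal to or after b.
func compareVersions(a, b string) int {
	ca, pa := splitVersion(a)
	cb, pb := splitVersion(b)
	for i := range ca {
		if ca[i] != cb[i] {
			return ca[i] - cb[i]
		}
	}
	if pa == "" || pb == "" { // a release outranks any prerelease with the same core
		return len(pb) - len(pa)
	}
	return strings.Compare(pa, pb)
}

// selectedVersions applies minimal version selection: visit every module@version reachable from
// main and keep the highest version seen per path. That, not any single edge grep shows, is what `go build` compiles.
func selectedVersions(reqs map[string][]string, main string) map[string]string {
	selected := map[string]string{}
	seen := map[string]bool{main: true}
	for queue := []string{main}; len(queue) > 0; queue = queue[1:] {
		for _, dep := range reqs[queue[0]] {
			path, ver, _ := strings.Cut(dep, "@")
			if cur, ok := selected[path]; !ok || compareVersions(ver, cur) > 0 {
				selected[path] = ver
			}
			if !seen[dep] {
				seen[dep] = true
				queue = append(queue, dep)
			}
		}
	}
	return selected
}

type Finding struct {
	Selected   string   // the version MVS picks for the module ("" if absent from the graph)
	Vulnerable bool     // the selected version is below the fix
	StaleEdges []string // "requirer -> required"; bump these requirers too, as this PR did with buf
}

// audit parses `go mod graph` output and evaluates each advisory against the graph rooted at main.
func audit(graph, main string, fixed map[string]string) map[string]Finding {
	reqs := map[string][]string{} // requirer -> required modules
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			reqs[f[0]] = append(reqs[f[0]], f[1])
		}
	}
	selected := selectedVersions(reqs, main)
	out := map[string]Finding{}
	for mod, fix := range fixed {
		f := Finding{Selected: selected[mod]}
		f.Vulnerable = f.Selected != "" && compareVersions(f.Selected, fix) < 0
		for from, deps := range reqs {
			for _, to := range deps {
				if p, v, _ := strings.Cut(to, "@"); p == mod && compareVersions(v, fix) < 0 {
					f.StaleEdges = append(f.StaleEdges, from+" -> "+to)
				}
			}
		}
		out[mod] = f
	}
	return out
}

func main() {
	fmt.Printf("%+v\n", audit(graphText, "example.com/app", fixedIn))
}
```

On the constructed graph, buildkit is selected at v0.15.1 (not vulnerable) but buf@v1.9.0 still pins v0.10.4, which is exactly the situation the `…2024-23653` commit describes; btcd is selected at v0.23.0, below the assumed fix, so bumping btcutil is required, not optional. In a real checkout, `go list -m all` gives the same selected versions without parsing, and `govulncheck ./...` goes one step further by reporting only vulnerabilities whose affected functions are reachable from your code.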