
Security vulnerabilities report #465

@TheoBrigitte

Summary

On latest master, nancy found 4 vulnerable dependencies with 5 high to critical CVEs.

  • pkg:golang/github.com/kataras/iris/v12@v12.1.8 : CVE-2021-23772 ( CVSS Score : 8.8/10 (High) )
  • pkg:golang/github.com/microcosm-cc/bluemonday@v1.0.2 : CVE-2021-42576 ( CVSS Score : 9.8/10 (Critical) )
  • pkg:golang/github.com/nats-io/jwt@v0.3.0 : CVE-2020-26892 ( CVSS Score : 9.8/10 (Critical) )
  • pkg:golang/github.com/nats-io/jwt@v0.3.0 : CVE-2021-3127 ( CVSS Score : 7.5/10 (High) )
  • pkg:golang/github.com/valyala/fasthttp@v1.6.0 : CVE-2022-21221 ( CVSS Score : 7.5/10 (High) )

Steps To Reproduce

$ git checkout master
$ CGO_ENABLED=0 go list -json -m all | nancy sleuth --skip-update-check --quiet -x /dev/null
...

5 Vulnerable Packages

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                       ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━┫
┃ Audited Dependencies    ┃ 129 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━┫
┃ Vulnerable Dependencies ┃ 5   ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━┛

Expected Behavior

Zero security vulnerability found.

$ CGO_ENABLED=0 go list -json -m all | nancy sleuth --skip-update-check --quiet -x /dev/null
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                       ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━┫
┃ Audited Dependencies    ┃ 136 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━┫
┃ Vulnerable Dependencies ┃ 0   ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━┛

Environment

- Go version: 1.19
- Nancy version: 1.0.37-1
- sentry-go version: 26ea60338007cb88445870a06353fb79df9d8338

Additional context

This was already reported in multiple issues: #423 #438 #445
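As an added example (not code from the sentry-go project or from the issue author), the following Go program does by hand what the reproduction step pipes into nancy: it decodes the `go list -json -m all` stream, which is a sequence of concatenated JSON objects rather than a JSON array, builds the same `pkg:golang/<path>@<version>` coordinates nancy prints, and matches them against an advisory list. The advisory entries reuse the CVE ids and scores from the report above; the module list, the main-module line and the `replace` of bluemonday to v1.0.16 are constructed input, included to show that a replace directive changes what is actually audited, and that one module carrying two CVEs (nats-io/jwt here) is why "vulnerable dependencies" and "CVEs" are two different counts.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Module holds the fields of `go list -json -m all` output this audit needs.
type Module struct {
	Path     string  `json:"Path"`
	Version  string  `json:"Version"`
	Main     bool    `json:"Main"`
	Indirect bool    `json:"Indirect"`
	Replace  *Module `json:"Replace"`
}

// Advisory is a constructed, minimal advisory record (not a real feed format).
type Advisory struct {
	Path, Version, CVE string
	CVSS               float64
}

// Finding is one (module, CVE) match keyed by the purl coordinate nancy prints.
type Finding struct {
	Purl, CVE string
	CVSS      float64
}

// effective returns the module that actually gets built: the replace target
// when a `replace` directive applies, otherwise the module itself.
func effective(m Module) Module {
	if m.Replace != nil {
		return *m.Replace
	}
	return m
}

// purl formats the package-url nancy reports, e.g. pkg:golang/github.com/nats-io/jwt@v0.3.0.
func purl(m Module) string {
	e := effective(m)
	return "pkg:golang/" + e.Path + "@" + e.Version
}

// parseModules decodes the concatenated JSON objects `go list -json -m all` writes.
func parseModules(r io.Reader) ([]Module, error) {
	dec := json.NewDecoder(r)
	var mods []Module
	for {
		var m Module
		if err := dec.Decode(&m); err == io.EOF {
			return mods, nil
		} else if err != nil {
			return nil, err
		}
		mods = append(mods, m)
	}
}

// audit matches each non-main module's effective path and version against the
// advisories; a module affected by two CVEs yields two findings.
func audit(mods []Module, advs []Advisory) []Finding {
	var out []Finding
	for _, m := range mods {
		if m.Main {
			continue // the main module has no version and is not a dependency
		}
		e := effective(m)
		for _, a := range advs {
			if e.Path == a.Path && e.Version == a.Version {
				out = append(out, Finding{Purl: purl(m), CVE: a.CVE, CVSS: a.CVSS})
			}
		}
	}
	return out
}

// summarize returns the distinct vulnerable module count and the CVE count.
func summarize(fs []Finding) (modules, cves int) {
	seen := map[string]bool{}
	for _, f := range fs {
		seen[f.Purl] = true
	}
	return len(seen), len(fs)
}

// Constructed input in the shape `go list -json -m all` produces; the
// bluemonday replace to v1.0.16 is hypothetical.
const sampleGoList = `
{ "Path": "github.com/example/app", "Main": true }
{ "Path": "github.com/nats-io/jwt", "Version": "v0.3.0", "Indirect": true }
{ "Path": "github.com/valyala/fasthttp", "Version": "v1.6.0" }
{ "Path": "github.com/microcosm-cc/bluemonday", "Version": "v1.0.2",
  "Replace": { "Path": "github.com/microcosm-cc/bluemonday", "Version": "v1.0.16" } }
`

// The CVE ids and scores listed in the report above.
var sampleAdvisories = []Advisory{
	{"github.com/kataras/iris/v12", "v12.1.8", "CVE-2021-23772", 8.8},
	{"github.com/microcosm-cc/bluemonday", "v1.0.2", "CVE-2021-42576", 9.8},
	{"github.com/nats-io/jwt", "v0.3.0", "CVE-2020-26892", 9.8},
	{"github.com/nats-io/jwt", "v0.3.0", "CVE-2021-3127", 7.5},
	{"github.com/valyala/fasthttp", "v1.6.0", "CVE-2022-21221", 7.5},
}

func main() {
	mods, err := parseModules(strings.NewReader(sampleGoList))
	if err != nil {
		panic(err)
	}
	fs := audit(mods, sampleAdvisories)
	for _, f := range fs {
		fmt.Printf("%s : %s ( CVSS %.1f )\n", f.Purl, f.CVE, f.CVSS)
	}
	m, c := summarize(fs)
	fmt.Printf("%d vulnerable dependencies, %d CVEs\n", m, c)
}
```

On the constructed input this reports two findings for nats-io/jwt@v0.3.0 and one for fasthttp@v1.6.0, and nothing for bluemonday because the replace target v1.0.16 is not the version in the advisory list. Replacing `strings.NewReader(sampleGoList)` with `os.Stdin` lets the program consume `CGO_ENABLED=0 go list -json -m all` directly; the advisory list would then come from a real feed such as the one nancy queries.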

Labels: Bug