So I fixed this with just bumping redis up in the main branch. I see you are doing this in
If I bump I get this diff:

diff --git a/go.mod b/go.mod
index a92ab4fb..00bea9dc 100644
--- a/go.mod
+++ b/go.mod
@@ -35,7 +35,7 @@ require (
github.com/xeipuuv/gojsonschema v1.2.0
golang.org/x/crypto v0.36.0
golang.org/x/term v0.30.0
- golang.org/x/text v0.23.0
+ golang.org/x/text v0.24.0
gopkg.in/yaml.v3 v3.0.1
k8s.io/api v0.32.3
k8s.io/apiextensions-apiserver v0.32.3
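Review bot: this hunk only raises golang.org/x/text from v0.23.0 to v0.24.0, which does not touch any of the findings reported further down in this comment: github.com/redis/go-redis/v9 is still at v9.1.0 there (GO-2025-3540, fixed in v9.6.3) and the remaining findings are in the Go standard library. If the intent is to clear the go-redis finding, as the earlier comment about bumping redis suggests, the require block needs that bump too, e.g. `go get github.com/redis/go-redis/v9@v9.6.3 && go mod tidy`, and the resulting go.mod/go.sum lines should be part of this diff.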
@@ -163,7 +163,7 @@ require (
golang.org/x/mod v0.21.0 // indirect
golang.org/x/net v0.37.0 // indirect
golang.org/x/oauth2 v0.23.0 // indirect
- golang.org/x/sync v0.12.0 // indirect
+ golang.org/x/sync v0.13.0 // indirect
golang.org/x/sys v0.31.0 // indirect
golang.org/x/time v0.7.0 // indirect
golang.org/x/tools v0.26.0 // indirect
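Review bot: golang.org/x/sync moving from v0.12.0 to v0.13.0 as an indirect dependency is just the transitive effect of the x/text bump, and neither it nor the unchanged golang.org/x/net v0.37.0 is named in the govulncheck output below; the standard-library findings there (net/http/internal, crypto/internal/nistec) are fixed by the Go release in their "Fixed in" line (go1.23.6 and go1.23.8), not by any golang.org/x module, so this hunk cannot change the scan result. The `go` directive (or a `toolchain` line) in go.mod is the part that has to move, and it is not in this diff.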
diff --git a/go.sum b/go.sum
index b0e35d8b..ab117d09 100644
--- a/go.sum
+++ b/go.sum
@@ -437,8 +437,8 @@ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
+golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
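Review bot: the new golang.org/x/sync v0.13.0/go.mod checksum (h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=) is byte-identical to the v0.12.0 line being removed, which is what you expect when only the module's source and not its go.mod changed between releases, so nothing is wrong here; since go.sum is the trust anchor for what `go build` will download, it is still worth stating in the PR that these lines came from `go get`/`go mod tidy` and pass `go mod verify` against the checksum database rather than being edited by hand.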
@@ -478,8 +478,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
+golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

but then the scan of vulnerabilities is not good:

» govulncheck ./...
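Review bot: unlike x/sync above, golang.org/x/text's /go.mod checksum does change between v0.23.0 and v0.24.0 (h1:/BLNzu4aZCJ1+... to h1:L8rBsPeo2pSS+...), so x/text's own go.mod differs between the two releases, possibly a raised `go` directive; check that it does not exceed the Go version CI runs with (the scan output reports go1.23.5), e.g. with `go list -m -f '{{.GoVersion}}' golang.org/x/text@v0.24.0`, otherwise the build either pulls a newer toolchain or fails depending on GOTOOLCHAIN.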
=== Symbol Results ===
Vulnerability #1: GO-2025-3563
Request smuggling due to acceptance of invalid chunked data in net/http
More info: https://pkg.go.dev/vuln/GO-2025-3563
Standard library
Found in: net/http/internal@go1.23.5
Fixed in: net/http/internal@go1.23.8
Example traces found:
#1: pkg/repo/chartrepo.go:134:26: repo.ChartRepository.DownloadIndexFile calls io.ReadAll, which eventually calls internal.chunkedReader.Read
Vulnerability #2: GO-2025-3540
Potential out of order responses when CLIENT SETINFO times out during
connection establishment in github.com/redis/go-redis
More info: https://pkg.go.dev/vuln/GO-2025-3540
Module: github.com/redis/go-redis/v9
Found in: github.com/redis/go-redis/v9@v9.1.0
Fixed in: github.com/redis/go-redis/v9@v9.6.3
Example traces found:
#1: pkg/action/lazyclient.go:49:17: action.lazyClient.init calls sync.Once.Do, which eventually calls redis.baseClient.initConn
#2: pkg/action/lazyclient.go:49:17: action.lazyClient.init calls sync.Once.Do, which eventually calls redis.baseClient.initConn
#3: pkg/action/lazyclient.go:49:17: action.lazyClient.init calls sync.Once.Do, which eventually calls redis.baseClient.initConn
Vulnerability #3: GO-2025-3447
Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec
More info: https://pkg.go.dev/vuln/GO-2025-3447
Standard library
Found in: crypto/internal/nistec@go1.23.5
Fixed in: crypto/internal/nistec@go1.23.6
Platforms: ppc64le
Example traces found:
#1: pkg/provenance/sign.go:315:39: provenance.Signatory.verifySignature calls openpgp.CheckDetachedSignature, which eventually calls nistec.P256Point.ScalarBaseMult
#2: pkg/provenance/sign.go:315:39: provenance.Signatory.verifySignature calls openpgp.CheckDetachedSignature, which eventually calls nistec.P256Point.ScalarMult
#3: internal/tlsutil/tls.go:62:27: tlsutil.CertPoolFromFile calls x509.CertPool.AppendCertsFromPEM, which eventually calls nistec.P256Point.SetBytes
Your code is affected by 3 vulnerabilities from 1 module and the Go standard library.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.

I tried on go 1.23.0 and it's worse:

benoit.tigeot » govulncheck ./...
=== Symbol Results ===
Vulnerability #1: GO-2025-3563
Request smuggling due to acceptance of invalid chunked data in net/http
More info: https://pkg.go.dev/vuln/GO-2025-3563
Standard library
Found in: net/http/internal@go1.23
Fixed in: net/http/internal@go1.23.8
Example traces found:
#1: pkg/repo/chartrepo.go:134:26: repo.ChartRepository.DownloadIndexFile calls io.ReadAll, which eventually calls internal.chunkedReader.Read
Vulnerability #2: GO-2025-3540
Potential out of order responses when CLIENT SETINFO times out during
connection establishment in github.com/redis/go-redis
More info: https://pkg.go.dev/vuln/GO-2025-3540
Module: github.com/redis/go-redis/v9
Found in: github.com/redis/go-redis/v9@v9.1.0
Fixed in: github.com/redis/go-redis/v9@v9.6.3
Example traces found:
#1: pkg/action/lazyclient.go:49:17: action.lazyClient.init calls sync.Once.Do, which eventually calls redis.baseClient.initConn
#2: pkg/action/lazyclient.go:49:17: action.lazyClient.init calls sync.Once.Do, which eventually calls redis.baseClient.initConn
#3: pkg/action/lazyclient.go:49:17: action.lazyClient.init calls sync.Once.Do, which eventually calls redis.baseClient.initConn
Vulnerability #3: GO-2025-3447
Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec
More info: https://pkg.go.dev/vuln/GO-2025-3447
Standard library
Found in: crypto/internal/nistec@go1.23
Fixed in: crypto/internal/nistec@go1.23.6
Platforms: ppc64le
Example traces found:
#1: pkg/provenance/sign.go:315:39: provenance.Signatory.verifySignature calls openpgp.CheckDetachedSignature, which eventually calls nistec.P256Point.ScalarBaseMult
#2: pkg/provenance/sign.go:315:39: provenance.Signatory.verifySignature calls openpgp.CheckDetachedSignature, which eventually calls nistec.P256Point.ScalarMult
#3: internal/tlsutil/tls.go:62:27: tlsutil.CertPoolFromFile calls x509.CertPool.AppendCertsFromPEM, which eventually calls nistec.P256Point.SetBytes
Vulnerability #4: GO-2025-3420
Sensitive headers incorrectly sent after cross-domain redirect in net/http
More info: https://pkg.go.dev/vuln/GO-2025-3420
Standard library
Found in: net/http@go1.23
Fixed in: net/http@go1.23.5
Example traces found:
#1: internal/monocular/search.go:126:35: monocular.Client.Search calls http.Client.Do
#2: pkg/kube/roundtripper.go:39:37: kube.RetryingRoundTripper.roundTrip calls oidc.roundTripper.RoundTrip, which eventually calls http.Client.Get
#3: pkg/repo/repotest/server.go:128:32: repotest.NewOCIServer calls registry.NewRegistry, which eventually calls http.Client.Post
#4: pkg/plugin/installer/vcs_installer.go:57:26: installer.NewVCSInstaller calls vcs.NewRepo, which eventually calls http.Get
#5: pkg/plugin/installer/installer.go:98:24: installer.isRemoteHTTPArchive calls http.Head
Vulnerability #5: GO-2025-3373
Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2025-3373
Standard library
Found in: crypto/x509@go1.23
Fixed in: crypto/x509@go1.23.5
Example traces found:
#1: internal/tlsutil/tls.go:62:27: tlsutil.CertPoolFromFile calls x509.CertPool.AppendCertsFromPEM
#2: pkg/repo/chartrepo.go:134:26: repo.ChartRepository.DownloadIndexFile calls io.ReadAll, which eventually calls x509.Certificate.Verify
#3: pkg/repo/chartrepo.go:134:26: repo.ChartRepository.DownloadIndexFile calls io.ReadAll, which eventually calls x509.Certificate.VerifyHostname
#4: pkg/repo/repotest/server.go:148:2: repotest.OCIServer.Run calls registry.Registry.ListenAndServe, which eventually calls x509.CreateCertificate
#5: pkg/repo/repotest/server.go:148:2: repotest.OCIServer.Run calls registry.Registry.ListenAndServe, which eventually calls x509.CreateCertificateRequest
#6: pkg/action/install.go:323:93: action.Install.RunWithContext calls x509.HostnameError.Error
#7: pkg/repo/repotest/server.go:148:2: repotest.OCIServer.Run calls registry.Registry.ListenAndServe, which eventually calls x509.MarshalECPrivateKey
#8: pkg/repo/repotest/server.go:148:2: repotest.OCIServer.Run calls registry.Registry.ListenAndServe, which eventually calls x509.MarshalPKCS1PrivateKey
#9: pkg/repo/repotest/server.go:377:16: repotest.Server.StartTLS calls httptest.Server.StartTLS, which calls x509.ParseCertificate
#10: pkg/repo/repotest/server.go:148:2: repotest.OCIServer.Run calls registry.Registry.ListenAndServe, which eventually calls x509.ParseCertificates
#11: internal/tlsutil/tls.go:73:34: tlsutil.CertFromFilePair calls tls.LoadX509KeyPair, which eventually calls x509.ParseECPrivateKey
#12: internal/tlsutil/tls.go:73:34: tlsutil.CertFromFilePair calls tls.LoadX509KeyPair, which eventually calls x509.ParsePKCS1PrivateKey
#13: internal/tlsutil/tls.go:73:34: tlsutil.CertFromFilePair calls tls.LoadX509KeyPair, which eventually calls x509.ParsePKCS8PrivateKey
Your code is affected by 5 vulnerabilities from 1 module and the Go standard library.
This scan also found 2 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
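An added example, not code from helm or from anyone in this thread, that makes the distinction in the two scans above mechanical: it parses govulncheck's text report, separates the standard-library findings (whose fix is the Go release named in "Fixed in", so the `go`/`toolchain` directive in go.mod has to move) from module findings (whose fix is a `go get`), and checks whether a given go.mod already pins a high enough Go. The report string is a constructed, condensed copy of the first run quoted above with the descriptions and call traces dropped; the go.mod fragments passed to it are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Finding is one "Vulnerability #N" entry of govulncheck's text report.
type Finding struct {
	ID, Module, FixedIn string // Module is "std" for standard-library entries
	Stdlib              bool   // fixed by a newer toolchain, not a module bump
}

// ParseReport extracts findings from govulncheck's "Symbol Results" section.
func ParseReport(report string) []Finding {
	var out []Finding
	for _, raw := range strings.Split(report, "\n") {
		line, cur := strings.TrimSpace(raw), len(out)-1
		switch {
		case strings.HasPrefix(line, "Vulnerability #"):
			out = append(out, Finding{ID: line[strings.Index(line, ": ")+2:]})
		case cur < 0: // header lines before the first finding
		case line == "Standard library":
			out[cur].Stdlib, out[cur].Module = true, "std"
		case strings.HasPrefix(line, "Module: "):
			out[cur].Module = strings.TrimPrefix(line, "Module: ")
		case strings.HasPrefix(line, "Fixed in: "): // "pkg@version": keep the version
			out[cur].FixedIn = line[strings.LastIndex(line, "@")+1:]
		}
	}
	return out
}

// goVersion parses "go1.23.8", "1.23.8" or "go1.23" (= 1.23.0); anything else, e.g. "go1.24rc1", is all zeros.
func goVersion(v string) (n [3]int) {
	for i, p := range strings.SplitN(strings.TrimPrefix(strings.TrimSpace(v), "go"), ".", 3) {
		x, err := strconv.Atoi(p)
		if err != nil {
			return [3]int{}
		}
		n[i] = x
	}
	return n
}

// CompareGo orders two Go release versions numerically: -1, 0 or 1.
func CompareGo(a, b string) int {
	x, y := goVersion(a), goVersion(b)
	for i := range x {
		if x[i] != y[i] {
			if x[i] < y[i] {
				return -1
			}
			return 1
		}
	}
	return 0
}

// PinnedGo returns the Go version a go.mod pins: its `toolchain` directive when present, else its `go` directive as "goX.Y.Z".
func PinnedGo(gomod string) string {
	goDir, tc := "", ""
	for _, l := range strings.Split(gomod, "\n") {
		if f := strings.Fields(l); len(f) == 2 && f[0] == "go" {
			goDir = "go" + strings.TrimPrefix(f[1], "go")
		} else if len(f) == 2 && f[0] == "toolchain" {
			tc = f[1]
		}
	}
	if tc != "" {
		return tc
	}
	return goDir
}

// Remediation returns the toolchain the stdlib findings need (their highest "Fixed in"), whether gomod pins something older, and `go get` targets for module findings.
func Remediation(gomod string, fs []Finding) (toolchain string, bump bool, gets []string) {
	for _, f := range fs {
		switch {
		case f.FixedIn == "":
		case f.Stdlib:
			if CompareGo(f.FixedIn, toolchain) > 0 {
				toolchain = f.FixedIn
			}
		default:
			gets = append(gets, "go get "+f.Module+"@"+f.FixedIn)
		}
	}
	return toolchain, toolchain != "" && CompareGo(PinnedGo(gomod), toolchain) < 0, gets
}

// sampleReport is a constructed, condensed copy of the first govulncheck run quoted in this thread.
const sampleReport = `Vulnerability #1: GO-2025-3563
Standard library
Fixed in: net/http/internal@go1.23.8
Vulnerability #2: GO-2025-3540
Module: github.com/redis/go-redis/v9
Fixed in: github.com/redis/go-redis/v9@v9.6.3
Vulnerability #3: GO-2025-3447
Standard library
Fixed in: crypto/internal/nistec@go1.23.6
`

func main() {
	// "go 1.23.5" is an assumed go.mod fragment, not helm's actual go.mod.
	tc, bump, gets := Remediation("go 1.23.5\n", ParseReport(sampleReport))
	fmt.Println("toolchain needed:", tc, "| bump go.mod:", bump, "| module fixes:", gets)
}
```

Two caveats when reading the result: the `go` directive is only a minimum, so with GOTOOLCHAIN=auto a CI runner may already be building with a newer patch release than go.mod names (the "Found in: ...@go1.23.5" versus "...@go1.23" lines in the two runs above show that govulncheck reports against whichever toolchain it was run with); and module findings are only cleared once the bumped version is actually selected by the module graph, which `go list -m` after the `go get` confirms.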
I have a failing output if I use the same Go version as the CI. The last run was 3 weeks ago: https://github.com/helm/helm/actions/runs/13931751693/job/38990317124 So it's maybe just a new vuln.
You were right. I've opened a new PR with the change: #30745
What this PR does / why we need it:
This is a new attempt for #30729. Locally I had 3 failures in govulncheck on upgrade: https://github.com/helm/helm/actions/runs/14321078449/job/40137956356?pr=30729
Not sure if it's ok to bump Go to this version.