Commit ed38681
authored
go.mod: ginkgo/v2 v2.3.1, golang.org/x/text v0.3.8, update go versions (#880)
* gha: remove go1.17, temporarily force 1.18.7, 1.19.2
The security scanner is flagging the code to have a vulnerability, but it's
detecting that we're running go1.18.6, not "latest" (go1.18.7 at time of writing).
Temporarily pinning to go1.18.7 to force installing the latest version:
Vulnerability #1: GO-2022-1039
Programs which compile regular expressions from untrusted
sources may be vulnerable to memory exhaustion or denial of
service. The parsed regexp representation is linear in the size
of the input, but in some cases the constant factor can be as
high as 40,000, making relatively small regexps consume much
larger amounts of memory. After fix, each regexp being parsed is
limited to a 256 MB memory footprint. Regular expressions whose
representation would use more space than that are rejected.
Normal use of regular expressions is unaffected.
Call stacks in your code:
Error: helpers.go:463:26: github.com/securego/gosec/v2.ExcludedDirsRegExp calls regexp.MustCompile, which eventually calls regexp/syntax.Parse
Found in: regexp/[email protected]
Fixed in: regexp/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-1039
Signed-off-by: Sebastiaan van Stijn <[email protected]>
* go.mod: github.com/onsi/ginkgo/v2 v2.3.1
CI was failing because of a mismatch:
/home/runner/go/bin/ginkgo -v --fail-fast
Ginkgo detected a version mismatch between the Ginkgo CLI and the version of Ginkgo imported by your packages:
Ginkgo CLI Version:
2.3.1
Mismatched package versions found:
2.2.0 used by gosec
Signed-off-by: Sebastiaan van Stijn <[email protected]>
* go.mod: golang.org/x/text v0.3.8
to address GO-2022-1059
The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.
Vulnerability #1: GO-2022-1059
An attacker may cause a denial of service by crafting an Accept-Language
header which ParseAcceptLanguage will take significant time to parse.
Found in: golang.org/x/text/[email protected]
Fixed in: golang.org/x/text/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-1059
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>1 parent 8466173 commit ed38681
3 files changed
+12
-13
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
11 | 11 | | |
12 | 12 | | |
13 | 13 | | |
14 | | - | |
15 | | - | |
16 | | - | |
| 14 | + | |
| 15 | + | |
17 | 16 | | |
18 | 17 | | |
19 | 18 | | |
| |||
45 | 44 | | |
46 | 45 | | |
47 | 46 | | |
48 | | - | |
| 47 | + | |
49 | 48 | | |
50 | 49 | | |
51 | 50 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
6 | 6 | | |
7 | 7 | | |
8 | 8 | | |
9 | | - | |
10 | | - | |
| 9 | + | |
| 10 | + | |
11 | 11 | | |
12 | 12 | | |
13 | | - | |
| 13 | + | |
14 | 14 | | |
15 | 15 | | |
16 | 16 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
256 | 256 | | |
257 | 257 | | |
258 | 258 | | |
259 | | - | |
260 | | - | |
| 259 | + | |
| 260 | + | |
261 | 261 | | |
262 | | - | |
263 | | - | |
| 262 | + | |
| 263 | + | |
264 | 264 | | |
265 | 265 | | |
266 | 266 | | |
| |||
497 | 497 | | |
498 | 498 | | |
499 | 499 | | |
500 | | - | |
501 | | - | |
| 500 | + | |
| 501 | + | |
502 | 502 | | |
503 | 503 | | |
504 | 504 | | |
| |||
0 commit comments