Snyk Issues

[efectn]

We want to add Pgx to https://github.com/gofiber/storage but we're getting some Snyk errors. Can you check them? Thanks!
Ref PR: gofiber/storage#153

High-Level Errors:

• CVE-2020-14040
  Introduced through: golang.org/x/text/encoding/unicode - github.com/gofiber/storage/postgres@0.0.0 › github.com/jackc/pgx@v5.0.4 › golang.org/x/text@v0.3.8 › golang.org/x/mod@v0.6.0-dev.0.20220419223038-86c51ed26bb4 › golang.org/x/tools@v0.0.0-20191119224855-298f0cb1881e › golang.org/x/net@v0.0.0-20190620200207-3b0461eec859 › golang.org/x/text@v0.3.0
• CVE-2021-44716
  Introduced through: github.com/gofiber/storage/postgres@0.0.0 › github.com/jackc/pgx@v5.0.4 › golang.org/x/text@v0.3.8 › golang.org/x/mod@v0.6.0-dev.0.20220419223038-86c51ed26bb4 › golang.org/x/tools@v0.0.0-20191119224855-298f0cb1881e › golang.org/x/net@v0.0.0-20190620200207-3b0461eec859
  Introduced through: github.com/gofiber/storage/postgres@0.0.0 › github.com/jackc/pgx@v5.0.4 › golang.org/x/text@v0.3.8 › golang.org/x/mod@v0.6.0-dev.0.20220419223038-86c51ed26bb4 › golang.org/x/crypto@v0.0.0-20210921155107-089bfa567519 › golang.org/x/net@v0.0.0-20210226172049-e18ecbb05110
  Introduced through: github.com/gofiber/storage/postgres@0.0.0 › github.com/jackc/pgx@v5.0.4 › golang.org/x/crypto@v0.0.0-20220829220503-c86fa9a7ed90 › golang.org/x/net@v0.0.0-20211112202133-69e39bad7dc2
• CVE-2022-28948
  Introduced through: github.com/gofiber/storage/postgres@0.0.0 › github.com/jackc/pgx@v5.0.4 › github.com/jackc/puddle@v2.0.0 › github.com/stretchr/objx@v0.4.0 › github.com/stretchr/testify@v1.7.1 › gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c
• CVE-2020-29652
  Introduced through: github.com/gofiber/storage/postgres@0.0.0 › github.com/jackc/pgx@v5.0.4 › golang.org/x/text@v0.3.8 › golang.org/x/mod@v0.6.0-dev.0.20220419223038-86c51ed26bb4 › golang.org/x/tools@v0.0.0-20191119224855-298f0cb1881e › golang.org/x/net@v0.0.0-20190620200207-3b0461eec859 › golang.org/x/crypto@v0.0.0-20190308221718-c2843e01d9a2

I think it would be solve problems to update testify (main & puddle), golang.org/x/text, golang.org/x/crypto

[sixcolors]

@efectn Synk does not consider which packages are used in build only which packages are listed in the go.mod and the packages go.mod files.

When you look at errors you see that they loop through multiple versions of the same packages to arrive at vulenerable versions; however if you run go list -deps -f '{{define "M"}}{{.Path}}@{{.Version}}{{end}}{{with .Module}}{{if not .Main}}{{if .Replace}}{{template "M" .Replace}}{{else}}{{template "M" .}}{{end}}{{end}}{{end}}' | sort -u on pgx you will see which packages are used in the build.

Frusterating that Snyk go.mod scanning creates so much noise, this came up before v5 #1054 with looping test dependancies.

I don't have time to dig in myself this morning, but from the CVE resursion listed I would guess there are some false positives here.

Hope that helps.

[ARolek]

An alternative would be to add govulncheck to the CI: https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck.

I have used both Synk and govulncheck and (as @sixcolors stated) Synk does throw some false positives as their vuln database scans the go.mod file and looks for deps with vulns. govulncheck checks if a vulnerable code path is actually being invoked.

[efectn]

An alternative would be to add govulncheck to the CI: https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck.

I have used both Synk and govulncheck and (as @sixcolors stated) Synk does throw some false positives as their vuln database scans the go.mod file and looks for deps with vulns. govulncheck checks if a vulnerable code path is actually being invoked.

Agree. Probably we'll use it. Thanks @ARolek & @sixcolors