
chore: Fix govulncheck vulnerabilities #56

Merged
merged 2 commits into from
Apr 4, 2024

Conversation

ingve (Contributor)

@ingve ingve commented Apr 4, 2024

Fixes

Scanning your code and 318 packages across 56 dependent modules for known vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.18.0
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
      #1: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls http2.ConnectionError.Error
      #2: internal/encoder/parquet.go:344:26: encoder.ParquetDecoder.ParseLine calls fmt.Sprintf, which eventually calls http2.ErrCode.String
      #3: internal/encoder/parquet.go:344:26: encoder.ParquetDecoder.ParseLine calls fmt.Sprintf, which eventually calls http2.FrameHeader.String
      #4: internal/encoder/parquet.go:344:26: encoder.ParquetDecoder.ParseLine calls fmt.Sprintf, which eventually calls http2.FrameType.String
      #5: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls http2.GoAwayError.Error
      #6: internal/encoder/parquet.go:344:26: encoder.ParquetDecoder.ParseLine calls fmt.Sprintf, which eventually calls http2.Setting.String
      #7: internal/encoder/parquet.go:344:26: encoder.ParquetDecoder.ParseLine calls fmt.Sprintf, which eventually calls http2.SettingID.String
      #8: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls http2.StreamError.Error
      #9: internal/encoder/csv.go:63:15: encoder.CsvEncoder.Open calls csv.Writer.Flush, which eventually calls http2.chunkWriter.Write
      #10: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls http2.connError.Error
      #11: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls http2.duplicatePseudoHeaderError.Error
      #12: internal/conf/manager.go:153:24: conf.ConfigurationManager.loadUrl calls httpclient.Client.Do, which calls http2.gzipReader.Close
      #13: internal/encoder/parquet.go:251:30: encoder.ParquetDecoder.Read calls io.ReadAll, which calls http2.gzipReader.Read
      #14: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls http2.headerFieldNameError.Error
      #15: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls http2.headerFieldValueError.Error
      #16: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls http2.pseudoHeaderError.Error
      #17: internal/encoder/csv.go:63:15: encoder.CsvEncoder.Open calls csv.Writer.Flush, which eventually calls http2.stickyErrWriter.Write
      #18: internal/conf/manager.go:153:24: conf.ConfigurationManager.loadUrl calls httpclient.Client.Do, which calls http2.transportResponseBody.Close
      #19: internal/encoder/parquet.go:251:30: encoder.ParquetDecoder.Read calls io.ReadAll, which calls http2.transportResponseBody.Read
      #20: internal/encoder/parquet.go:344:26: encoder.ParquetDecoder.ParseLine calls fmt.Sprintf, which eventually calls http2.writeData.String

  Standard library
    Found in: net/http@go1.22.1
    Fixed in: net/http@go1.22.2
    Example traces found:
      #1: internal/encoder/csv.go:63:15: encoder.CsvEncoder.Open calls csv.Writer.Flush, which eventually calls http.CanonicalHeaderKey
      #2: internal/conf/manager.go:153:24: conf.ConfigurationManager.loadUrl calls httpclient.Client.Do, which calls http.Client.Do
      #3: internal/web/middlewares/auth0.go:71:24: middlewares.newCache calls http.Get
      #4: internal/conf/manager.go:150:17: conf.ConfigurationManager.loadUrl calls http.Header.Add
      #5: internal/encoder/csv.go:63:15: encoder.CsvEncoder.Open calls csv.Writer.Flush, which eventually calls http.Header.Del
      #6: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls azblob.storageError.Error, which eventually calls http.Header.Get
      #7: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls azblob.storageError.Error, which eventually calls http.Header.Set
      #8: internal/conf/manager.go:138:29: conf.ConfigurationManager.loadUrl calls http.NewRequest
      #9: internal/store/s3.go:436:45: store.S3Storage.CreateBucketIfNotExist calls s3.S3.ListBuckets, which eventually calls http.ReadRequest
      #10: internal/web/web.go:55:7: web.Register calls echo.Echo.GET, which eventually calls http.Request.FormValue
      #11: internal/web/web.go:55:7: web.Register calls echo.Echo.GET, which eventually calls http.Request.Referer
      #12: internal/web/web.go:55:7: web.Register calls echo.Echo.GET, which eventually calls http.Request.UserAgent
      #13: internal/store/s3.go:436:45: store.S3Storage.CreateBucketIfNotExist calls s3.S3.ListBuckets, which eventually calls http.Response.Write
      #14: internal/store/s3.go:436:45: store.S3Storage.CreateBucketIfNotExist calls s3.S3.ListBuckets, which eventually calls http.Transport.CloseIdleConnections
      #15: internal/store/s3.go:436:45: store.S3Storage.CreateBucketIfNotExist calls s3.S3.ListBuckets, which eventually calls http.Transport.RoundTrip
      #16: internal/conf/manager.go:153:24: conf.ConfigurationManager.loadUrl calls httpclient.Client.Do, which calls http.body.Close
      #17: internal/encoder/parquet.go:251:30: encoder.ParquetDecoder.Read calls io.ReadAll, which calls http.body.Read
      #18: internal/conf/manager.go:153:24: conf.ConfigurationManager.loadUrl calls httpclient.Client.Do, which calls http.bodyEOFSignal.Close
      #19: internal/encoder/parquet.go:251:30: encoder.ParquetDecoder.Read calls io.ReadAll, which calls http.bodyEOFSignal.Read
      #20: internal/encoder/parquet.go:251:30: encoder.ParquetDecoder.Read calls io.ReadAll, which eventually calls http.bodyLocked.Read
      #21: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls multierr.multiError.Error, which eventually calls http.bufioFlushWriter.Write
      #22: internal/conf/manager.go:153:24: conf.ConfigurationManager.loadUrl calls httpclient.Client.Do, which calls http.cancelTimerBody.Close
      #23: internal/encoder/parquet.go:251:30: encoder.ParquetDecoder.Read calls io.ReadAll, which calls http.cancelTimerBody.Read
      #24: internal/encoder/csv.go:63:15: encoder.CsvEncoder.Open calls csv.Writer.Flush, which eventually calls http.checkConnErrorWriter.Write
      #25: internal/encoder/csv.go:63:15: encoder.CsvEncoder.Open calls csv.Writer.Flush, which eventually calls http.chunkWriter.Write
      #26: internal/encoder/parquet.go:251:30: encoder.ParquetDecoder.Read calls io.ReadAll, which eventually calls http.connReader.Read
      #27: internal/conf/manager.go:153:24: conf.ConfigurationManager.loadUrl calls httpclient.Client.Do, which calls http.expectContinueReader.Close
      #28: internal/encoder/parquet.go:251:30: encoder.ParquetDecoder.Read calls io.ReadAll, which calls http.expectContinueReader.Read
      #29: internal/conf/manager.go:153:24: conf.ConfigurationManager.loadUrl calls httpclient.Client.Do, which calls http.gzipReader.Close
      #30: internal/encoder/parquet.go:251:30: encoder.ParquetDecoder.Read calls io.ReadAll, which calls http.gzipReader.Read
      #31: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls http.http2ConnectionError.Error
      #32: internal/encoder/parquet.go:344:26: encoder.ParquetDecoder.ParseLine calls fmt.Sprintf, which eventually calls http.http2ErrCode.String
      #33: internal/encoder/parquet.go:344:26: encoder.ParquetDecoder.ParseLine calls fmt.Sprintf, which eventually calls http.http2FrameHeader.String
      #34: internal/encoder/parquet.go:344:26: encoder.ParquetDecoder.ParseLine calls fmt.Sprintf, which eventually calls http.http2FrameType.String
      #35: internal/encoder/parquet.go:344:26: encoder.ParquetDecoder.ParseLine calls fmt.Sprintf, which eventually calls http.http2FrameWriteRequest.String
      #36: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls http.http2GoAwayError.Error
      #37: internal/encoder/parquet.go:344:26: encoder.ParquetDecoder.ParseLine calls fmt.Sprintf, which eventually calls http.http2Setting.String
      #38: internal/encoder/parquet.go:344:26: encoder.ParquetDecoder.ParseLine calls fmt.Sprintf, which eventually calls http.http2SettingID.String
      #39: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls http.http2StreamError.Error
      #40: internal/encoder/csv.go:63:15: encoder.CsvEncoder.Open calls csv.Writer.Flush, which eventually calls http.http2chunkWriter.Write
      #41: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls http.http2connError.Error
      #42: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls http.http2duplicatePseudoHeaderError.Error
      #43: internal/conf/manager.go:153:24: conf.ConfigurationManager.loadUrl calls httpclient.Client.Do, which calls http.http2gzipReader.Close
      #44: internal/encoder/parquet.go:251:30: encoder.ParquetDecoder.Read calls io.ReadAll, which calls http.http2gzipReader.Read
      #45: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls http.http2headerFieldNameError.Error
      #46: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls http.http2headerFieldValueError.Error
      #47: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls http.http2pseudoHeaderError.Error
      #48: internal/conf/manager.go:153:24: conf.ConfigurationManager.loadUrl calls httpclient.Client.Do, which calls http.http2requestBody.Close
      #49: internal/encoder/parquet.go:251:30: encoder.ParquetDecoder.Read calls io.ReadAll, which calls http.http2requestBody.Read
      #50: internal/store/localstorage.go:60:14: store.GetAllFiles calls fmt.Println, which eventually calls http.http2responseWriter.Write
      #51: internal/store/localstorage.go:60:14: store.GetAllFiles calls fmt.Println, which eventually calls http.http2responseWriter.WriteHeader
      #52: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls multierr.multiError.Error, which eventually calls http.http2responseWriter.WriteString
      #53: internal/encoder/csv.go:63:15: encoder.CsvEncoder.Open calls csv.Writer.Flush, which eventually calls http.http2stickyErrWriter.Write
      #54: internal/conf/manager.go:153:24: conf.ConfigurationManager.loadUrl calls httpclient.Client.Do, which calls http.http2transportResponseBody.Close
      #55: internal/encoder/parquet.go:251:30: encoder.ParquetDecoder.Read calls io.ReadAll, which calls http.http2transportResponseBody.Read
      #56: internal/encoder/parquet.go:344:26: encoder.ParquetDecoder.ParseLine calls fmt.Sprintf, which eventually calls http.http2writeData.String
      #57: internal/encoder/parquet.go:251:30: encoder.ParquetDecoder.Read calls io.ReadAll, which eventually calls http.loggingConn.Read
      #58: internal/schema/parquet_to_athena.go:46:22: schema.parquetToAthenaBuilder.Build calls fmt.Fprintf, which calls http.loggingConn.Write
      #59: internal/encoder/parquet.go:251:30: encoder.ParquetDecoder.Read calls io.ReadAll, which eventually calls http.maxBytesReader.Read
      #60: internal/encoder/flatFile.go:278:37: encoder.FlatFileDecoder.convertType calls time.LoadLocation, which eventually calls http.onceCloseListener.Close
      #61: internal/encoder/parquet.go:251:30: encoder.ParquetDecoder.Read calls io.ReadAll, which calls http.persistConn.Read
      #62: internal/store/s3.go:436:45: store.S3Storage.CreateBucketIfNotExist calls s3.S3.ListBuckets, which eventually calls http.persistConnWriter.ReadFrom
      #63: internal/encoder/csv.go:63:15: encoder.CsvEncoder.Open calls csv.Writer.Flush, which eventually calls http.persistConnWriter.Write
      #64: internal/conf/manager.go:153:24: conf.ConfigurationManager.loadUrl calls httpclient.Client.Do, which calls http.readTrackingBody.Close
      #65: internal/encoder/parquet.go:251:30: encoder.ParquetDecoder.Read calls io.ReadAll, which calls http.readTrackingBody.Read
      #66: internal/encoder/parquet.go:251:30: encoder.ParquetDecoder.Read calls io.ReadAll, which calls http.readWriteCloserBody.Read
      #67: internal/store/s3.go:436:45: store.S3Storage.CreateBucketIfNotExist calls s3.S3.ListBuckets, which eventually calls http.response.ReadFrom
      #68: internal/store/localstorage.go:60:14: store.GetAllFiles calls fmt.Println, which eventually calls http.response.Write
      #69: internal/store/localstorage.go:60:14: store.GetAllFiles calls fmt.Println, which eventually calls http.response.WriteHeader
      #70: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls multierr.multiError.Error, which eventually calls http.response.WriteString
      #71: internal/schema/parquet_to_athena.go:46:22: schema.parquetToAthenaBuilder.Build calls fmt.Fprintf, which eventually calls http.timeoutWriter.Write
      #72: internal/store/localstorage.go:60:14: store.GetAllFiles calls fmt.Println, which eventually calls http.timeoutWriter.WriteHeader
      #73: internal/encoder/parquet.go:278:16: encoder.ParquetDecoder.Read calls http.transportReadFromServerError.Error

Your code is affected by 1 vulnerability from the Go standard library.

@ingve ingve requested a review from rompetroll April 4, 2024 08:19
@rompetroll rompetroll merged commit c8a5b77 into master Apr 4, 2024
2 checks passed
@rompetroll rompetroll deleted the chore/fix-govulncheck-vulns branch April 4, 2024 08:23