Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

resolve govulncheck CVE with golang update #2383

Merged
merged 1 commit into from
Feb 26, 2025
Merged

resolve govulncheck CVE with golang update #2383

merged 1 commit into from
Feb 26, 2025

Conversation

nathanlaceyraft
Copy link
Contributor

Install same version of go that is used by dockerfile. (1.22.2)

within d2 top folder run
govulncheck ./...

You'll see vulnerabilities like

Vulnerability #2: GO-2025-3420
Sensitive headers incorrectly sent after cross-domain redirect in net/http
More info: https://pkg.go.dev/vuln/GO-2025-3420
Standard library
Found in: net/http@go1.23.4
Fixed in: net/http@go1.23.5
Example traces found:
#1: lib/imgbundler/imgbundler.go:213:28: imgbundler.httpGet calls http.Client.Do
#2: lib/png/png.go:66:27: png.InitPlaywright calls playwright.Install, which eventually calls http.Get

Vulnerability #3: GO-2025-3373
Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2025-3373
Standard library
Found in: crypto/x509@go1.23.4
Fixed in: crypto/x509@go1.23.5
Example traces found:
#1: lib/urlenc/urlenc.go:45:22: urlenc.Decode calls io.Copy, which eventually calls x509.Certificate.Verify
#2: lib/urlenc/urlenc.go:45:22: urlenc.Decode calls io.Copy, which eventually calls x509.Certificate.VerifyHostname
#3: cmd/d2plugin-dagre/main.go:12:12: d2plugin.main calls xmain.Main, which eventually calls x509.HostnameError.Error
#4: lib/urlenc/urlenc.go:45:22: urlenc.Decode calls io.Copy, which eventually calls x509.ParseCertificate

alixander
alixander approved these changes Feb 26, 2025
View reviewed changes
Copy link
Collaborator

@alixander alixander left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you

@alixander
Copy link
Collaborator

@nathanlaceyraft Could you sign your commit please? We have it as an org-wide setting.

@nathanlaceyraft nathanlaceyraft force-pushed the update-go-to-resolve-cve branch from bf6408b to 1c65742 Compare February 26, 2025 12:22
@nathanlaceyraft
Copy link
Contributor Author

Thanks for reminding me to set that up!

@alixander alixander merged commit 891e4bd into terrastruct:master Feb 26, 2025
3 checks passed
@nathanlaceyraft nathanlaceyraft deleted the update-go-to-resolve-cve branch February 26, 2025 16:00
@nathanlaceyraft nathanlaceyraft mentioned this pull request Feb 26, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alixander alixander alixander approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nathanlaceyraft @alixander