
Replace vulnerable satori/go.uuid with google/uuid #221

cromulus (Contributor) commented:

It's essentially a drop-in replacement.

With google/uuid, uuid.New() produces a v4 UUID by default, so it produces the same behavior.

This is the relevant CVE: https://pkg.go.dev/vuln/GO-2022-0244

@cromulus cromulus changed the title Replace vulnerable satori/go-uuid with google/uuid Replace vulnerable satori/go.uuid with google/uuid Aug 14, 2024
melekes (Contributor) left a comment:

Thanks @cromulus ❤️

codecov-commenter:

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 61.23%. Comparing base (b435f4d) to head (b3e58bb).
Report is 4 commits behind head on main.

Additional details and impacted files:

```
@@            Coverage Diff             @@
##             main     #221      +/-   ##
==========================================
+ Coverage   61.00%   61.23%   +0.22%
==========================================
  Files          18       20       +2
  Lines        2072     1816     -256
==========================================
- Hits         1264     1112     -152
+ Misses        680      576     -104
  Partials      128      128
```

Files with coverage changes:

```
Files                     Coverage Δ
pkg/loadtest/worker.go    60.96% <100.00%> (+2.13%) ⬆️
```

... and 18 files with indirect coverage changes

@melekes melekes merged commit 0144e0b into informalsystems:main Aug 19, 2024
4 checks passed
melekes added a commit to cometbft/cometbft that referenced this pull request Aug 20, 2024
Author: [AlexsandroRyan](https://github.com/AlexsandroRyan)

This pull request addresses all CVEs reported by the Checkmarx tool
during its execution on this repository.

The previous discussion can be found here:
#3558.

I have updated all necessary dependencies to fix the identified CVEs,
but some vulnerabilities remain unresolved. I would appreciate any
assistance in addressing these remaining issues.

1. CVE-2021-3538: This issue is related to the github.com/satori/go.uuid
package, which is a dependency of
[tm-load-test](https://github.com/informalsystems/tm-load-test). We have
already submitted a PR to address this:
informalsystems/tm-load-test#221.

2. CVE-2024-24786: This vulnerability pertains to the
google.golang.org/protobuf package. Running
`go mod graph | grep google.golang.org/protobuf` reveals that many
packages are using the vulnerable version. It’s unclear if updating them
individually is feasible.

3. CVE-2024-34478: This vulnerability is associated with
github.com/btcsuite/btcd, a dependency of
github.com/btcsuite/btcd/btcutil, which is currently used at a version
lower than 0.24.0. We have also submitted a pull request for this:
btcsuite/btcd#2235.

Please let us know if this approach is sufficient or if there is a more
efficient way to resolve these issues.


---

#### PR checklist

- [ ] ~Tests written/updated~
- [ ] ~Changelog entry added in `.changelog` (we use [unclog](https://github.com/informalsystems/unclog) to manage our changelog)~
- [ ] ~Updated relevant documentation (`docs/` or `spec/`) and code comments~
- [ ] Title follows the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) spec

---------

Co-authored-by: Alexsandro <[email protected]>
Co-authored-by: Alessandro <[email protected]>