Vulnerability in downstream library: gorilla/websocket #1091
Comments
|
Thanks for marking this issue! I've looked into this and it appears that but is not a indirect dependency for cobra itself: and therefore does not appear in our I believe we can close this issue and I'll go ahead and raise the issue with the viper repo! |
|
Perfecto! Thanks a ton @jpmcb . If you or others are into it I can send you a PR with |
|
Now that viper/etc... are updated, do you plan to update to the newest viper? I imagine we can do that on our end, but if cobra by default has it on a newer version, that's nice :) |
|
Sorry for the delay on this! We have been investigating using Dependabot to automatically update these dependencies. So hopefully in the future, we can catch these quickly! But for now, it looks like viper hasn't released the changes I made to the Gorilla dependency. And it appears that it remains an indirect dependency, unused by cobra. So I'm not sure if a In the mean time, a workaround for your upstream project may be to add this to your |
|
It might show I'm a bit green with the As well: https://github.com/sonatype-nexus-community/nancy I work on that project and it can be used in CI/CD to report on vulns in the libraries you are using. Automatically updating dependencies gives me a bit of panic (personally), because you have a pretty high trust level in what you consume, if you wanted to look at an alternative (mostly just to know if you have issues), Nancy might be worth looking at (it's how I found this upstream issue :) ) |
|
At the end of your So, for example, here's a simple test app generated with the cobra cli: package main
import "testing-app/cmd"
func main() {
cmd.Execute()
}here's the go.mod: and here's the resulting go.sum: So you can see that the gorilla package is replaced in the go sum file correctly with version 1.4.2. I would also advise caution doing this since you are effectively bumping a dependency that a downstream package depends on. You may end up with unexpected behavior. |
|
FTR, #1012 is an open PR to update viper, pflag and yaml.
@jpmcb, that'd be really nice! That's how I keep my fork of cobra up to date. |
* github.com/spf13/viper@v1.5.0 -> github.com/spf13/viper@v1.7.0 * replace directive to update the version as spf13/cobra doesn't have a release with the fix yet: spf13/cobra#1091
* github.com/spf13/viper@v1.5.0 -> github.com/spf13/viper@v1.7.0 * replace directive to update the version as spf13/cobra doesn't have a release with the fix yet: spf13/cobra#1091
|
This issue is being marked as stale due to a long period of inactivity |
|
This has been updated in #1012 and the dependency graph now shows: Thanks so much for raising the issue and letting the maintainers know about this security vulnerability! |
|
@jpmcb not a problem, glad to help! |
Hi there!
I work on the team that writes
nancy, and in a scan of a project where I usecobra, I discovered that your downstream dependency ongorilla/websocketis effected by: GHSA-jf24-p9p9-4rjhNot sure if this would make
cobravulnerable, but I figured I'd file an issue, as upgrading to1.4.1seems trivial and gets you out of the line of fire :)Cheers,
Jeffry
The text was updated successfully, but these errors were encountered: