Replace github.com/dgrijalva/jwt-go with github.com/golang-jwt/jwt

github.com/dgrijalva/jwt-go has CVE GHSA-w73w-5m7g-f7qc and is already archived. etcd v3.4 should use a community maintained fork github.com/golang-jwt/jwt which provides the fixed version of the CVE. Signed-off-by: Yusuke Suzuki <yusuke-suzuki@cybozu.co.jp>
etcd-io · Oct 1, 2021 · 4e22883 · 4e22883
1 parent 41061e5
commit 4e22883
Show file tree

Hide file tree

Showing 23 changed files with 269 additions and 79 deletions.
diff --git a/auth/jwt.go b/auth/jwt.go
@@ -21,7 +21,7 @@ import (
 	"errors"
 	"time"
 
-	jwt "github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt"
 	"go.uber.org/zap"
 )
 

diff --git a/auth/options.go b/auth/options.go
@@ -21,7 +21,7 @@ import (
 	"io/ioutil"
 	"time"
 
-	jwt "github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt"
 )
 
 const (

diff --git a/bill-of-materials.json b/bill-of-materials.json
@@ -45,29 +45,29 @@
 		]
 	},
 	{
-		"project": "github.com/dgrijalva/jwt-go",
+		"project": "github.com/dustin/go-humanize",
 		"licenses": [
 			{
 				"type": "MIT License",
-				"confidence": 0.9891304347826086
+				"confidence": 0.96875
 			}
 		]
 	},
 	{
-		"project": "github.com/dustin/go-humanize",
+		"project": "github.com/gogo/protobuf",
 		"licenses": [
 			{
-				"type": "MIT License",
-				"confidence": 0.96875
+				"type": "BSD 3-clause \"New\" or \"Revised\" License",
+				"confidence": 0.9163346613545816
 			}
 		]
 	},
 	{
-		"project": "github.com/gogo/protobuf",
+		"project": "github.com/golang-jwt/jwt",
 		"licenses": [
 			{
-				"type": "BSD 3-clause \"New\" or \"Revised\" License",
-				"confidence": 0.9163346613545816
+				"type": "MIT License",
+				"confidence": 0.9891304347826086
 			}
 		]
 	},

diff --git a/go.mod b/go.mod
@@ -9,10 +9,10 @@ require (
 	github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7
 	github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf
 	github.com/creack/pty v1.1.11
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4
 	github.com/fatih/color v1.7.0 // indirect
 	github.com/gogo/protobuf v1.2.1
+	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903
 	github.com/golang/protobuf v1.3.2
 	github.com/google/btree v1.0.0

diff --git a/go.sum b/go.sum
@@ -22,8 +22,6 @@ github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4 h1:qk/FSDDxo05wdJH28W+p5yivv7LuLYLRXPPD8KQCtZs=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -37,6 +35,8 @@ github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/me
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903 h1:LbsanbbD6LieFkXbj9YNNBupiGHJgFeLpO0j0Fza1h8=
@@ -142,7 +142,6 @@ go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/
 go.uber.org/zap v1.10.0 h1:ORx85nbTijNz8ljznvCMR1ZBIPKFn3jQrag10X2AsuM=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -184,7 +183,6 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135 h1:5Beo0mZN8dRzgrMMkDp0jc8YXQKx9DiJ2k1dkvGsn5A=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=

diff --git a/vendor/github.com/dgrijalva/jwt-go/LICENSE → vendor/github.com/golang-jwt/jwt/LICENSE b/vendor/github.com/dgrijalva/jwt-go/LICENSE → vendor/github.com/golang-jwt/jwt/LICENSE
diff --git a/vendor/github.com/dgrijalva/jwt-go/claims.go → vendor/github.com/golang-jwt/jwt/claims.go b/vendor/github.com/dgrijalva/jwt-go/claims.go → vendor/github.com/golang-jwt/jwt/claims.go
diff --git a/vendor/github.com/dgrijalva/jwt-go/doc.go → vendor/github.com/golang-jwt/jwt/doc.go b/vendor/github.com/dgrijalva/jwt-go/doc.go → vendor/github.com/golang-jwt/jwt/doc.go
diff --git a/vendor/github.com/dgrijalva/jwt-go/ecdsa.go → vendor/github.com/golang-jwt/jwt/ecdsa.go b/vendor/github.com/dgrijalva/jwt-go/ecdsa.go → vendor/github.com/golang-jwt/jwt/ecdsa.go
diff --git a/...ithub.com/dgrijalva/jwt-go/ecdsa_utils.go → .../github.com/golang-jwt/jwt/ecdsa_utils.go b/...ithub.com/dgrijalva/jwt-go/ecdsa_utils.go → .../github.com/golang-jwt/jwt/ecdsa_utils.go
diff --git a/vendor/github.com/golang-jwt/jwt/ed25519.go b/vendor/github.com/golang-jwt/jwt/ed25519.go
diff --git a/vendor/github.com/golang-jwt/jwt/ed25519_utils.go b/vendor/github.com/golang-jwt/jwt/ed25519_utils.go
diff --git a/vendor/github.com/dgrijalva/jwt-go/errors.go → vendor/github.com/golang-jwt/jwt/errors.go b/vendor/github.com/dgrijalva/jwt-go/errors.go → vendor/github.com/golang-jwt/jwt/errors.go
diff --git a/vendor/github.com/dgrijalva/jwt-go/hmac.go → vendor/github.com/golang-jwt/jwt/hmac.go b/vendor/github.com/dgrijalva/jwt-go/hmac.go → vendor/github.com/golang-jwt/jwt/hmac.go
-Original file line number
+Diff line change
@@ Expand Up / @@ -21,7 +21,7 @@ import ( @@
     	"io/ioutil"
     	"time"
-    	jwt "github.com/dgrijalva/jwt-go"
+    	"github.com/golang-jwt/jwt"
     )
     const (
@@ Expand Down @@