Security scan shows vulnerabilities in dependencies #885

Closed
Polber opened this issue Oct 27, 2021 · 9 comments
Labels: dependencies, stale

Comments


Polber commented Oct 27, 2021

The following dependencies show 1 or more severe security vulnerabilities:

  • github.com/gorilla/websocket:1.4.0
  • github.com/coreos/etcd:3.3.10+incompatible

These package versions should be removed or updated to the latest safe versions.

fsouza added the dependencies label Oct 28, 2021

stale bot commented Jan 7, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the stale label Jan 7, 2022
fsouza (Owner) commented Jan 7, 2022

This has been fixed.

@fsouza fsouza closed this as completed Jan 7, 2022

linggao commented Feb 25, 2022

@fsouza This issue has not been fixed yet. The go.sum file still shows that these 2 versions are referenced.

github.com/gorilla/websocket:1.4.0
github.com/coreos/etcd:3.3.10+incompatible

https://github.com/fsouza/go-dockerclient/blob/main/go.sum#L353
https://github.com/fsouza/go-dockerclient/blob/main/go.sum#L193

Could you please re-open this issue?

fsouza (Owner) commented Feb 25, 2022

@linggao can you check the output of your go mod graph to confirm that you're getting those modules in your binary?

@fsouza fsouza reopened this Feb 25, 2022
@stale stale bot removed the stale label Feb 25, 2022

linggao commented Feb 25, 2022

@fsouza Here is the list of dependencies from go mod graph. I think the problem is from the version of containerd that go-dockerclient depends on.

github.com/open-horizon/anax github.com/fsouza/go-dockerclient@v1.7.9
github.com/fsouza/go-dockerclient@v1.7.9 github.com/containerd/containerd@v1.5.9
github.com/containerd/containerd@v1.5.9 github.com/containerd/continuity@v0.1.0
github.com/containerd/continuity@v0.1.0 github.com/spf13/cobra@v1.0.0
github.com/spf13/cobra@v1.0.0 github.com/spf13/viper@v1.4.0
github.com/spf13/viper@v1.4.0 github.com/coreos/etcd@v3.3.10+incompatible
github.com/open-horizon/anax github.com/fsouza/go-dockerclient@v1.7.9
github.com/fsouza/go-dockerclient@v1.7.9 github.com/containerd/containerd@v1.5.9
github.com/containerd/containerd@v1.5.9 github.com/containerd/continuity@v0.1.0
github.com/containerd/continuity@v0.1.0 github.com/spf13/cobra@v1.0.0
github.com/spf13/cobra@v1.0.0 github.com/spf13/viper@v1.4.0
github.com/spf13/viper@v1.4.0 github.com/gorilla/websocket@v1.4.0

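The exchange above turns on a distinction worth making explicit: a go.sum entry only records the hash of a module version that the go command consulted at some point during resolution, so a line in go.sum is not evidence that the module is in the build list, let alone linked into a binary. The checks that actually answer fsouza's question are `go mod why -m <module>` (is it required, and by what chain), `go list -m all` (the selected build list) and `go version -m <binary>` (the modules recorded in a built artifact); `govulncheck` goes one step further and reports only vulnerable functions that are reachable. What linggao did by hand, reading the requirement chain out of `go mod graph` output, can be automated. The program below is an added example and is not code from the go-dockerclient project: it parses `go mod graph` text, de-duplicates the repeated edges (the posted output repeats its first six lines), and does a breadth-first search from the main module to each flagged module, reporting the chain or stating that the module is absent from the graph. The embedded graph is a constructed sample copied from linggao's comment, and the third flagged module name is an assumption chosen only to show the "not in graph" path.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleGraph is a constructed sample: the `go mod graph` lines posted in the
// thread, repeated prefix lines included. Nothing is fetched; no toolchain needed.
const sampleGraph = `github.com/open-horizon/anax github.com/fsouza/go-dockerclient@v1.7.9
github.com/fsouza/go-dockerclient@v1.7.9 github.com/containerd/containerd@v1.5.9
github.com/containerd/containerd@v1.5.9 github.com/containerd/continuity@v0.1.0
github.com/containerd/continuity@v0.1.0 github.com/spf13/cobra@v1.0.0
github.com/spf13/cobra@v1.0.0 github.com/spf13/viper@v1.4.0
github.com/spf13/viper@v1.4.0 github.com/coreos/etcd@v3.3.10+incompatible
github.com/open-horizon/anax github.com/fsouza/go-dockerclient@v1.7.9
github.com/fsouza/go-dockerclient@v1.7.9 github.com/containerd/containerd@v1.5.9
github.com/containerd/containerd@v1.5.9 github.com/containerd/continuity@v0.1.0
github.com/containerd/continuity@v0.1.0 github.com/spf13/cobra@v1.0.0
github.com/spf13/cobra@v1.0.0 github.com/spf13/viper@v1.4.0
github.com/spf13/viper@v1.4.0 github.com/gorilla/websocket@v1.4.0
`

// ModGraph holds the requirement edges of a `go mod graph` listing. Nodes are
// "path@version" strings; the main module appears without a version suffix.
type ModGraph struct {
	Root  string
	Edges map[string][]string
}

// ParseModGraph parses `go mod graph` output: one "<requirer> <requirement>"
// pair per line, the first line's requirer being the main module. Duplicate
// edges are dropped so the BFS below does not revisit them.
func ParseModGraph(text string) (*ModGraph, error) {
	g := &ModGraph{Edges: map[string][]string{}}
	seen := map[[2]string]bool{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed go mod graph line: %q", sc.Text())
		}
		from, to := fields[0], fields[1]
		if g.Root == "" {
			g.Root = from
		}
		if seen[[2]string{from, to}] {
			continue
		}
		seen[[2]string{from, to}] = true
		g.Edges[from] = append(g.Edges[from], to)
	}
	return g, sc.Err()
}

// modulePath strips the "@version" suffix so a target given without a version
// matches whichever version of that path is selected in the graph.
func modulePath(node string) string {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// FindChain returns the shortest requirement chain from the main module to
// target ("path" or "path@version"), or nil when target is not in the graph.
func (g *ModGraph) FindChain(target string) []string {
	wantPath := modulePath(target)
	exactVersion := strings.Contains(target, "@")
	parent := map[string]string{g.Root: ""}
	queue := []string{g.Root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		matched := cur == target || (!exactVersion && modulePath(cur) == wantPath)
		if matched && cur != g.Root {
			var chain []string
			for n := cur; n != ""; n = parent[n] {
				chain = append([]string{n}, chain...)
			}
			return chain
		}
		for _, next := range g.Edges[cur] {
			if _, visited := parent[next]; visited {
				continue
			}
			parent[next] = cur
			queue = append(queue, next)
		}
	}
	return nil
}

func main() {
	g, err := ParseModGraph(sampleGraph)
	if err != nil {
		panic(err)
	}
	flagged := []string{
		"github.com/coreos/etcd@v3.3.10+incompatible",
		"github.com/gorilla/websocket@v1.4.0",
		"github.com/example/not-required@v0.0.1", // assumed name, deliberately absent from the graph
	}
	for _, m := range flagged {
		chain := g.FindChain(m)
		if chain == nil {
			fmt.Printf("%s: not in the module graph (a go.sum entry alone is not evidence)\n", m)
			continue
		}
		fmt.Printf("%s is required via:\n  %s\n", m, strings.Join(chain, "\n  -> "))
	}
}
```

Pipe real output in with `go mod graph | ...` once the constant is swapped for stdin. Keep the remaining caveat in mind: presence in the module graph still only says the module is required, not that any of its packages are imported and compiled; `go list -deps ./...` answers the package-level question, and `go version -m` on the shipped binary is the final word for what actually got linked.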

stale bot commented Apr 16, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the stale label Apr 16, 2022
fsouza (Owner) commented Apr 16, 2022

Keep it

@stale stale bot removed the stale label Apr 16, 2022

stale bot commented Jun 12, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the stale label Jun 12, 2022
@fsouza fsouza removed the stale label Jun 15, 2022

stale bot commented Jul 31, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the stale label Jul 31, 2022
@stale stale bot closed this as completed May 29, 2023