chore: Update dependencies #480
Conversation
Signed-off-by: jooho <jlee@redhat.com>
oss-prow-bot
bot
requested review from
rafvasq,
ckadner,
tjohnson31415 and
njhill
rafvasq
changed the title
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ckadner, Jooho, spolti The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
1 similar comment
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ckadner, Jooho, spolti The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
New changes are detected. LGTM label has been removed. |
1 similar comment
|
New changes are detected. LGTM label has been removed. |
| @@ -518,12 +547,15 @@ github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtP | |||
| github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= | |||
| github.com/pelletier/go-toml v1.9.4 h1:tjENF6MfZAg8e4ZmZTeWaWiT2vXtsoO6+iuOjFhECwM= | |||
| github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= | |||
| github.com/pelletier/go-toml/v2 v2.0.0-beta.8 h1:dy81yyLYJDwMTifq24Oi/IslOslRrDSb3jwDggjz3Z0= | |||
| github.com/pelletier/go-toml/v2 v2.0.0-beta.8/go.mod h1:r9LEWfGN8R5k0VXJ+0BkIe7MYkRdwZOjgMj2KwnJFUo= | |||
| github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= | |||
| github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= | |||
| github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= | |||
| github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= | |||
| github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= | |||
| github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= | |||
There was a problem hiding this comment.
@Jooho @spolti -- I still see sftp v1.10.1 here. Coming in via github.com/spf13/afero@v1.6.0 from github.com/tommy351/goldga@v0.5.0 which has no more recent version available, but is only used for testing.
go mod graph | grep "sftp"
github.com/spf13/afero@v1.8.2 github.com/pkg/sftp@v1.13.1
github.com/pkg/sftp@v1.13.1 github.com/kr/fs@v0.1.0
github.com/pkg/sftp@v1.13.1 github.com/pkg/errors@v0.9.1
github.com/pkg/sftp@v1.13.1 github.com/stretchr/testify@v1.7.0
github.com/pkg/sftp@v1.13.1 golang.org/x/crypto@v0.0.0-20210421170649-83a5a9bb288b
github.com/pkg/sftp@v1.13.1 golang.org/x/sys@v0.0.0-20210423185535-09eb48e85fd7
github.com/spf13/afero@v1.6.0 github.com/pkg/sftp@v1.10.1
github.com/pkg/sftp@v1.10.1 github.com/kr/fs@v0.1.0
github.com/pkg/sftp@v1.10.1 github.com/pkg/errors@v0.8.1
github.com/pkg/sftp@v1.10.1 github.com/stretchr/testify@v1.4.0
github.com/pkg/sftp@v1.10.1 golang.org/x/crypto@v0.0.0-20190820162420-60c769a6c586go mod graph | grep "spf13/afero@v1.6.0"
github.com/tommy351/goldga@v0.5.0 github.com/spf13/afero@v1.6.0
github.com/spf13/afero@v1.6.0 github.com/pkg/sftp@v1.10.1
github.com/spf13/afero@v1.6.0 golang.org/x/crypto@v0.0.0-20190820162420-60c769a6c586
github.com/spf13/afero@v1.6.0 golang.org/x/text@v0.3.3Does that still get flagged in your Snyk scans?
There was a problem hiding this comment.
I guess, when another dependency uses it, there will be a reference in the go.mod as well, thus multiple versions being showed in there (correct me if I am wrong).
Does that still get flagged in your Snyk scans?
yes.
Motivation
Address github.com/pkg/sftp Denial of Service (DoS)
https://app.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPKGSFTP-569475
Modifications
Result