Commit
Upgrade to go 1.21 to avoid vulnerabilities in the go standard library.

```
govulncheck ./...
Scanning your code and 359 packages across 56 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2023-2102
    HTTP/2 rapid reset can cause excessive work in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-2102
  Standard library
    Found in: net/http@go1.20.1
    Fixed in: net/http@go1.21.3
    Example traces found:
      #1: internal/objectstorage/filestore/file.go:36:34: filestore.New calls http.ListenAndServe
      #2: cmd/archivista/main.go:144:23: archivista.main calls http.Serve

Vulnerability #2: GO-2023-2043
    Improper handling of special tags within script contexts in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-2043
  Standard library
    Found in: html/template@go1.20.1
    Fixed in: html/template@go1.21.1
    Example traces found:
      #1: cmd/archivista/main.go:144:23: archivista.main calls http.Serve, which eventually calls template.Template.Execute

Vulnerability #3: GO-2023-2041
    Improper handling of HTML-like comments in script contexts in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-2041
  Standard library
    Found in: html/template@go1.20.1
    Fixed in: html/template@go1.21.1
    Example traces found:
      #1: cmd/archivista/main.go:144:23: archivista.main calls http.Serve, which eventually calls template.Template.Execute

Vulnerability #4: GO-2023-1987
    Large RSA keys can cause high CPU usage in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2023-1987
  Standard library
    Found in: crypto/tls@go1.20.1
    Fixed in: crypto/tls@go1.21rc4
    Example traces found:
      #1: ent/tx.go:226:19: ent.txDriver.Exec calls sql.Conn.Exec, which eventually calls tls.Conn.Handshake
      #2: cmd/archivista/main.go:144:23: archivista.main calls http.Serve, which eventually calls tls.Conn.HandshakeContext
      #3: internal/server/server.go:136:22: server.Server.GetHandler calls io.Copy, which eventually calls tls.Conn.Read
      #4: /Users/naveen/go/pkg/mod/entgo.io/contrib@v0.4.5/entgql/pagination.go:66:16: entgql.OrderDirection.MarshalGQL calls io.WriteString, which calls tls.Conn.Write
      #5: internal/objectstorage/blobstore/minio.go:62:31: blobstore.New calls minio.Client.BucketExists, which eventually calls tls.Dialer.DialContext

Vulnerability #5: GO-2023-1878
    Insufficient sanitization of Host header in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-1878
  Standard library
    Found in: net/http@go1.20.1
    Fixed in: net/http@go1.20.6
    Example traces found:
      #1: internal/objectstorage/blobstore/minio.go:62:31: blobstore.New calls minio.Client.BucketExists, which eventually calls http.Client.Do
      #2: internal/objectstorage/blobstore/minio.go:62:31: blobstore.New calls minio.Client.BucketExists, which eventually calls http.Transport.CloseIdleConnections
      #3: internal/objectstorage/blobstore/minio.go:62:31: blobstore.New calls minio.Client.BucketExists, which eventually calls http.Transport.RoundTrip

Vulnerability #6: GO-2023-1840
    Unsafe behavior in setuid/setgid binaries in runtime
  More info: https://pkg.go.dev/vuln/GO-2023-1840
  Standard library
    Found in: runtime@go1.20.1
    Fixed in: runtime@go1.20.5
    Example traces found:
      #1: internal/objectstorage/filestore/file.go:36:14: filestore.New calls log.Fatalln, which eventually calls runtime.Caller
      #2: internal/server/server.go:138:16: server.Server.GetHandler calls http.response.WriteHeader, which eventually calls runtime.Callers
      #3: internal/server/server.go:138:16: server.Server.GetHandler calls http.response.WriteHeader, which eventually calls runtime.CallersFrames
      #4: internal/server/server.go:138:16: server.Server.GetHandler calls http.response.WriteHeader, which eventually calls runtime.Frames.Next
      #5: ent/gql_node.go:472:11: ent.tables.Load calls sync.Once.Do, which eventually calls runtime.Func.Name
      #6: ent/gql_node.go:472:11: ent.tables.Load calls sync.Once.Do, which eventually calls runtime.FuncForPC
      #7: ent/gql_collection.go:941:46: ent.unmarshalArgs calls graphql.UnmarshalInputFromContext, which eventually calls runtime.GC
      #8: internal/server/server.go:96:26: server.Server.StoreHandler calls json.Encoder.Encode, which eventually calls runtime.GOMAXPROCS
      #9: internal/metadatastorage/sqlstore/client.go:76:34: sqlstore.NewEntClient calls mysql.ParseDSN, which eventually calls runtime.GOROOT
      #10: internal/objectstorage/filestore/file.go:51:21: filestore.Store.Store calls os.WriteFile, which eventually calls runtime.KeepAlive
      #11: internal/server/server.go:135:2: server.Server.GetHandler calls os.File.Close, which eventually calls runtime.SetFinalizer
      #12: ent/gql_node.go:472:11: ent.tables.Load calls sync.Once.Do, which eventually calls runtime.Stack
      #13: internal/server/server.go:91:26: server.Server.StoreHandler calls runtime.TypeAssertionError.Error
      #14: ent/gql_node.go:472:11: ent.tables.Load calls sync.Once.Do, which eventually calls runtime.Version
      #15: internal/metadatastorage/sqlstore/client.go:20:2: sqlstore.init calls time.init, which eventually calls runtime.efaceOf
      #16: internal/server/server.go:91:26: server.Server.StoreHandler calls runtime.errorAddressString.Error
      #17: internal/server/server.go:91:26: server.Server.StoreHandler calls runtime.errorString.Error
      #18: internal/metadatastorage/sqlstore/client.go:20:2: sqlstore.init calls time.init, which eventually calls runtime.findfunc
      #19: internal/metadatastorage/sqlstore/client.go:20:2: sqlstore.init calls time.init, which eventually calls runtime.float64frombits
      #20: internal/metadatastorage/sqlstore/client.go:20:2: sqlstore.init calls time.init, which eventually calls runtime.forcegchelper
      #21: internal/metadatastorage/sqlstore/client.go:20:2: sqlstore.init calls time.init, which eventually calls runtime.funcMaxSPDelta
      #22: internal/metadatastorage/sqlstore/client.go:20:2: sqlstore.init calls time.init, which eventually calls runtime.lockInit
      #23: internal/server/server.go:91:26: server.Server.StoreHandler calls runtime.plainError.Error
      #24: internal/metadatastorage/sqlstore/client.go:20:2: sqlstore.init calls time.init, which eventually calls runtime.throw

Vulnerability #7: GO-2023-1753
    Improper handling of empty HTML attributes in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-1753
  Standard library
    Found in: html/template@go1.20.1
    Fixed in: html/template@go1.20.4
    Example traces found:
      #1: cmd/archivista/main.go:144:23: archivista.main calls http.Serve, which eventually calls template.Template.Execute

Vulnerability #8: GO-2023-1752
    Improper handling of JavaScript whitespace in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-1752
  Standard library
    Found in: html/template@go1.20.1
    Fixed in: html/template@go1.20.4
    Example traces found:
      #1: cmd/archivista/main.go:144:23: archivista.main calls http.Serve, which eventually calls template.Template.Execute

Vulnerability #9: GO-2023-1751
    Improper sanitization of CSS values in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-1751
  Standard library
    Found in: html/template@go1.20.1
    Fixed in: html/template@go1.20.4
    Example traces found:
      #1: cmd/archivista/main.go:144:23: archivista.main calls http.Serve, which eventually calls template.Template.Execute

Vulnerability #10: GO-2023-1705
    Excessive resource consumption in net/http, net/textproto and mime/multipart
  More info: https://pkg.go.dev/vuln/GO-2023-1705
  Standard library
    Found in: net/textproto@go1.20.1
    Fixed in: net/textproto@go1.20.3
    Example traces found:
      #1: internal/server/server.go:56:28: server.Server.Store calls io.ReadAll, which eventually calls textproto.Reader.ReadMIMEHeader
      #2: cmd/archivista/main.go:144:23: archivista.main calls http.Serve, which eventually calls multipart.Reader.ReadForm

Vulnerability #11: GO-2023-1704
    Excessive memory allocation in net/http and net/textproto
  More info: https://pkg.go.dev/vuln/GO-2023-1704
  Standard library
    Found in: net/textproto@go1.20.1
    Fixed in: net/textproto@go1.20.3
    Example traces found:
      #1: internal/server/server.go:56:28: server.Server.Store calls io.ReadAll, which eventually calls textproto.Reader.ReadMIMEHeader

Vulnerability #12: GO-2023-1703
    Backticks not treated as string delimiters in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-1703
  Standard library
    Found in: html/template@go1.20.1
    Fixed in: html/template@go1.20.3
    Example traces found:
      #1: cmd/archivista/main.go:144:23: archivista.main calls http.Serve, which eventually calls template.Template.Execute

Vulnerability #13: GO-2023-1702
    Infinite loop in parsing in go/scanner
  More info: https://pkg.go.dev/vuln/GO-2023-1702
  Standard library
    Found in: go/scanner@go1.20.1
    Fixed in: go/scanner@go1.20.3
    Example traces found:
      #1: ent/schema/dsse.go:18:2: schema.init calls entgql.init, which eventually calls scanner.Scanner.Scan

Vulnerability #14: GO-2023-1621
    Incorrect calculation on P256 curves in crypto/internal/nistec
  More info: https://pkg.go.dev/vuln/GO-2023-1621
  Standard library
    Found in: crypto/internal/nistec@go1.20.1
    Fixed in: crypto/internal/nistec@go1.20.2
    Example traces found:
      #1: internal/server/server.go:136:22: server.Server.GetHandler calls io.Copy, which eventually calls nistec.P256OrdInverse
      #2: internal/server/server.go:136:22: server.Server.GetHandler calls io.Copy, which eventually calls nistec.P256Point.ScalarBaseMult
      #3: internal/server/server.go:136:22: server.Server.GetHandler calls io.Copy, which eventually calls nistec.P256Point.ScalarMult

Your code is affected by 14 vulnerabilities from the Go standard library.
```

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
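Added example, not code from the Archivista repository or this commit: a small Go program that reads a govulncheck text report and returns the lowest toolchain version satisfying every "Fixed in:" line, which for the findings quoted above is go1.21.3 rather than a bare go1.21. It assumes versions in the released forms go1.21, go1.21.3, go1.21rc4 and go1.22beta1, orders pre-releases before the release they precede, and uses a constructed excerpt of the report above as sample input.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Matches go1.21.3, go1.20, go1.21rc4 and go1.22beta1 (assumed version forms).
var verRe = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?$`)

// Lines such as "Fixed in: net/http@go1.21.3" in govulncheck's text report.
var fixedRe = regexp.MustCompile(`Fixed in: \S+@(go[0-9a-z.]+)`)

// versionKey encodes a toolchain version as one comparable integer: major, minor,
// patch, then pre-release rank (beta=0, rc=1, release=2) and pre-release number,
// so that go1.21rc4 < go1.21.0 < go1.21.3 < go1.22beta1.
func versionKey(s string) (int, error) {
	m := verRe.FindStringSubmatch(s)
	if m == nil {
		return 0, fmt.Errorf("unrecognised go version %q", s)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3]) // an absent patch ("") parses as 0
	rank := map[string]int{"beta": 0, "rc": 1, "": 2}[m[4]]
	pre, _ := strconv.Atoi(m[5])
	return ((major*1000+minor)*1000+patch)*1000 + rank*100 + pre, nil
}

// minFixedVersion returns the lowest toolchain that satisfies every
// "Fixed in:" line of a govulncheck report, or "" when there are none.
func minFixedVersion(report string) (string, error) {
	best, bestKey := "", 0
	for _, m := range fixedRe.FindAllStringSubmatch(report, -1) {
		k, err := versionKey(m[1])
		if err != nil {
			return "", err
		}
		if k > bestKey {
			best, bestKey = m[1], k
		}
	}
	return best, nil
}

// Constructed excerpt of the report in the commit message; not a live scan.
const sampleReport = `    Fixed in: net/http@go1.21.3
    Fixed in: crypto/tls@go1.21rc4
    Fixed in: net/http@go1.20.6
    Fixed in: html/template@go1.21.1`
```

Running minFixedVersion(sampleReport) yields go1.21.3, the patch level the go.mod or toolchain directive has to pin for all 14 findings to clear.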