#30 Update golang and libraries to resolve CVE #29
The following PR will resolve #30
datarhei/restreamer has CVEs because of core
CVEs in core found by doing
govulncheck ./...
=== Symbol Results ===
Vulnerability #1: GO-2025-3595
Incorrect Neutralization of Input During Web Page Generation in x/net in
golang.org/x/net
More info: https://pkg.go.dev/vuln/GO-2025-3595
Module: golang.org/x/net
Found in: golang.org/x/[email protected]
Fixed in: golang.org/x/[email protected]
Vulnerability #2: GO-2025-3553
Excessive memory allocation during header parsing in
github.com/golang-jwt/jwt
More info: https://pkg.go.dev/vuln/GO-2025-3553
Module: github.com/golang-jwt/jwt
Found in: github.com/golang-jwt/[email protected]+incompatible
Fixed in: N/A
Example traces found:
#1: http/middleware/session/HLS.go:20:2: session.init calls middleware.init, which calls jwt.init
Module: github.com/golang-jwt/jwt/v4
Found in: github.com/golang-jwt/jwt/[email protected]
Fixed in: github.com/golang-jwt/jwt/[email protected]
Example traces found:
#1: http/server.go:402:20: http.server.ServeHTTP calls echo.Echo.ServeHTTP, which eventually calls jwt.Parser.ParseUnverified
Module: github.com/golang-jwt/jwt/v5
Found in: github.com/golang-jwt/jwt/[email protected]
Fixed in: github.com/golang-jwt/jwt/[email protected]
Example traces found:
#1: http/jwt/validator.go:114:36: jwt.auth0Validator.Validate calls jwt.Parser.ParseUnverified
Vulnerability #3: GO-2024-3250
Improper error handling in ParseWithClaims and bad documentation may cause
dangerous situations in github.com/golang-jwt/jwt
More info: https://pkg.go.dev/vuln/GO-2024-3250
Module: github.com/golang-jwt/jwt/v4
Found in: github.com/golang-jwt/jwt/[email protected]
Fixed in: github.com/golang-jwt/jwt/[email protected]
Example traces found:
#1: http/server.go:402:20: http.server.ServeHTTP calls echo.Echo.ServeHTTP, which eventually calls jwt.ParseWithClaims
Vulnerability #4: GO-2024-2920
Denial of service vulnerability via the parseDirectives function in
github.com/vektah/gqlparser
More info: https://pkg.go.dev/vuln/GO-2024-2920
Module: github.com/vektah/gqlparser/v2
Found in: github.com/vektah/gqlparser/[email protected]
Fixed in: github.com/vektah/gqlparser/[email protected]
Example traces found:
#1: http/handler/api/graph.go:46:26: api.GraphHandler.Query calls handler.Server.ServeHTTP, which eventually calls parser.ParseQuery
#2: http/graph/graph/graph.go:1832:44: graph.init calls gqlparser.MustLoadSchema, which eventually calls parser.ParseSchemas
Steps to reproduce creating this PR
update to new golang 1.24.3 (if not already there)
go get github.com/golang-jwt/jwt/v4
go get github.com/vektah/gqlparser/v2
go get golang.org/x/net
go get github.com/labstack/echo-jwt
go get github.com/golang-jwt/jwt/v5
go get github.com/labstack/echo/v4
//resolves the github.com/golang-jwt/[email protected] reference
Because of breaking changes in echo/v4, I had to make a fix to http/jwt/jwt.go
go mod tidy
go mod vendor
govulncheck ./...
should now show no CVEs
I also updated the .github files and the Dockerfiles to the newest golang version 1.24.3
Note the addition of @sha256:b4f875e650466fa0fe62c6fd3f02517a392123eea85f1d7e69d85f780e4db1c1 within the image definition.
If Docker Hub ever received a supply chain attack corrupting the base images, the hash would prevent you from releasing images.
Once you build the docker image, you can recheck for CVEs using trivy
trivy image --scanners vuln --ignore-unfixed local:core
trivy will now show 0 CVEs
Thanks for your consideration
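The digest pinning the PR describes for the golang base image is only protective if every FROM line in every Dockerfile actually carries a well-formed digest, and that is easy to lose in a later edit. The script below is an added example, not code from the PR or from datarhei/core: a POSIX sh check that rejects a Dockerfile whose registry images are unpinned or whose digest is malformed. The two sample Dockerfiles it writes are constructed for the demonstration; the golang digest is the one quoted in the PR (the `1.24.3-alpine` tag paired with it is an assumption), and the other digests are synthetic placeholders.

```shell
#!/bin/sh
# Added example (not from the PR or datarhei/core): verify that every FROM line
# in a Dockerfile is pinned to an image digest, as the PR does for golang.

# check_dockerfile_digests FILE
# Returns 0 when every FROM line that refers to a registry image carries a
# well-formed @sha256:<64 hex chars> digest; otherwise prints each offending
# image reference to stderr and returns 1. "FROM scratch" and references to
# an earlier build stage ("FROM builder" after "... AS builder") have nothing
# to pin and are skipped.
check_dockerfile_digests() {
  file=$1
  bad=$(
    grep -i '^[[:space:]]*FROM[[:space:]]' "$file" \
      | sed 's/--platform=[^[:space:]]*//' \
      | while read -r _ image _; do
          case $image in
            scratch) continue ;;
          esac
          # Skip names declared as a build stage elsewhere in the same file.
          if grep -Eiq "[[:space:]]AS[[:space:]]+$image[[:space:]]*$" "$file"; then
            continue
          fi
          case $image in
            *@sha256:*)
              digest=${image##*@sha256:}
              printf '%s' "$digest" | grep -Eq '^[0-9a-f]{64}$' \
                || echo "malformed digest: $image"
              ;;
            *)
              echo "unpinned: $image"
              ;;
          esac
        done
  )
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# Constructed sample Dockerfiles so the check runs offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
SAMPLE_PINNED=$tmp/Dockerfile.pinned
SAMPLE_UNPINNED=$tmp/Dockerfile.unpinned

# Digest on the golang line is the one from the PR; the alpine digest is a
# synthetic placeholder, not a real image.
cat > "$SAMPLE_PINNED" <<'EOF'
FROM --platform=$BUILDPLATFORM golang:1.24.3-alpine@sha256:b4f875e650466fa0fe62c6fd3f02517a392123eea85f1d7e69d85f780e4db1c1 AS builder
FROM alpine:3.21@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
COPY --from=builder /app /app
EOF

# One unpinned image, one build-stage reference (fine), one truncated digest.
cat > "$SAMPLE_UNPINNED" <<'EOF'
FROM golang:1.24.3-alpine AS builder
FROM builder
FROM alpine:3.21@sha256:deadbeef
EOF

check_dockerfile_digests "$SAMPLE_PINNED" && echo "pinned Dockerfile accepted"
check_dockerfile_digests "$SAMPLE_UNPINNED" || echo "unpinned Dockerfile rejected (expected)"
```

Run it against the repository's own Dockerfiles in CI (for example `for f in Dockerfile*; do check_dockerfile_digests "$f"; done`) so a pull request that drops the `@sha256:` suffix fails before it reaches a release; note that the digest still has to be refreshed deliberately whenever the base image tag is bumped, since a stale digest pins you to the old image regardless of the tag.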