Upgrade github.com/snowflakedb/gosnowflake to the newer version #569
Comments
Thanks for the report. It looks like this is the vulnerability you were referring to.
Thanks for the commit to fix it.
Just a follow-up on this. I realized that gosnowflake still has a dependency on this vulnerable jwt-go. They removed the direct dependency, but later on they added another dependency which brings it back.
Haha! 🤦 Thanks for re-reporting! I've reopened the issue and will keep it open until the upstream dependencies are fixed.
Just FYI, my team decided to use "replace" to get rid of the vulnerable code in jwt-go. It was too much for us to track the dependencies all the way down through 4 repos. But we can keep the issue open to track this vulnerability.
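The situation described in the comments above, where a direct dependency is removed but comes back through another path, is easiest to confirm from `go mod graph`, whose output lists one `dependant dependency` pair per line. The following Go program is an added example, not code from this thread or from the migrate project: it parses constructed `go mod graph` output (the intermediate module `example.com/bridge`, the root `example.com/app` and all version numbers are made up for the example) and does a breadth-first search for the shortest chain from the main module to any version of a given module path, printing it in the same `-->`/`--->` style as the nancy output quoted in this thread. A nil result means the module is not in the build graph at all.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample of `go mod graph` output (not real data from the thread).
// Each line is "<dependant> <dependency>"; the main module has no version suffix.
const sampleGraph = `example.com/app github.com/golang-migrate/migrate/v4@v4.0.0
example.com/app github.com/spf13/cobra@v1.0.0
github.com/golang-migrate/migrate/v4@v4.0.0 github.com/snowflakedb/gosnowflake@v1.0.0
github.com/snowflakedb/gosnowflake@v1.0.0 example.com/bridge@v0.1.0
example.com/bridge@v0.1.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/spf13/cobra@v1.0.0 github.com/spf13/pflag@v1.0.0
`

// modulePath strips the "@version" suffix so that matching is by module path only.
func modulePath(node string) string {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// parseGraph turns `go mod graph` text into an adjacency list keyed by node
// ("path@version") and returns the root, i.e. the first dependant seen, which
// `go mod graph` prints as the main module without a version.
func parseGraph(text string) (root string, edges map[string][]string) {
	edges = make(map[string][]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // blank or malformed line
		}
		if root == "" {
			root = fields[0]
		}
		edges[fields[0]] = append(edges[fields[0]], fields[1])
	}
	return root, edges
}

// FindChain does a breadth-first search from the main module and returns the
// shortest chain of nodes leading to any version of target, or nil if the
// module does not appear in the graph.
func FindChain(graphText, target string) []string {
	root, edges := parseGraph(graphText)
	if root == "" {
		return nil
	}
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if modulePath(cur) == target {
			// Walk the parent links back to the root to rebuild the chain.
			var chain []string
			for n := cur; n != ""; n = parent[n] {
				chain = append([]string{n}, chain...)
			}
			return chain
		}
		for _, next := range edges[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

func main() {
	chain := FindChain(sampleGraph, "github.com/dgrijalva/jwt-go")
	if chain == nil {
		fmt.Println("module not in dependency graph")
		return
	}
	// Print in the nancy-style "-->" indentation used in the thread.
	fmt.Println(chain[0])
	for i, n := range chain[1:] {
		fmt.Printf("%s> %s\n", strings.Repeat("-", i+2), n)
	}
}
```

With a real project, feed it the output of `go mod graph` instead of the constructed sample; `go mod why -m <module>` gives the toolchain's own answer to the same question and is the quicker check when you only care about one module. The useful property of the graph-based search is that it keeps working after a `replace` directive, since `go mod graph` reflects the replaced module, so it shows whether a replacement has actually removed the vulnerable path rather than just one edge to it.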
The issue still exists:
I know it's only used for testing, but still...
And more issues:
[CVE-2020-8558] The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, ...
-> github.com/golang-migrate/migrate/[email protected]
--> github.com/dhui/[email protected]
---> github.com/containerd/[email protected]
----> github.com/containerd/[email protected]
-----> github.com/containerd/[email protected]
------> github.com/Microsoft/[email protected]
-------> github.com/containerd/[email protected]
--------> github.com/containerd/[email protected]
----------> github.com/Microsoft/[email protected]
-----------> k8s.io/[email protected]
[CVE-2020-15114] In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP prox...
-> github.com/golang-migrate/migrate/[email protected]
--> github.com/dhui/[email protected]
---> github.com/containerd/[email protected]
----> github.com/containerd/[email protected]
-----> github.com/spf13/[email protected]
------> github.com/spf13/[email protected]
-------> github.com/coreos/[email protected]+incompatible
Nancy again found vulnerabilities:
--> github.com/golang-migrate/migrate/[email protected]
sonatype-2021-0853 --> github.com/golang-migrate/migrate/[email protected]
[CVE-2022-29162] CWE-276: Incorrect Default Permissions --> github.com/golang-migrate/migrate/[email protected]
[CVE-2022-21698] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') --> github.com/golang-migrate/migrate/[email protected]
[CVE-2020-8558] CWE-287: Improper Authentication --> github.com/golang-migrate/migrate/[email protected]
sonatype-2019-0702 --> github.com/golang-migrate/migrate/[email protected]
Hello folks, any update about the vulnerabilities?
Describe the Bug
github.com/snowflakedb/[email protected] has a dependency on github.com/dgrijalva/[email protected]+incompatible
This version of jwt-go has a vulnerability of:
And this will cause a security issue; newer versions of gosnowflake remove this dependency.