sig-storage-local-static-provisioner
fix CVE-2022-1996
What happened:
Need to fix CVE-2022-1996, which requires github.com/emicklei/go-restful v3.8.0. After changing it to v3.8.0, there is a go mod tidy error:
┌────────────────────────────────┬───────────────┬──────────┬──────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library                        │ Vulnerability │ Severity │ Installed Version    │ Fixed Version │ Title                                                        │
├────────────────────────────────┼───────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/emicklei/go-restful │ CVE-2022-1996 │ CRITICAL │ v2.16.0+incompatible │ v3.8.0        │ go-restful: Authorization Bypass Through User-Controlled Key │
│                                │               │          │                      │               │ https://avd.aquasec.com/nvd/cve-2022-1996                    │
└────────────────────────────────┴───────────────┴──────────┴──────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
# go get -u github.com/emicklei/go-restful/v3
# git diff
diff --git a/go.mod b/go.mod
index ee927bb7..faaf6723 100644
--- a/go.mod
+++ b/go.mod
@@ -32,7 +32,7 @@ require (
github.com/cespare/xxhash/v2 v2.1.2 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/docker/distribution v2.7.1+incompatible // indirect
- github.com/emicklei/go-restful v2.16.0+incompatible // indirect
+ github.com/emicklei/go-restful v3.8.0+incompatible // indirect
github.com/evanphx/json-patch v4.12.0+incompatible // indirect
github.com/felixge/httpsnoop v1.0.1 // indirect
github.com/fsnotify/fsnotify v1.4.9 // indirect
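Review bot: the `+` line keeps the unversioned module path with a v3 version, `github.com/emicklei/go-restful v3.8.0+incompatible`, and that is exactly what `go mod tidy` rejects below: a `+incompatible` version is only valid for a revision that has no go.mod of its own, and the error text states that go-restful at revision v3.8.0 declares the module path `github.com/emicklei/go-restful/v3`, so a consumer has to require it under that path as `github.com/emicklei/go-restful/v3 v3.8.0` rather than editing the existing v2 line. Note also that this entry is `// indirect`: the import chains listed in the tidy output (for example `k8s.io/apiserver/pkg/endpoints/metrics imports github.com/emicklei/go-restful`) still import the v2 path, so a correct `/v3` require line alone will not make the v2 requirement disappear; that only happens once the k8s.io dependencies are bumped to versions that import `github.com/emicklei/go-restful/v3`.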
~/go/src/github.com/kubernetes-sigs/sig-storage-local-static-provisioner# go mod tidy
go: downloading github.com/emicklei/go-restful v3.8.0+incompatible
sigs.k8s.io/sig-storage-local-static-provisioner/pkg/common imports
k8s.io/client-go/rest tested by
k8s.io/client-go/rest.test imports
github.com/stretchr/testify/assert: github.com/emicklei/go-restful@v3.8.0+incompatible: go.mod has post-v3 module path "github.com/emicklei/go-restful/v3" at revision v3.8.0
sigs.k8s.io/sig-storage-local-static-provisioner/pkg/controller imports
k8s.io/apiserver/pkg/server/healthz imports
k8s.io/apiserver/pkg/endpoints/metrics imports
github.com/emicklei/go-restful: go.mod has post-v3 module path "github.com/emicklei/go-restful/v3" at revision v3.8.0
sigs.k8s.io/sig-storage-local-static-provisioner/cmd/local-volume-provisioner imports
k8s.io/api/core/v1 imports
k8s.io/apimachinery/pkg/runtime tested by
k8s.io/apimachinery/pkg/runtime.test imports
github.com/stretchr/testify/require: github.com/emicklei/go-restful@v3.8.0+incompatible: go.mod has post-v3 module path "github.com/emicklei/go-restful/v3" at revision v3.8.0
sigs.k8s.io/sig-storage-local-static-provisioner/cmd/utils/update-helm-values-pre-v2.2.0/pkg/chartutil imports
github.com/ghodss/yaml imports
gopkg.in/yaml.v2 tested by
gopkg.in/yaml.v2.test imports
gopkg.in/check.v1: github.com/emicklei/go-restful@v3.8.0+incompatible: go.mod has post-v3 module path "github.com/emicklei/go-restful/v3" at revision v3.8.0
sigs.k8s.io/sig-storage-local-static-provisioner/pkg/discovery imports
sigs.k8s.io/sig-storage-lib-external-provisioner/v6/util imports
github.com/miekg/dns tested by
github.com/miekg/dns.test imports
golang.org/x/sync/errgroup: github.com/emicklei/go-restful@v3.8.0+incompatible: go.mod has post-v3 module path "github.com/emicklei/go-restful/v3" at revision v3.8.0
sigs.k8s.io/sig-storage-local-static-provisioner/test/e2e imports
k8s.io/kubernetes/test/e2e/framework/pod imports
k8s.io/client-go/transport/spdy imports
k8s.io/apimachinery/pkg/util/httpstream/spdy tested by
k8s.io/apimachinery/pkg/util/httpstream/spdy.test imports
github.com/armon/go-socks5: github.com/emicklei/go-restful@v3.8.0+incompatible: go.mod has post-v3 module path "github.com/emicklei/go-restful/v3" at revision v3.8.0
sigs.k8s.io/sig-storage-local-static-provisioner/test/e2e imports
k8s.io/kubernetes/test/e2e/framework/pod imports
k8s.io/client-go/transport/spdy imports
k8s.io/apimachinery/pkg/util/httpstream/spdy tested by
k8s.io/apimachinery/pkg/util/httpstream/spdy.test imports
github.com/elazarl/goproxy: github.com/emicklei/go-restful@v3.8.0+incompatible: go.mod has post-v3 module path "github.com/emicklei/go-restful/v3" at revision v3.8.0
sigs.k8s.io/sig-storage-local-static-provisioner/test/e2e tested by
sigs.k8s.io/sig-storage-local-static-provisioner/test/e2e.test imports
k8s.io/kubernetes/test/e2e/storage/utils imports
github.com/aws/aws-sdk-go/service/ec2 imports
github.com/aws/aws-sdk-go/aws/awsutil imports
github.com/jmespath/go-jmespath tested by
github.com/jmespath/go-jmespath.test imports
github.com/jmespath/go-jmespath/internal/testify/assert: github.com/emicklei/go-restful@v3.8.0+incompatible: go.mod has post-v3 module path "github.com/emicklei/go-restful/v3" at revision v3.8.0
sigs.k8s.io/sig-storage-local-static-provisioner/test/e2e imports
k8s.io/kubernetes/test/e2e/framework imports
k8s.io/kubernetes/test/utils imports
k8s.io/apiserver/pkg/admission/plugin/webhook/mutating imports
k8s.io/apiserver/pkg/util/webhook imports
k8s.io/apiserver/pkg/server/egressselector imports
k8s.io/utils/path tested by
k8s.io/utils/path.test imports
github.com/spf13/afero: github.com/emicklei/go-restful@v3.8.0+incompatible: go.mod has post-v3 module path "github.com/emicklei/go-restful/v3" at revision v3.8.0
sigs.k8s.io/sig-storage-local-static-provisioner/test/e2e imports
k8s.io/kubernetes/test/e2e/framework imports
k8s.io/kubernetes/test/utils imports
k8s.io/apiserver/pkg/admission/plugin/webhook/mutating imports
k8s.io/apiserver/pkg/util/webhook imports
k8s.io/apiserver/pkg/server/egressselector imports
sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client tested by
sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client.test imports
go.uber.org/goleak: github.com/emicklei/go-restful@v3.8.0+incompatible: go.mod has post-v3 module path "github.com/emicklei/go-restful/v3" at revision v3.8.0
sigs.k8s.io/sig-storage-local-static-provisioner/test/e2e imports
k8s.io/kubernetes/test/e2e/framework imports
k8s.io/kubernetes/test/utils imports
k8s.io/apiserver/pkg/admission/plugin/webhook/mutating imports
k8s.io/apiserver/pkg/util/webhook imports
k8s.io/component-base/traces imports
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp tested by
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.test imports
go.opentelemetry.io/otel/oteltest: github.com/emicklei/go-restful@v3.8.0+incompatible: go.mod has post-v3 module path "github.com/emicklei/go-restful/v3" at revision v3.8.0
sigs.k8s.io/sig-storage-local-static-provisioner/test/e2e imports
k8s.io/kubernetes/test/e2e/framework imports
k8s.io/kubernetes/test/utils imports
k8s.io/apiserver/pkg/admission/plugin/webhook/mutating imports
k8s.io/apiserver/pkg/util/webhook imports
k8s.io/component-base/traces imports
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp imports
go.opentelemetry.io/otel tested by
go.opentelemetry.io/otel.test imports
github.com/stretchr/testify/suite: github.com/emicklei/go-restful@v3.8.0+incompatible: go.mod has post-v3 module path "github.com/emicklei/go-restful/v3" at revision v3.8.0
sigs.k8s.io/sig-storage-local-static-provisioner/test/e2e imports
k8s.io/kubernetes/test/e2e/framework imports
k8s.io/kubernetes/test/utils imports
k8s.io/apiserver/pkg/admission/plugin/webhook/mutating imports
k8s.io/apiserver/pkg/util/webhook imports
k8s.io/component-base/traces imports
go.opentelemetry.io/otel/exporters/otlp imports
go.opentelemetry.io/otel/sdk/metric/controller/basic tested by
go.opentelemetry.io/otel/sdk/metric/controller/basic.test imports
go.opentelemetry.io/otel/sdk/metric/controller/controllertest imports
github.com/benbjohnson/clock: github.com/emicklei/go-restful@v3.8.0+incompatible: go.mod has post-v3 module path "github.com/emicklei/go-restful/v3" at revision v3.8.0
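The go mod tidy output above is Go enforcing its semantic import versioning rule, which the edited require line breaks: a module at major version 2 or higher is identified by a /vN path suffix, and +incompatible is only allowed for a revision without a go.mod of its own. The checker below is an added example (my own code, not from the issue author or the sig-storage-local-static-provisioner project). It parses the require entries of a go.mod and reports the inconsistencies go mod tidy would, given a lookup table of the module path each dependency's own go.mod declares. The go.mod fragments, the `declared` table and the function names (`ValidateRequire`, `CheckGoMod`, `pathMajor`) are constructed for the example; the go-restful entries in the table restate the error text above, and the empty docker/distribution entry is an assumption that v2.7.1 has no go.mod. It also handles gopkg.in paths, which encode the major version as .vN rather than /vN.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Rule enforced by `go mod tidy`: a module at major version 2 or higher lives at
// a path ending in /vN (gopkg.in uses .vN); +incompatible needs a revision without go.mod.
var slashMajorRe, gopkgMajorRe = regexp.MustCompile(`/v([1-9]\d*)$`), regexp.MustCompile(`\.v(\d+)$`)

// pathMajor returns the major version encoded in a module path, or 1.
func pathMajor(p string) int {
	m := slashMajorRe.FindStringSubmatch(p)
	if strings.HasPrefix(p, "gopkg.in/") {
		m = gopkgMajorRe.FindStringSubmatch(p)
	}
	if m == nil {
		return 1
	}
	n, _ := strconv.Atoi(m[1])
	return n
}

// ValidateRequire checks one require entry. declaredPath is the module path the dependency's
// own go.mod declares at that revision ("" = no go.mod); with known == false only syntactic rules apply.
func ValidateRequire(reqPath, reqVersion, declaredPath string, known bool) error {
	vm, _ := strconv.Atoi(strings.SplitN(strings.TrimPrefix(reqVersion, "v"), ".", 2)[0]) // major of vN.x.y
	pm := pathMajor(reqPath)
	incompat := strings.HasSuffix(reqVersion, "+incompatible")
	switch {
	case vm < 2 && (pm >= 2 || incompat):
		return fmt.Errorf("%s %s: /vN suffix and +incompatible need v2 or higher", reqPath, reqVersion)
	case vm >= 2 && pm >= 2 && (incompat || pm != vm):
		return fmt.Errorf("%s %s: path major v%d must equal version major v%d and cannot be +incompatible", reqPath, reqVersion, pm, vm)
	case vm >= 2 && pm == 1 && !incompat:
		return fmt.Errorf("%s %s: v%d needs the path suffix /v%d or +incompatible", reqPath, reqVersion, vm, vm)
	case !known:
		return nil
	case declaredPath == "" && vm >= 2 && !incompat:
		return fmt.Errorf("%s %s: revision has no go.mod, so it must be +incompatible on the unversioned path", reqPath, reqVersion)
	case declaredPath != "" && incompat:
		plain := strings.TrimSuffix(reqVersion, "+incompatible")
		return fmt.Errorf("%s %s: go.mod has module path %q at revision %s; require %s %s", reqPath, reqVersion, declaredPath, plain, declaredPath, plain)
	case declaredPath != "" && declaredPath != reqPath:
		return fmt.Errorf("%s %s: go.mod declares module path %q", reqPath, reqVersion, declaredPath)
	}
	return nil
}

// CheckGoMod validates every require entry of a go.mod; declared maps
// "path@version" to the module path that revision's own go.mod declares.
func CheckGoMod(src string, declared map[string]string) []error {
	var errs []error
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		f := strings.Fields(strings.SplitN(sc.Text(), "//", 2)[0]) // strip comments such as "// indirect"
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case (len(f) == 3 && f[0] == "require") || (inBlock && len(f) == 2): // one require entry
			p, v := f[len(f)-2], f[len(f)-1]
			dp, known := declared[p+"@"+v]
			if err := ValidateRequire(p, v, dp, known); err != nil {
				errs = append(errs, err)
			}
		}
	}
	return errs
}

// Constructed go.mod fragments: the first mirrors the hunk in the issue, the
// second uses the /v3 path that the tidy error asks for.
const brokenGoMod = `module sigs.k8s.io/sig-storage-local-static-provisioner

require (
	github.com/docker/distribution v2.7.1+incompatible // indirect
	github.com/emicklei/go-restful v3.8.0+incompatible // indirect
)
`
const fixedGoMod = "module sigs.k8s.io/sig-storage-local-static-provisioner\n\nrequire github.com/emicklei/go-restful/v3 v3.8.0 // indirect\n"

// Constructed lookup (a real tool would read the module cache): go-restful entries restate the tidy error; "" assumes no go.mod.
var declared = map[string]string{
	"github.com/emicklei/go-restful@v3.8.0+incompatible": "github.com/emicklei/go-restful/v3",
	"github.com/emicklei/go-restful/v3@v3.8.0":           "github.com/emicklei/go-restful/v3",
	"github.com/docker/distribution@v2.7.1+incompatible": "",
}

func main() {
	fmt.Println(CheckGoMod(brokenGoMod, declared)) // one error, naming the /v3 path
	fmt.Println(CheckGoMod(fixedGoMod, declared))  // []
}
```

Run it with go run: the broken fragment yields a single finding asking for `github.com/emicklei/go-restful/v3 v3.8.0`, the valid docker/distribution +incompatible entry passes, and the fixed fragment yields nothing. In a real pipeline the lookup table would be filled from the module cache after go mod download. What a static check like this cannot tell you is whether the v2 requirement will return on the next tidy, which depends on whether the importers listed in the output above (k8s.io/apiserver and friends) still import the v2 path.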
What you expected to happen:
How to reproduce it:
Anything else we need to know?:
Environment:
- CSI Driver version:
- Kubernetes version (use kubectl version):
- OS (e.g. from /etc/os-release):
- Kernel (e.g. uname -a):
- Install tools:
- Others: