
Go Prisma Medium Severity Vulnerability

Open joroddy opened this issue 2 years ago • 1 comment

Describe the Bug

github-commenter has a high-severity vulnerability associated with golang.org/x/crypto version v0.0.0-20190308221718-c2843e01d9a2. Please see the attachment.

joroddy avatar Aug 30 '22 16:08 joroddy

@joroddy thanks for checking this and opening the issue.

Looks like golang.org/x/crypto version v0.0.0-20190308221718-c2843e01d9a2 is the latest version of the lib (as shown below, downloaded by go mod tidy). We will keep an eye on this and update once a new version is released.

go 1.19

require (
	github.com/Masterminds/sprig v2.22.0+incompatible
	github.com/google/go-github/v34 v34.0.0
	github.com/pkg/errors v0.9.1
	golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b
)

require (
	github.com/Masterminds/goutils v1.1.1 // indirect
	github.com/Masterminds/semver v1.5.0 // indirect
	github.com/google/go-querystring v1.0.0 // indirect
	github.com/google/uuid v1.3.0 // indirect
	github.com/huandu/xstrings v1.3.2 // indirect
	github.com/imdario/mergo v0.3.13 // indirect
	github.com/mitchellh/copystructure v1.2.0 // indirect
	github.com/mitchellh/reflectwalk v1.0.2 // indirect
	github.com/stretchr/testify v1.8.0 // indirect
	golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 // indirect
	gopkg.in/yaml.v3 v3.0.1 // indirect
)

aknysh avatar Aug 30 '22 17:08 aknysh

Looks like golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 is an indirect dependency of github.com/google/go-github/v34. After upgrading to github.com/google/go-github/v47, I reran go mod tidy, and the crypto package was updated to the latest version.

Added https://github.com/cloudposse/github-commenter/pull/52 to fix the same.

sukrit007wawa avatar Sep 10 '22 21:09 sukrit007wawa
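The triage step in the thread above (finding which direct dependency drags in the flagged indirect module, so that the right requirement gets bumped instead of waiting on the indirect one) can be reproduced over `go mod graph` output. The Go program below is an added example, not part of github-commenter or its pull request; it embeds a constructed graph under a hypothetical main-module path and walks it the way `go mod why -m golang.org/x/crypto` would on a real module cache.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed `go mod graph` output (not the project's real graph). Each line is
// "<module> <dependency>"; the main module is the one node without @version.
const sampleGraph = `github.com/example/github-commenter github.com/google/go-github/v34@v34.0.0
github.com/example/github-commenter golang.org/x/net@v0.0.0-20220826154423-83b083e8dc8b
github.com/google/go-github/v34@v34.0.0 github.com/google/go-querystring@v1.0.0
github.com/google/go-github/v34@v34.0.0 golang.org/x/crypto@v0.0.0-20190308221718-c2843e01d9a2
`

// parseGraph builds an adjacency list keyed by the exact "path@version" node.
func parseGraph(text string) map[string][]string {
	edges := make(map[string][]string)
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	return edges
}

// whyModule breadth-first searches from root and returns the shortest chain ending
// at any version of target, or nil. Its second element is the direct dependency to bump.
func whyModule(edges map[string][]string, root, target string) []string {
	seen := map[string]bool{root: true}
	queue := [][]string{{root}}
	for len(queue) > 0 {
		chain := queue[0]
		queue = queue[1:]
		last := chain[len(chain)-1]
		if last == target || strings.HasPrefix(last, target+"@") {
			return chain
		}
		for _, next := range edges[last] {
			if !seen[next] {
				seen[next] = true
				queue = append(queue, append(append([]string{}, chain...), next))
			}
		}
	}
	return nil
}

func main() {
	fmt.Println(strings.Join(whyModule(parseGraph(sampleGraph), "github.com/example/github-commenter", "golang.org/x/crypto"), " -> "))
}
```

On the sample graph the chain ends at go-github/v34 before x/crypto, which is why upgrading go-github (rather than pinning x/crypto) is the fix that sticks after `go mod tidy`.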