testcontainers-go
chore: bump transitive dependencies
What does this PR do?
It bumps the following deps to their latest released versions:
- aws/aws-sdk-go
- miekg/dns
- hashicorp/consul/api
- hashicorp/consul/sdk
- k8s.io/kubernetes
We have run the following command to detect the vulnerabilities:

```
go list -json -m all | docker run --rm -i sonatypecommunity/nancy:v1.0.39 sleuth --skip-update-check
```
It has resolved 2 out of 5 security issues, but I'm not sure how to resolve those 3 packages, as I'm getting the following:

```
pkg:golang/github.com/hashicorp/consul/[email protected]
1 known vulnerabilities affecting installed version
pkg:golang/github.com/hashicorp/consul/[email protected]
1 known vulnerabilities affecting installed version
pkg:golang/k8s.io/[email protected]
29 known vulnerabilities affecting installed version
3 Vulnerable Packages
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━┫
┃ Audited Dependencies ┃ 416 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━┫
┃ Vulnerable Dependencies ┃ 3 ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━┛
```
Why is it important?
This PR resolves 2 security issues, but there are still 3.
I've observed myself everything that @mwittig commented in https://github.com/testcontainers/testcontainers-go/issues/326#issuecomment-881894569, so I'd say we are stuck on containerd's vulnerabilities.
Related issues
- Related to #326
Codecov Report
Merging #527 (36d81ce) into main (7d0afb7) will decrease coverage by 0.03%. The diff coverage is 28.57%.
:exclamation: Current head 36d81ce differs from pull request most recent head b94b442. Consider uploading reports for the commit b94b442 to get more accurate results

```
@@            Coverage Diff             @@
##             main     #527      +/-   ##
==========================================
- Coverage   68.88%   68.85%   -0.04%
==========================================
  Files          22       22
  Lines        2144     2148       +4
==========================================
+ Hits         1477     1479       +2
- Misses        528      530       +2
  Partials      139      139
```

| Impacted Files | Coverage Δ | |
|---|---|---|
| wait/sql.go | 23.07% <16.66%> (-1.93%) | :arrow_down: |
| compose.go | 74.04% <100.00%> (ø) | |
| docker.go | 71.03% <0.00%> (+0.20%) | :arrow_up: |
I feel this PR can be converted from draft to an actual PR
I resolved conflicts and got this report:
```
go list -json -m all | docker run --rm -i sonatypecommunity/nancy sleuth --skip-update-check
Unable to find image 'sonatypecommunity/nancy:latest' locally
latest: Pulling from sonatypecommunity/nancy
070ddc16dc55: Pull complete
c34c37bc9ec5: Pull complete
7222bb5c5949: Pull complete
Digest: sha256:35a17ac931605ea6311a3735f5b939952423f39dda2c828c0d72938851554749
Status: Downloaded newer image for sonatypecommunity/nancy:latest
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
pkg:golang/github.com/jinzhu/[email protected]
1 known vulnerabilities affecting installed version
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2019-15562] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description ┃ ** DISPUTED ** GORM before 1.9.10 allows SQL injection via incomplete ┃
┃ ┃ parentheses. NOTE: Misusing Gorm by passing untrusted user input where Gorm ┃
┃ ┃ expects trusted SQL fragments is a vulnerability in the application, not in ┃
┃ ┃ Gorm. ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID ┃ CVE-2019-15562 ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score ┃ 9.8/10 (Critical) ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector ┃ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vulnerability/CVE-2019-15562?component-type=golang&component-name=github.com%2Fjinzhu%2Fgorm&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.42 ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
pkg:golang/k8s.io/[email protected]
1 known vulnerabilities affecting installed version
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ 1 vulnerability found ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description ┃ 1 non-CVE vulnerability found. To see more details, please create a free ┃
┃ ┃ account at https://ossindex.sonatype.org/ and request for this information ┃
┃ ┃ using your registered account ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID ┃ sonatype-2022-6522 ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score ┃ 6.5/10 (Medium) ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector ┃ CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vulnerability/sonatype-2022-6522 ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
2 Vulnerable Packages
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━┫
┃ Audited Dependencies ┃ 394 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━┫
┃ Vulnerable Dependencies ┃ 2 ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━┛
```
I believe the gorm dependency issue will disappear with #650, as it's pushed back to the compose module.
OTOH, I ran `go mod why` for both:

```
➜ testcontainers-go (bump-transitive-deps-security-concerns) ✗ go mod why github.com/jinzhu/gorm
go: downloading github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73
go: downloading github.com/lib/pq v1.1.1
# github.com/jinzhu/gorm
github.com/testcontainers/testcontainers-go
github.com/docker/cli/cli/command
github.com/theupdateframework/notary/client
github.com/theupdateframework/notary/client.test
github.com/theupdateframework/notary/server/storage
github.com/jinzhu/gorm
➜ testcontainers-go (bump-transitive-deps-security-concerns) ✗ go mod why k8s.io/apiserver
# k8s.io/apiserver
(main module does not need package k8s.io/apiserver)
```

which confirms that the gorm dependency was introduced by compose native support. Regarding apiserver, it is not required by the main module, and I'm not sure how it gets into the dependencies, as it's not present in any file, including go.sum.
@kishaningithub because the number of issues has been reduced from 23 (as shown in the original #326 issue) to 2 (1 after #650), I'd merge this PR as is, considering it done. Wdyt?
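The `go mod why` run above reports that the main module does not need any package from k8s.io/apiserver, yet the module still shows up in the scan. `go mod why` answers a package-import question; a module can also enter the build list purely through another module's go.mod requirement, and `go mod graph` prints exactly those requirer/requirement edges. As an added example (not code from this PR or from testcontainers-go), the function below walks such a dump to recover the requirement chain; the graph it uses is constructed with placeholder module paths.

```go
package main

import (
	"bufio"
	"strings"
)

// Constructed `go mod graph` dump with placeholder module paths (not the real
// testcontainers-go graph). Each line reads "requirer requirement@version".
const sampleGraph = `example.com/app example.com/cli@v1.2.0
example.com/cli@v1.2.0 example.com/notary@v0.7.0
example.com/cli@v1.2.0 example.com/cloudsdk@v2.0.0
example.com/notary@v0.7.0 example.com/gorm@v1.9.1
example.com/cloudsdk@v2.0.0 example.com/apiserver@v0.20.0
`

// RequirementChain breadth-first searches the module graph for the shortest
// chain of go.mod requirements from the main module (the only node without an
// @version) to any version of target; nil means the module is not in the build list.
func RequirementChain(graph, target string) []string {
	adj, root := map[string][]string{}, "" // requirer -> requirements
	sc := bufio.NewScanner(strings.NewReader(graph))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 2 {
			if root == "" && !strings.Contains(f[0], "@") {
				root = f[0]
			}
			adj[f[0]] = append(adj[f[0]], f[1])
		}
	}
	prev := map[string]string{root: ""} // node -> requirer that reached it first
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		cur := queue[0]
		if strings.SplitN(cur, "@", 2)[0] == target {
			var chain []string
			for n := cur; n != ""; n = prev[n] { // walk back to the main module
				chain = append([]string{n}, chain...)
			}
			return chain
		}
		for _, next := range adj[cur] {
			if _, seen := prev[next]; !seen {
				prev[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}
```

Feeding it real `go mod graph` output for the repository would name the module whose go.mod pulls in k8s.io/apiserver, which is the requirement to bump or replace.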
@mdelapenya Beautiful to see the vulnerabilities go from 23 to 2. Yes IMO this can be merged :-)