
Question: Incorrect Sonatype version reference

Open jmdacruz opened this issue 9 months ago • 2 comments

Question

Sonatype index is using incorrect versions for recommended fixes (e.g., v18.0.5 instead of v0.18.5): https://ossindex.sonatype.org/vulnerability/CVE-2024-32886?component-type=golang&component-name=vitess.io%2Fvitess&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.41

This means that even when updating to v0.18.5 in a project's go.mod, tools such as nancy will still report the vulnerability. I've sent an email to the Sonatype OSS index, pointing to this issue/question.

jmdacruz avatar May 09 '24 21:05 jmdacruz

Thank you for raising this. cc @systay @dbussink: The background to this is that go module versioning doesn't play nice with the way we do our SemVer. So whenever we do a release, we tag it with two versions, e.g. 18.0.5 and 0.18.5. This allows people to import vitess as a dependency in go.mod using 0.18.5 as the version.

deepthi avatar May 11 '24 14:05 deepthi
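To make the mismatch concrete, here is an added example (not code from Vitess, nancy or Sonatype) that reads the `vitess.io/vitess` requirement out of a go.mod and compares it against an advisory's fixed version both as published (`v18.0.5`, the form the issue reports) and after mapping the `X.0.Z` release tag to the `0.X.Z` module form described in the comment above. The go.mod text is constructed, and the normalisation rule (only `X.0.Z` tags are rewritten to `0.X.Z`) is an assumption derived from the `18.0.5` / `0.18.5` pair in this thread, not something the project documents here.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a minimal semantic version (vX.Y.Z), enough for this check.
type Version struct{ Major, Minor, Patch int }

// ParseVersion parses "v0.18.5" or "0.18.5" into its three numeric parts.
func ParseVersion(s string) (Version, error) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(s), "v"), ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("unsupported version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return Version{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		n[i] = v
	}
	return Version{n[0], n[1], n[2]}, nil
}

// Compare returns -1, 0 or 1 as a is lower than, equal to or higher than b.
func Compare(a, b Version) int {
	for _, d := range []int{a.Major - b.Major, a.Minor - b.Minor, a.Patch - b.Patch} {
		if d < 0 {
			return -1
		}
		if d > 0 {
			return 1
		}
	}
	return 0
}

// NormalizeVitessTag maps the release-tag form X.0.Z to the Go-module form
// 0.X.Z (the dual-tag convention from the thread, e.g. 18.0.5 and 0.18.5).
// Assumption: only X.0.Z tags are rewritten; anything else is returned as-is.
func NormalizeVitessTag(v Version) Version {
	if v.Major > 0 && v.Minor == 0 {
		return Version{0, v.Major, v.Patch}
	}
	return v
}

// ModuleVersionFromGoMod returns the version required for path in a go.mod
// file (single-line and block "require" forms), or false if it is absent.
func ModuleVersionFromGoMod(gomod, path string) (string, bool) {
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comments such as "// indirect"
		}
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == path {
			return f[1], true
		}
	}
	return "", false
}

// IsFixed reports whether installed is at or above the advisory's fixed
// version. With normalize=false the advisory string is compared as published;
// with normalize=true an X.0.Z release tag is first mapped to 0.X.Z.
func IsFixed(installed, fixed string, normalize bool) (bool, error) {
	have, err := ParseVersion(installed)
	if err != nil {
		return false, err
	}
	want, err := ParseVersion(fixed)
	if err != nil {
		return false, err
	}
	if normalize {
		want = NormalizeVitessTag(want)
	}
	return Compare(have, want) >= 0, nil
}

// sampleGoMod is a constructed go.mod fragment, not taken from any project.
const sampleGoMod = `module example.com/app

go 1.21

require (
	golang.org/x/sync v0.7.0
	vitess.io/vitess v0.18.5 // indirect
)
`

func main() {
	// Fixed version in the form the issue reports it being published.
	const advisoryFixed = "v18.0.5"
	got, ok := ModuleVersionFromGoMod(sampleGoMod, "vitess.io/vitess")
	if !ok {
		fmt.Println("vitess.io/vitess is not required by this go.mod")
		return
	}
	for _, norm := range []bool{false, true} {
		fixed, err := IsFixed(got, advisoryFixed, norm)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("go.mod=%s advisory=%s normalize=%v -> fixed=%v\n", got, advisoryFixed, norm, fixed)
	}
}
```

Run as-is, the raw comparison reports `v0.18.5` as still vulnerable (the false positive nancy users hit, because `0.18.5 < 18.0.5` numerically), while the normalised comparison reports it fixed. The same check also shows why the mismatch is not only noise: a scanner that applied the published `v18.0.5` threshold to a project pinned at `v0.18.4` would still flag it correctly, but one that silently dropped unparseable advisories would miss it, so an explicit mapping step is safer than ignoring the advisory.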

Fwiw, it looks like Dependabot does handle this correctly and does the correct version inference. I've seen it open correct PRs to update a Vitess dependency to resolve this issue. So not sure really what the expectation here is and if this is more something for Sonatype to handle, or if we need to change what we publish?

dbussink avatar May 11 '24 21:05 dbussink