Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Upgrade crypto lib to fix cve #148

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kezhenxu94 merged 1 commit into from
Apr 22, 2022
Merged

Upgrade crypto lib to fix cve #148

kezhenxu94 merged 1 commit into from
Apr 22, 2022

Conversation

@kezhenxu94
Copy link
Member

@kezhenxu94 kezhenxu94 commented Apr 22, 2022

Also add .vscode to .gitignore

@kezhenxu94 kezhenxu94 added the chore Chores of the project label Apr 22, 2022
@kezhenxu94 kezhenxu94 added this to the 0.11.0 milestone Apr 22, 2022
@kezhenxu94 kezhenxu94 requested review from fgksgf and wu-sheng April 22, 2022 03:44
@kezhenxu94
Copy link
Member Author

kezhenxu94 commented Apr 22, 2022

FYI CVE

+---------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |           FIXED VERSION           |                 TITLE                 |
+---------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
| golang.org/x/crypto | CVE-2022-27191   | HIGH     | v0.0.0-20201216223049-8b5274cf687f | 0.0.0-20220315160706-3147a52a75dd | golang: crash in a                    |
|                     |                  |          |                                    |                                   | golang.org/x/crypto/ssh server        |
|                     |                  |          |                                    |                                   | -->avd.aquasec.com/nvd/cve-2022-27191 |
+---------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+

wu-sheng
wu-sheng reviewed Apr 22, 2022
View reviewed changes
go.mod
github.com/spf13/viper v1.7.0
github.com/urfave/cli/v2 v2.3.0
golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f // indirect
golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 // indirect
Copy link
Member

@wu-sheng wu-sheng Apr 22, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This lib seems not existing in https://github.com/apache/skywalking-cli/blob/master/dist/LICENSE

Copy link
Member Author

@kezhenxu94 kezhenxu94 Apr 22, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not the only missing case, we have lots of indirect dependencies (in go.sum) missing in the dist/LICENSE file and that needs an overhaul before next release.

@kezhenxu94 kezhenxu94 mentioned this pull request Apr 22, 2022
Closed
@kezhenxu94 kezhenxu94 merged commit d2c95c3 into master Apr 22, 2022
@kezhenxu94 kezhenxu94 deleted the cve-crypto branch April 22, 2022 03:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wu-sheng wu-sheng wu-sheng approved these changes

@fgksgf fgksgf Awaiting requested review from fgksgf

Assignees

No one assigned

Labels

chore Chores of the project

Projects

None yet

Milestone

0.11.0

Development

Successfully merging this pull request may close these issues.

2 participants

@kezhenxu94 @wu-sheng