dependabot github.com/containerd/containerd vulnerability #639
Merged
Dependabot on k8gb reports an error: GHSA-c2h3-6mxw-7mvq

We do not use containerd in our terratests; this patch should fix Dependabot until terratest is fixed. See terratest issue: gruntwork-io/terratest#1006

Signed-off-by: kuritka <[email protected]>
ytsarev approved these changes on Oct 5, 2021
kuritka added a commit that referenced this pull request on Oct 5, 2021:

Follow-up #639

Signed-off-by: kuritka <[email protected]>
kuritka added a commit that referenced this pull request on Oct 5, 2021:

follow-up #639 regarding [CVE-2020-26160](github.com/dgrijalva/jwt-go)

*There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1*

Waiting for newer `jwt-go`.

Signed-off-by: kuritka <[email protected]>
kuritka added a commit that referenced this pull request on Oct 5, 2021:

follow-up #639

As part of this PR I have promoted versions of all packages where possible.

Regarding [CVE-2020-26160](github.com/dgrijalva/jwt-go): *There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1*

Waiting for fix in `jwt-go`.

Signed-off-by: kuritka <[email protected]>
kuritka added a commit that referenced this pull request on Oct 5, 2021:

follow-up #639

As part of this PR I have promoted versions of all packages where possible.

Regarding [CVE-2020-26160](github.com/dgrijalva/jwt-go): *There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1*

The chain is github.com/gruntwork-io/terratest -> github.com/gruntwork-io/[email protected] -> k8s.io/[email protected] -> github.com/Azure/go-autorest/[email protected] -> github.com/Azure/go-autorest/autorest/[email protected] -> `jwt-go`.

Signed-off-by: kuritka <[email protected]>
kuritka added a commit that referenced this pull request on Oct 5, 2021:

follow-up #639

As part of this PR I have promoted versions of all packages where possible.

Regarding [CVE-2020-26160](github.com/dgrijalva/jwt-go): *There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1*

The chain is:

```
github.com/gruntwork-io/terratest -> github.com/gruntwork-io/[email protected] -> k8s.io/[email protected] -> github.com/Azure/go-autorest/[email protected] -> github.com/Azure/go-autorest/autorest/[email protected] -> jwt-go
```

Signed-off-by: kuritka <[email protected]>
kuritka added a commit that referenced this pull request on Oct 5, 2021:

follow-up #639

As part of this PR I have promoted versions of all packages where possible.

Regarding [CVE-2020-26160](github.com/dgrijalva/jwt-go): *There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1*

github.com/dgrijalva/jwt-go is no longer supported and jwt continues as a new community project (https://github.com/golang-jwt/jwt/blob/main/MIGRATION_GUIDE.md)

Signed-off-by: kuritka <[email protected]>
kuritka added a commit that referenced this pull request on Oct 6, 2021:

follow-up #639, gruntwork-io/terratest#1006

During the time of disuse, the projects have already migrated to [golang-jwt/jwt](https://github.com/golang-jwt/jwt/blob/main/MIGRATION_GUIDE.md), which is a continuation of [github.com/dgrijalva/jwt-go](github.com/dgrijalva/jwt-go).

`github.com/gruntwork-io/[email protected]` uses the unsupported jwt-token in two paths:

```
github.com/gruntwork-io/[email protected] -> k8s.io/[email protected] -> github.com/Azure/go-autorest/autorest/adal v0.8.2 -> ... github.com/dgrijalva/[email protected]
```

The `replace github.com/Azure/go-autorest/autorest/adal => github.com/Azure/go-autorest/autorest/adal v0.9.16` rule fixed it. (This path is on v0.32.17 but not much different from v0.37.12.)

```
github.com/gruntwork-io/[email protected] -> github.com/google/[email protected] -> github.com/vdemeester/[email protected] -> k8s.io/legacy-cloud-providers -> k8s.io/apiserver -> go.etcd.io/[email protected] -> github.com/dgrijalva/[email protected]
```

The `replace github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0` rule fixed it.

`github.com/gruntwork-io/[email protected]` uses `github.com/google/[email protected]`, which links an unpatched old version of `github.com/containerd/containerd`.

If I override go-containerregistry with `github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0`, then it generates this:

```
github.com/containerd/containerd v1.2.10/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.1-0.20191213020239-082f7e3aed57/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.4.0-beta.2.0.20200729163537-40b22ef07410/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.4.1/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.4.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.5.0-beta.1/go.mod h1:5HfvG1V2FsKesEGQ17k5/T7V960Tmcumvqn8Mc+pCYQ=
github.com/containerd/containerd v1.5.0-beta.3/go.mod h1:/wr9AVtEM7x9c+n0+stptlo/uBBoBORwEx6ardVcmKU=
github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09ZvgqEq8EfBp/m3lcVZIvPHhI=
github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s=
github.com/containerd/containerd v1.5.2/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
```

But >= v1.4.1 are patched. These rules will fix it:

```
replace github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0
replace github.com/containerd/containerd => github.com/containerd/containerd v1.5.2
```

`github.com/gorilla/websocket` is resolved with the two steps mentioned above.

The final solution looks like this and works well if the assumption that my tests are not dependent on older versions of containerd and azure is met.

```go
replace (
	// CVE-2020-26160 (GHSA-w73w-5m7g-f7qc)
	github.com/Azure/go-autorest/autorest/adal => github.com/Azure/go-autorest/autorest/adal v0.9.16
	// CVE-2021-41103 (GHSA-c2h3-6mxw-7mvq)
	// CVE-2020-27813 (GHSA-3xh2-74w9-5vxm)
	// CVE-2020-26160 (GHSA-w73w-5m7g-f7qc)
	github.com/containerd/containerd => github.com/containerd/containerd v1.5.2
	github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0
)
```

Signed-off-by: kuritka <[email protected]>
kuritka added a commit that referenced this pull request on Oct 6, 2021:

follow-up #639, gruntwork-io/terratest#1006

During the time of disuse, the projects have already migrated to [golang-jwt/jwt](https://github.com/golang-jwt/jwt/blob/main/MIGRATION_GUIDE.md), which is a continuation of [github.com/dgrijalva/jwt-go](github.com/dgrijalva/jwt-go).

`github.com/gruntwork-io/[email protected]` uses the unsupported jwt-token in two paths:

```
github.com/gruntwork-io/[email protected] -> k8s.io/[email protected] -> github.com/Azure/go-autorest/autorest/adal v0.8.2 -> ... github.com/dgrijalva/[email protected]
```

The `replace github.com/Azure/go-autorest/autorest/adal => github.com/Azure/go-autorest/autorest/adal v0.9.16` rule fixed it. (This path is on v0.32.17 but not much different from v0.37.12.)

```
github.com/gruntwork-io/[email protected] -> github.com/google/[email protected] -> github.com/vdemeester/[email protected] -> k8s.io/legacy-cloud-providers -> k8s.io/apiserver -> go.etcd.io/[email protected] -> github.com/dgrijalva/[email protected]
```

The `replace github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0` rule fixed it.

`github.com/gruntwork-io/[email protected]` uses `github.com/google/[email protected]`, which links an unpatched old version of `github.com/containerd/containerd`.

If I override go-containerregistry with `github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0`, then it generates this:

```
github.com/containerd/containerd v1.2.10/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.1-0.20191213020239-082f7e3aed57/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.4.0-beta.2.0.20200729163537-40b22ef07410/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.4.1/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.4.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.5.0-beta.1/go.mod h1:5HfvG1V2FsKesEGQ17k5/T7V960Tmcumvqn8Mc+pCYQ=
github.com/containerd/containerd v1.5.0-beta.3/go.mod h1:/wr9AVtEM7x9c+n0+stptlo/uBBoBORwEx6ardVcmKU=
github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09ZvgqEq8EfBp/m3lcVZIvPHhI=
github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s=
github.com/containerd/containerd v1.5.2/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
```

But >= v1.4.1 are patched. These rules will fix it:

```
replace github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0
replace github.com/containerd/containerd => github.com/containerd/containerd v1.5.2
```

`github.com/gorilla/websocket` is resolved with the two steps mentioned above.

The problem is we replace packages on the go.sum level but not in go.mod. That's why jwt-go is still downloaded. We must exclude it.

The final solution looks like this and works well if the assumption that my tests are not dependent on older versions of containerd and azure is met.

```go
replace (
	// CVE-2020-26160 (GHSA-w73w-5m7g-f7qc)
	github.com/Azure/go-autorest/autorest/adal => github.com/Azure/go-autorest/autorest/adal v0.9.16
	// CVE-2021-41103 (GHSA-c2h3-6mxw-7mvq)
	// CVE-2020-27813 (GHSA-3xh2-74w9-5vxm)
	// CVE-2020-26160 (GHSA-w73w-5m7g-f7qc)
	github.com/containerd/containerd => github.com/containerd/containerd v1.5.2
	github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0
)

exclude github.com/dgrijalva/jwt-go v3.2.0+incompatible
```

Signed-off-by: kuritka <[email protected]>
kuritka added a commit that referenced this pull request on Oct 6, 2021:

follow-up #639, gruntwork-io/terratest#1006

- CVE-2021-41103 github.com/containerd/containerd: only v1.4.11, v1.5.7 are patched
- CVE-2020-27813 github.com/gorilla/websocket: >= 1.4.1 is patched
- CVE-2020-26160 github.com/dgrijalva/jwt-go: There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1

The terratest package is the top of a tree that uses many packages in different versions that are often not updated. After GitHub issued an alert, it turned out that some packages deep inside are referencing long unsupported packages. In order to solve the problems with the alerts, I had to specify which versions of the packages to use and which ones should not be downloaded (excluded; their versions are in the go.mod files).

The final solution works well if the assumption that our tests are not dependent on older versions of containerd or azure is met. I assume that in the future the problems will be solved on the terratest package side.

Signed-off-by: kuritka <[email protected]>
Dependabot on k8gb reports an error: GHSA-c2h3-6mxw-7mvq

We are not affected by changing the containerd version in our terratests; this patch should fix Dependabot until terratest is fixed.
See terratest issue: gruntwork-io/terratest#1006