chore: address snyk vulnerabilities #2579

Merged
merged 25 commits into from
Oct 26, 2022
Changes from 22 commits
Commits
25 commits
e7439bc
remove vulnerabilities
Vikas26021999 Oct 17, 2022
7cc3983
remove vulnerabilities
Vikas26021999 Oct 17, 2022
f3fa6c0
remove vul
Vikas26021999 Oct 17, 2022
06e212c
remove vul
Vikas26021999 Oct 17, 2022
a81ef22
Merge branch 'master' into fix.snyk_vul_rudder_server
Vikas26021999 Oct 17, 2022
bb102b2
Merge branch 'master' of github.com:rudderlabs/rudder-server into fix…
lvrach Oct 18, 2022
56a8894
chore: additional updates and replace
lvrach Oct 26, 2022
1d0d421
chore: remove older version buger/jsonparser
lvrach Oct 26, 2022
245256d
chore: latest prometheus client and containerd
lvrach Oct 26, 2022
2bb5536
chore: use latest dktest
lvrach Oct 26, 2022
a0f1d0e
chore: upgrade viper
lvrach Oct 26, 2022
d4f7496
exp: remove unnecessary replace
lvrach Oct 26, 2022
568c073
chore: rm replace upgrade deps
lvrach Oct 26, 2022
485cb01
chore: replace github.com/aws/aws-sdk-go
lvrach Oct 26, 2022
d085d7d
chore: remove unnecessary replace
lvrach Oct 26, 2022
bf98dd9
Merge branch 'master' of github.com:rudderlabs/rudder-server into fix…
lvrach Oct 26, 2022
6b3527b
chore: use parquet-go-source that doesn't introduce vulnerability
lvrach Oct 26, 2022
4b5f1e4
chore: remove unnecessary replace
lvrach Oct 26, 2022
fb5edd8
chore: go mod tidy
lvrach Oct 26, 2022
e6511a3
chore: upgrade foxcpp/go-mockdns
lvrach Oct 26, 2022
c597bf4
Apply suggestions from code review
lvrach Oct 26, 2022
d41f899
chore: add more comments
lvrach Oct 26, 2022
e487b00
Merge branch 'master' into fix.snyk_vul_rudder_server
lvrach Oct 26, 2022
9bad9cc
fix: pubsub requires valid pem key
lvrach Oct 26, 2022
04e007f
Merge branch 'fix.snyk_vul_rudder_server' of github.com:rudderlabs/ru…
lvrach Oct 26, 2022
11 changes: 8 additions & 3 deletions cmd/devtool/commands/webhook.go
@@ -1,14 +1,14 @@
package commands

import (
"encoding/json"
"fmt"
"io"
"log"
"net/http"
"strconv"
"time"

"github.com/buger/jsonparser"
Member
buger/jsonparser was conflicting with the migrate library; it was preventing the upgrade of the migrate library.

Since we could easily use json.Unmarshal to parse it, I've removed it as a dependency.

"github.com/urfave/cli/v2"
)

@@ -67,12 +67,17 @@ type webhook struct {
Verbose bool
}

type payload struct {
SentAt string
}

func (*webhook) computeTime(b []byte) {
v, err := jsonparser.GetString(b, "sentAt")
p := payload{}
err := json.Unmarshal(b, &p)
if err != nil {
return
}
sentAt, err := time.Parse(time.RFC3339, v)
sentAt, err := time.Parse(time.RFC3339, p.SentAt)
if err != nil {
log.Println(err)
return
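Review bot: the json.Unmarshal rewrite changes how a payload without a sentAt field is handled. jsonparser.GetString returned an error when the key was missing, so computeTime returned silently; json.Unmarshal succeeds on such a payload and leaves p.SentAt empty, so the new code falls through to time.Parse(time.RFC3339, "") and logs a parse error for every payload that lacks the field. Adding `if p.SentAt == "" { return }` before the time.Parse call restores the previous behaviour. A `json:"sentAt"` tag on the SentAt field would also make the mapping explicit instead of relying on encoding/json's case-insensitive field matching.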
85 changes: 48 additions & 37 deletions go.mod
Original file line number Diff line number Diff line change
@@ -2,9 +2,22 @@ module github.com/rudderlabs/rudder-server

go 1.18

replace (
Contributor
Would it be useful to add a comment here to remind us that at some point, once we upgrade the relevant libraries, these replacements can become outdated and should be removed?

Member
Yeah, eventually, we should do that, and we also need to keep the replacement versions up to date.

I am not a fan of the replace solution, and I tried to use it as little as possible. I am considering ways we can avoid it or make it easier to maintain.

// FIXME: this is a hacky way to address vulnerabilities in indirect dependencies
// We should frequently review this section to remove or update the replace directives
github.com/aws/aws-sdk-go => github.com/aws/aws-sdk-go v1.44.123 // xitongsys/parquet-go-source uses a vulnerable version
github.com/dhui/dktest => github.com/dhui/dktest v0.3.13 // many dependencies require this for testing
github.com/prometheus/client_golang => github.com/prometheus/client_golang v1.13.0 // many dependencies a vulnerable version of this package
golang.org/x/crypto => golang.org/x/crypto v0.0.0-20221010152910-d6f0a8c073c2 // many dependencies a vulnerable version of this package
golang.org/x/net => golang.org/x/net v0.0.0-20221004154528-8021a29435af // many dependencies a vulnerable version of this package
golang.org/x/text => golang.org/x/text v0.3.8 // many dependencies a vulnerable version of this package
gopkg.in/yaml.v2 => gopkg.in/yaml.v2 v2.4.0 // github.com/spf13/viper uses a vulnerable version
gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1 // github.com/spf13/viper uses a vulnerable version
)

require (
cloud.google.com/go/bigquery v1.42.0
cloud.google.com/go/pubsub v1.3.1
cloud.google.com/go/pubsub v1.19.0
cloud.google.com/go/storage v1.24.0
github.com/Azure/azure-storage-blob-go v0.14.0
github.com/ClickHouse/clickhouse-go v1.5.1
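Review bot: every replace directive in this hunk maps a module to its own path at a fixed version, which is redundant with a require entry and carries a cost: a replace without a left-hand version overrides minimal version selection for all versions of that module, so if a dependency later requires a newer golang.org/x/crypto or prometheus/client_golang for another fix, the pin silently holds the build on the version listed here. For a same-path upgrade, `go get golang.org/x/crypto@v0.0.0-20221010152910-d6f0a8c073c2` (which adds the fixed version to require) is enough, because MVS already selects the highest required version; the aws-sdk-go line shows this, since the same v1.44.123 also appears in the require block of this hunk. If the replace block is kept, each line should name the scanner finding it addresses so the entry can be retired once the upstream dependency moves, and the four comments reading "many dependencies a vulnerable version of this package" are missing the word "use".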
@@ -13,14 +26,13 @@ require (
github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
github.com/allisson/go-pglock/v2 v2.0.1
github.com/araddon/dateparse v0.0.0-20190622164848-0fb0a474d195
github.com/aws/aws-sdk-go v1.44.110
github.com/aws/aws-sdk-go v1.44.123
github.com/bugsnag/bugsnag-go/v2 v2.1.2
github.com/cenkalti/backoff v2.2.1+incompatible
github.com/cenkalti/backoff/v4 v4.1.3
github.com/denisenkom/go-mssqldb v0.10.0
github.com/denisenkom/go-mssqldb v0.12.0
github.com/dgraph-io/badger/v2 v2.2007.4
github.com/foxcpp/go-mockdns v1.0.0
github.com/fsnotify/fsnotify v1.5.1
github.com/fsnotify/fsnotify v1.5.4
github.com/go-redis/redis v6.15.7+incompatible
github.com/gofrs/uuid v4.2.0+incompatible
github.com/golang-migrate/migrate/v4 v4.15.2
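Review bot: github.com/foxcpp/go-mockdns v1.0.0 is dropped from this block while the last hunk re-adds it at the untagged pseudo-version v1.0.1-0.20220408113050-3599dc5d2c7d. A pseudo-version pins a single commit rather than a release, and the commit message only says "upgrade foxcpp/go-mockdns", so a short comment on the new line saying why that commit is needed would help whoever next audits this file. Keeping the line in this block, next to the other direct dependencies, would also avoid the extra require block at the end of the file.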
@@ -48,14 +60,14 @@ require (
github.com/snowflakedb/gosnowflake v1.6.13
github.com/sony/gobreaker v0.5.0
github.com/spaolacci/murmur3 v1.1.0
github.com/spf13/cast v1.3.1 // indirect
github.com/spf13/viper v1.8.0
github.com/stretchr/testify v1.8.0
github.com/spf13/cast v1.5.0 // indirect
github.com/spf13/viper v1.13.0
github.com/stretchr/testify v1.8.1
github.com/thoas/go-funk v0.9.1
github.com/tidwall/gjson v1.14.3
github.com/tidwall/sjson v1.2.5
github.com/viney-shih/go-lock v1.1.2
github.com/xitongsys/parquet-go v1.6.1-0.20210531003158-8ed615220b7d
github.com/xitongsys/parquet-go v1.6.2
github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c // indirect
github.com/zenizh/go-capturer v0.0.0-20211219060012-52ea6c8fed04
go.etcd.io/etcd/api/v3 v3.5.5
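Review bot: github.com/spf13/viper jumps from v1.8.0 to v1.13.0 and github.com/xitongsys/parquet-go moves from a 2021 pseudo-version to the tagged v1.6.2; both are direct dependencies, so the configuration loading and parquet writing paths deserve a test run rather than a `go build` alone. The yaml.v2 and yaml.v3 replace lines in the first hunk blame viper for the vulnerable yaml versions, so after this bump `go mod why -m gopkg.in/yaml.v3` will show whether those two replace lines are still doing anything.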
@@ -77,30 +89,27 @@ require (
cloud.google.com/go v0.103.0 // indirect
cloud.google.com/go/compute v1.8.0 // indirect
cloud.google.com/go/iam v0.3.0 // indirect
cloud.google.com/go/kms v1.4.0 // indirect
github.com/Azure/azure-pipeline-go v0.2.3 // indirect
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect
github.com/EagleChen/mapmutex v0.0.0-20180418073615-e1a5ae258d8d // indirect
github.com/alexeyco/simpletable v1.0.0
github.com/apache/arrow/go/arrow v0.0.0-20211112161151-bc219186db40 // indirect
github.com/apache/thrift v0.13.1-0.20201008052519-daf620915714 // indirect
github.com/aws/aws-sdk-go-v2 v1.11.0 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.0.0 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.6.1 // indirect
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.7.1 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.0 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.0.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.5.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.5.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.9.0 // indirect
github.com/aws/aws-sdk-go-v2/service/s3 v1.19.0 // indirect
github.com/aws/smithy-go v1.9.0 // indirect
github.com/buger/jsonparser v1.1.1
github.com/apache/thrift v0.14.2 // indirect
github.com/aws/aws-sdk-go-v2 v1.16.2 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.1 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.11.2 // indirect
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.3 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.1 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.3 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.3 // indirect
github.com/aws/aws-sdk-go-v2/service/s3 v1.26.3 // indirect
github.com/aws/smithy-go v1.11.2 // indirect
github.com/bugsnag/panicwrap v1.3.4 // indirect
github.com/cespare/xxhash v1.1.0 // indirect
github.com/cloudflare/golz4 v0.0.0-20150217214814-ef862a3cdc58 // indirect
github.com/containerd/containerd v1.6.8 // indirect
github.com/containerd/continuity v0.3.0 // indirect
github.com/coreos/go-semver v0.3.0 // indirect
github.com/coreos/go-systemd/v22 v22.3.2 // indirect
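Review bot: github.com/containerd/containerd v1.6.8 enters the graph here as a new indirect dependency while cloud.google.com/go/kms and github.com/buger/jsonparser leave. containerd is a large module for a server's build list; `go mod why -m github.com/containerd/containerd` will show whether it is reached only through the docker and dktest test tooling (the dktest replace comment in the first hunk suggests so), and that path is worth recording in a comment so it is not mistaken for a runtime dependency. The aws-sdk-go-v2 modules are bumped together as a set, which that family requires.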
@@ -109,7 +118,7 @@ require (
github.com/dgraph-io/ristretto v0.0.3-0.20200630154024-f66de99634de // indirect
github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 // indirect
github.com/docker/cli v20.10.14+incompatible // indirect
github.com/docker/docker v20.10.13+incompatible // indirect
github.com/docker/docker v20.10.21+incompatible // indirect
github.com/docker/go-connections v0.4.0 // indirect
github.com/docker/go-units v0.4.0 // indirect
github.com/dustin/go-humanize v1.0.0 // indirect
@@ -118,7 +127,6 @@ require (
github.com/garyburd/redigo v1.6.0 // indirect
github.com/go-ini/ini v1.63.2 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/snappy v0.0.4 // indirect
@@ -128,33 +136,32 @@ require (
github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
github.com/googleapis/gax-go/v2 v2.5.1 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.1 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/imdario/mergo v0.3.12 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
github.com/klauspost/compress v1.15.9 // indirect
github.com/klauspost/cpuid/v2 v2.1.0 // indirect
github.com/kr/pretty v0.3.0 // indirect
github.com/linkedin/goavro v2.1.0+incompatible
github.com/magiconair/properties v1.8.5 // indirect
github.com/magiconair/properties v1.8.6 // indirect
github.com/mattn/go-ieproxy v0.0.1 // indirect
github.com/mattn/go-runewidth v0.0.12 // indirect
github.com/miekg/dns v1.1.25 // indirect
github.com/minio/md5-simd v1.1.2 // indirect
github.com/minio/sha256-simd v1.0.0 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/mapstructure v1.5.0
github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
github.com/moby/term v0.0.0-20220808134915-39b0c02b01ae // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
github.com/opencontainers/runc v1.1.4 // indirect
github.com/ory/dockertest/v3 v3.9.1
github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
github.com/pelletier/go-toml v1.9.3 // indirect
github.com/pelletier/go-toml v1.9.5 // indirect
github.com/pierrec/lz4 v2.6.1+incompatible // indirect
github.com/pierrec/lz4/v4 v4.1.15 // indirect
github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
@@ -167,19 +174,19 @@ require (
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/segmentio/backo-go v0.0.0-20160424052352-204274ad699c // indirect
github.com/sirupsen/logrus v1.9.0 // indirect
github.com/spf13/afero v1.6.0 // indirect
github.com/spf13/afero v1.9.2 // indirect
github.com/spf13/jwalterweatherman v1.1.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/subosito/gotenv v1.2.0 // indirect
github.com/subosito/gotenv v1.4.1 // indirect
github.com/tidwall/match v1.1.1 // indirect
github.com/tidwall/pretty v1.2.0 // indirect
github.com/urfave/cli/v2 v2.17.1
github.com/urfave/cli/v2 v2.20.3
github.com/xdg/scram v1.0.5 // indirect
github.com/xdg/stringprep v1.0.3 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
github.com/xeipuuv/gojsonschema v1.2.0 // indirect
github.com/xitongsys/parquet-go-source v0.0.0-20200817004010-026bad9b25d0 // indirect
github.com/xitongsys/parquet-go-source v0.0.0-20220803203939-583c0659c569 // indirect
github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.5.5 // indirect
go.opencensus.io v0.23.0 // indirect
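Review bot: github.com/xitongsys/parquet-go-source stays on a pseudo-version, now a 2022-08-03 commit, and the commit message says this commit avoids a vulnerable dependency. The aws-sdk-go replace comment in the first hunk attributes the vulnerable aws-sdk-go version to parquet-go-source, so if this newer commit no longer pulls the old aws-sdk-go, that replace line can be removed in the same change; `go mod graph | grep parquet-go-source` confirms which aws-sdk-go version it now requires.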
@@ -192,13 +199,17 @@ require (
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20220914142337-ca0e39ece12f
gopkg.in/ini.v1 v1.66.6 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/linkedin/goavro.v1 v1.0.5 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)

require (
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.3 // indirect
github.com/foxcpp/go-mockdns v1.0.1-0.20220408113050-3599dc5d2c7d
github.com/golang-sql/sqlexp v0.0.0-20170517235910-f1bb20e5a188 // indirect
github.com/golang/protobuf v1.5.2 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
github.com/pelletier/go-toml/v2 v2.0.5 // indirect
)
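Review bot: the new third `require (` block mixes a direct dependency (github.com/foxcpp/go-mockdns carries no `// indirect` marker) with indirect ones, so the rough direct-versus-indirect split of the two blocks above is lost at the tail of the file. Fold these six entries into the existing blocks before merging, with go-mockdns back beside the v1.0.0 line the second hunk removes, and re-run `go mod tidy` afterwards to confirm the layout is stable. The unchanged gopkg.in/yaml.v2 v2.4.0 and gopkg.in/yaml.v3 v3.0.1 context lines in this hunk already record the versions the replace block pins, which means MVS has already selected them and those two replace lines are not needed.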