You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
go.mod: ginkgo/v2 v2.3.1, golang.org/x/text v0.3.8, update go versions (#880)
* gha: remove go1.17, temporarily force 1.18.7, 1.19.2
The security scanner is flagging the code to have a vulnerability, but it's
detecting that we're running go1.18.6, not "latest" (go1.18.7 at time of writing).
Temporarily pinning to go1.18.7 to force installing the latest version:
Vulnerability #1: GO-2022-1039
Programs which compile regular expressions from untrusted
sources may be vulnerable to memory exhaustion or denial of
service. The parsed regexp representation is linear in the size
of the input, but in some cases the constant factor can be as
high as 40,000, making relatively small regexps consume much
larger amounts of memory. After fix, each regexp being parsed is
limited to a 256 MB memory footprint. Regular expressions whose
representation would use more space than that are rejected.
Normal use of regular expressions is unaffected.
Call stacks in your code:
Error: helpers.go:463:26: github.com/securego/gosec/v2.ExcludedDirsRegExp calls regexp.MustCompile, which eventually calls regexp/syntax.Parse
Found in: regexp/[email protected]
Fixed in: regexp/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-1039
Signed-off-by: Sebastiaan van Stijn <[email protected]>
* go.mod: github.com/onsi/ginkgo/v2 v2.3.1
CI was failing because of a mismatch:
/home/runner/go/bin/ginkgo -v --fail-fast
Ginkgo detected a version mismatch between the Ginkgo CLI and the version of Ginkgo imported by your packages:
Ginkgo CLI Version:
2.3.1
Mismatched package versions found:
2.2.0 used by gosec
Signed-off-by: Sebastiaan van Stijn <[email protected]>
* go.mod: golang.org/x/text v0.3.8
to address GO-2022-1059
The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.
Vulnerability #1: GO-2022-1059
An attacker may cause a denial of service by crafting an Accept-Language
header which ParseAcceptLanguage will take significant time to parse.
Found in: golang.org/x/text/[email protected]
Fixed in: golang.org/x/text/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-1059
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Copy file name to clipboardExpand all lines: .github/workflows/ci.yml
+3-4Lines changed: 3 additions & 4 deletions
Original file line number
Diff line number
Diff line change
@@ -11,9 +11,8 @@ jobs:
11
11
strategy:
12
12
matrix:
13
13
go_version:
14
-
- '1.17'
15
-
- '1.18'
16
-
- '1.19'
14
+
- '1.18.7'# TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
15
+
- '1.19.2'# TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
17
16
runs-on: ubuntu-latest
18
17
env:
19
18
GO111MODULE: on
@@ -45,7 +44,7 @@ jobs:
45
44
- name: Setup go
46
45
uses: actions/setup-go@v3
47
46
with:
48
-
go-version: '1.19'
47
+
go-version: '1.19.2'# TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
0 commit comments