go.mod: ginkgo/v2 v2.3.1, golang.org/x/text v0.3.8, update go versions #880
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
thaJeztah
force-pushed
the
bump_ginkgo
branch
from
f3d5799 to
3aa277c
Compare
thaJeztah
changed the title
thaJeztah
changed the title
thaJeztah
force-pushed
the
bump_ginkgo
branch
from
0427fce to
6f1ec20
Compare
Codecov ReportBase: 73.89% // Head: 73.89% // No change to project coverage 👍
Additional details and impacted files@@ Coverage Diff @@
## master #880 +/- ##
=======================================
Coverage 73.89% 73.89%
=======================================
Files 51 51
Lines 3195 3195
=======================================
Hits 2361 2361
Misses 763 763
Partials 71 71 Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
thaJeztah
force-pushed
the
bump_ginkgo
branch
from
6f1ec20 to
6a90417
Compare
thaJeztah
commented
Oct 16, 2022
| @@ -11,8 +11,7 @@ jobs: | |||
| strategy: | |||
| matrix: | |||
| go_version: | |||
| - '1.17' | |||
| - '1.18' | |||
| - '1.18.7' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880 | |||
There was a problem hiding this comment.
This shouldn't be needed, but looks like the action installs 1.18.6 otherwise
|
Wow, and now it's installing go1.19.1 ??? Looks like if you don't specify a version, it picks a random 1.19.x version (perhaps caching??) |
The security scanner is flagging the code to have a vulnerability, but it's
detecting that we're running go1.18.6, not "latest" (go1.18.7 at time of writing).
Temporarily pinning to go1.18.7 to force installing the latest version:
Vulnerability securego#1: GO-2022-1039
Programs which compile regular expressions from untrusted
sources may be vulnerable to memory exhaustion or denial of
service. The parsed regexp representation is linear in the size
of the input, but in some cases the constant factor can be as
high as 40,000, making relatively small regexps consume much
larger amounts of memory. After fix, each regexp being parsed is
limited to a 256 MB memory footprint. Regular expressions whose
representation would use more space than that are rejected.
Normal use of regular expressions is unaffected.
Call stacks in your code:
Error: helpers.go:463:26: github.com/securego/gosec/v2.ExcludedDirsRegExp calls regexp.MustCompile, which eventually calls regexp/syntax.Parse
Found in: regexp/[email protected]
Fixed in: regexp/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-1039
Signed-off-by: Sebastiaan van Stijn <[email protected]>
CI was failing because of a mismatch:
/home/runner/go/bin/ginkgo -v --fail-fast
Ginkgo detected a version mismatch between the Ginkgo CLI and the version of Ginkgo imported by your packages:
Ginkgo CLI Version:
2.3.1
Mismatched package versions found:
2.2.0 used by gosec
Signed-off-by: Sebastiaan van Stijn <[email protected]>
to address GO-2022-1059
The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.
Vulnerability securego#1: GO-2022-1059
An attacker may cause a denial of service by crafting an Accept-Language
header which ParseAcceptLanguage will take significant time to parse.
Found in: golang.org/x/text/[email protected]
Fixed in: golang.org/x/text/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-1059
Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
force-pushed
the
bump_ginkgo
branch
from
6a90417 to
9b4c75d
Compare
|
@ccojocar ptal 👍 |
ccojocar
approved these changes
Oct 17, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
gha: remove go1.17, temporarily force go1.18.7
The security scanner is flagging the code to have a vulnerability, but it's
detecting that we're running go1.18.6, not "latest" (go1.18.7 at time of writing).
Temporarily pinning to go1.18.7 to force installing the latest version:
go.mod: github.com/onsi/ginkgo/v2 v2.3.1
CI was failing because of a mismatch:
go.mod: golang.org/x/text v0.3.8
to address GO-2022-1059: