This repository has been archived by the owner on Mar 14, 2024. It is now read-only.

chore: update dependencies due to CVE-2023-1732 #29

Merged
merged 2 commits into from
Jul 20, 2023

Conversation

carslen
Contributor

@carslen carslen commented Jul 7, 2023

Previously used dep github.com/cloudflare/circl had a security issue (CVE-2023-1732). Updated the Go dependencies to get the new version.

Fixes CVE-2023-1732

Pre-review checks

Please ensure to do as many of the following checks as possible, before asking for committer review:

  • DEPENDENCIES are up to date. Dash license tool. Committers can open IP issues for restricted libs.
  • Copyright and license header are present on all affected files

Previously used dep github.com/cloudflare/circl had a security issue (CVE-2023-1732). Updated the Go dependencies to get the new version.
@carslen carslen changed the title deps: update dependencies due to CVE-2023-1732 chore: update dependencies due to CVE-2023-1732 Jul 7, 2023
Contributor

@FaGru3n FaGru3n left a comment


LGTM

@SebastianBezold
Contributor

There are restricted dependencies included. We need to make sure that we let them be approved before creating a release version with it, or wait until we can update the DEPENDENCIES here in the PR.

@carslen
Contributor Author

carslen commented Jul 7, 2023

There are restricted dependencies included. We need to make sure that we let them be approved before creating a release version with it, or wait until we can update the DEPENDENCIES here in the PR.

It's a trade-off between fixing a high security finding in a dependency and matching the EF rules. The IP check for the last 2 restricted dependencies has been opened (there were even more yesterday, but they were automatically approved by the Dash bot), but it needs manual IP team assistance.

@SebastianBezold
Contributor

There are restricted dependencies included. We need to make sure that we let them be approved before creating a release version with it, or wait until we can update the DEPENDENCIES here in the PR.

It's a trade-off between fixing a high security finding in a dependency and matching the EF rules. The IP check for the last 2 restricted dependencies has been opened (there were even more yesterday, but they were automatically approved by the Dash bot), but it needs manual IP team assistance.

Yes, I also think it will always be a trade-off. I think that to evaluate the criticality we would also need to know where (and if) we are using this dependency actively, meaning whether the vulnerability can be exploited. Do we know how this is used in our quality checks?
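The question above (is the vulnerable module actually pinned, and is it reachable?) splits into two checks. The first can be answered from go.mod alone; the second needs the build graph (`go mod why -m github.com/cloudflare/circl` shows the import chain that pulls the module in, and `govulncheck ./...` reports only vulnerabilities whose functions are reachable from your code). The following Go program is an added example, not code from this repository: it parses a constructed go.mod, looks up the pinned version of a module, and compares it against a fixed version. The go.mod contents, the pinned `v1.3.2`, and the fixed version `v1.3.3` used in `main` are assumptions for illustration; the real fixed version must be taken from the advisory for CVE-2023-1732.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod used only for this example; it is not
// the repository's real module file. The circl version is a placeholder.
const sampleGoMod = `module example.com/placeholder

go 1.20

require (
	github.com/cloudflare/circl v1.3.2
	golang.org/x/crypto v0.9.0
)

require github.com/stretchr/testify v1.8.4 // indirect
`

// parseRequire returns module path -> version for every require directive,
// handling both the single-line form and the parenthesised block form.
func parseRequire(gomod string) map[string]string {
	deps := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" etc.
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				deps[f[1]] = f[2]
			}
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				deps[f[0]] = f[1]
			}
		}
	}
	return deps
}

// splitVersion turns "vMAJOR.MINOR.PATCH[-pre][+build]" into its numeric
// parts and a flag saying whether a pre-release/pseudo-version suffix was
// present (a pre-release sorts below the matching release in semver).
func splitVersion(v string) ([3]int, bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	pre := false
	if i := strings.Index(v, "-"); i >= 0 {
		v, pre = v[:i], true
	}
	var out [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p) // non-numeric parts compare as 0
		out[i] = n
	}
	return out, pre
}

// compareSemver returns -1, 0 or 1 as a is older than, equal to, or newer than b.
func compareSemver(a, b string) int {
	pa, prea := splitVersion(a)
	pb, preb := splitVersion(b)
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	switch {
	case prea && !preb:
		return -1
	case !prea && preb:
		return 1
	}
	return 0
}

// BelowFixed reports the version gomod pins modulePath to and whether that
// version is older than fixedVersion. An empty pinned version means the module
// is not a direct requirement; check the build graph with "go mod why -m" then.
func BelowFixed(gomod, modulePath, fixedVersion string) (pinned string, vulnerable bool) {
	v, ok := parseRequire(gomod)[modulePath]
	if !ok {
		return "", false
	}
	return v, compareSemver(v, fixedVersion) < 0
}

func main() {
	// ASSUMPTION: v1.3.3 is used as the fixed version for illustration only.
	pinned, vulnerable := BelowFixed(sampleGoMod, "github.com/cloudflare/circl", "v1.3.3")
	fmt.Printf("pinned=%s below_fixed=%v\n", pinned, vulnerable)
}
```

A pin below the fixed version is necessary but not sufficient for exploitability; whether the vulnerable function is reachable from this project's quality checks is what `govulncheck` answers, and that is the input the criticality discussion above is asking for.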

EF IP team approved all versions previously marked as restricted. Update go.mod and go.sum to latest.
@carslen carslen requested a review from FaGru3n July 11, 2023 18:32
@carslen
Contributor Author

carslen commented Jul 11, 2023

Updated the DEPENDENCIES file; no more restricted entries remain. @SebastianBezold

@carslen carslen merged commit baf11ae into main Jul 20, 2023
@carslen carslen deleted the deps/CVE-2023-1732 branch July 20, 2023 08:30
3 participants