Fix terratest CVE-2021-41103, CVE-2020-27813, CVE-2020-26160 (#646)

follow-up #639, gruntwork-io/terratest#1006 CVE-2021-41103 github.com/containerd/containerd, only v1.4.11, v1.5.7 are patched CVE-2020-27813 github.com/gorilla/websocket >= 1.4.1 is patched CVE-2020-26160 github.com/dgrijalva/jwt-go, There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1 Terratest package is the top of a tree that uses many packages in different versions that are often not updated. After github issued an alert, it turns out that some packages deep inside are referencing long unsupported packages. In order to solve the problems with the alerts, I had to specify which versions of the packages to use and which ones should not be downloaded (excluded, their versions are in the go.mod files). The final solution works well if the assumption that our tests are not dependent on older versions of containerd or azure is met. I assume that in the future the problems will be solved on the terratest package side Signed-off-by: kuritka <[email protected]>
k8gb-io · Oct 6, 2021 · b1ab8fe · b1ab8fe
1 parent a1a17bc
commit b1ab8fe
Show file tree

Hide file tree

Showing 2 changed files with 696 additions and 300 deletions.
diff --git a/terratest/go.mod b/terratest/go.mod
@@ -4,12 +4,45 @@ go 1.16
 
 require (
 	github.com/AbsaOSS/gopkg v0.1.2
-	github.com/gruntwork-io/terratest v0.32.17
+	github.com/gruntwork-io/terratest v0.37.12
 	github.com/stretchr/testify v1.7.0
-	gopkg.in/yaml.v2 v2.2.8 // indirect
-	k8s.io/api v0.20.5
-	k8s.io/apimachinery v0.20.5
-	k8s.io/client-go v0.20.5 // indirect
+	gopkg.in/yaml.v2 v2.4.0
+	k8s.io/api v0.20.6
+	k8s.io/apimachinery v0.20.6
 )
 
-replace github.com/containerd/containerd v1.3.0 => github.com/containerd/containerd v1.4.11
+// CVE-2021-41103 (https://github.com/advisories/GHSA-c2h3-6mxw-7mvq)
+// CVE-2020-27813 (https://github.com/advisories/GHSA-3xh2-74w9-5vxm)
+// CVE-2020-26160 (https://github.com/advisories/GHSA-w73w-5m7g-f7qc)
+require (
+	github.com/Azure/go-autorest/autorest/adal v0.9.16 // indirect
+	github.com/containerd/containerd v1.5.7 // indirect
+	github.com/google/go-containerregistry v0.6.0 // indirect
+	github.com/spf13/cobra v1.2.1 // indirect
+	go.etcd.io/etcd v3.3.26+incompatible // indirect
+)
+
+replace (
+	github.com/Azure/go-autorest/autorest/adal => github.com/Azure/go-autorest/autorest/adal v0.9.16
+	github.com/containerd/containerd => github.com/containerd/containerd v1.5.7
+	github.com/google/go-containerregistry v0.0.0-20200110202235-f4fb41bf00a3 => github.com/google/go-containerregistry v0.6.0
+	github.com/spf13/cobra v1.0.0 => github.com/spf13/cobra v1.2.1
+	go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489 => go.etcd.io/etcd v3.3.26+incompatible
+)
+
+exclude  (
+	github.com/google/go-containerregistry v0.0.0-20200110202235-f4fb41bf00a3
+	github.com/containerd/containerd v1.5.0-beta.1
+	github.com/containerd/containerd v1.5.0-beta.3
+	github.com/containerd/containerd v1.5.0-beta.4
+	github.com/containerd/containerd v1.5.0-rc.0
+	github.com/containerd/containerd v1.5.1
+	github.com/containerd/containerd v1.5.2
+	github.com/Azure/go-autorest/autorest/adal v0.9.5
+	github.com/Azure/go-autorest/autorest/adal v0.9.2
+	github.com/Azure/go-autorest/autorest/adal v0.9.0
+	github.com/Azure/go-autorest/autorest/adal v0.8.2
+	github.com/Azure/go-autorest/autorest/adal v0.5.0
+	github.com/spf13/cobra v1.0.0
+	go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489
+)