Update transitive markdown parser dependency #12

Merged
merged 2 commits into from
Jan 3, 2024

Conversation

NuVivo314
Contributor

Hello,
We have a minor security alert on a package used by our runtime. Please find the link below:

CVE Link: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOMARKDOWNMARKDOWNPARSER-5916451

If you could provide me with more details about the security alert or ask any specific questions, I'll do my best to assist you.

Regards

@NuVivo314 NuVivo314 requested a review from a team as a code owner September 26, 2023 16:20
@jamietanna
Member

Thanks for raising this, wanted to get back to you to confirm if it's a problem or not.

Using https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck it notes that:

Scanning your code and 340 packages across 57 dependent modules for known vulnerabilities...

=== Informational ===

Found 1 vulnerability in packages that you import, but there are no call
stacks leading to the use of this vulnerability. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2023-2074
    Parser out-of-bounds read vulnerability caused by a malformed markdown input
  More info: https://pkg.go.dev/vuln/GO-2023-2074
  Module: github.com/gomarkdown/markdown
    Found in: github.com/gomarkdown/[email protected]
    Fixed in: github.com/gomarkdown/[email protected]

No vulnerabilities found.

Share feedback at https://go.dev/s/govulncheck-feedback.

So I believe it's not actually a problem - it's worth checking within your own project's usage of the API to see if this does affect you

@TimonOmsk

Hello @jamietanna !
It might not be an issue from the runtime perspective, but it's an issue if you publish your software to a marketplace (Red Hat, AWS, etc.). They perform scans and reject a release if it contains vulns with known fixes.

@jamietanna
Member

Thanks for letting me know - in these cases is it not possible to flag it as a false positive?

I can try and look into getting dependency updates in next week, but in the meantime it may be worth investigating that as an option too 🤞

@denisvmedia

in these cases is it not possible to flag it as a false positive?

It is possible. But this will require explanations for everyone who faces it first. Also, some companies are pretty strict about ignoring known vulnerabilities that have patches (regardless of whether they affect them directly or not).
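The two positions in this thread amount to two different release gates over the same govulncheck report: act only on findings with call stacks (govulncheck's own advice above) or bump anything that has a fix (what marketplace scanners enforce). The following Go program is an added example, not code from the oapi-codegen project: it parses govulncheck's plain-text report format as printed in the thread, tags each finding by the section it appears under, and applies either policy. The sample report is constructed from the finding quoted above; the pseudo-versions are placeholders because the page elides them.

```go
package main

import "fmt"
import "strings"

// Finding is one entry from govulncheck's plain-text report; Reachable is false
// for findings under "=== Informational ===" (imported but never called).
type Finding struct{ ID, Module, FixedIn string; Reachable bool }

// Constructed sample modelled on the report in this thread; the pseudo-versions
// are placeholders because the page elides them.
const sampleReport = `=== Informational ===
Vulnerability #1: GO-2023-2074
    Parser out-of-bounds read vulnerability caused by a malformed markdown input
  Module: github.com/gomarkdown/markdown
    Found in: github.com/gomarkdown/markdown@vVULNERABLE-PLACEHOLDER
    Fixed in: github.com/gomarkdown/markdown@vFIXED-PLACEHOLDER
`
// parseGovulncheck tags each finding by section: entries printed before the Informational header have call stacks.
func parseGovulncheck(report string) []Finding {
	var out []Finding
	reachable := true
	for _, raw := range strings.Split(report, "\n") {
		line := strings.TrimSpace(raw)
		last := len(out) - 1
		switch {
		case line == "=== Informational ===":
			reachable = false
		case strings.HasPrefix(line, "Vulnerability #"):
			out = append(out, Finding{ID: line[strings.LastIndex(line, " ")+1:], Reachable: reachable})
		case last >= 0 && strings.HasPrefix(line, "Module: "):
			out[last].Module = strings.TrimPrefix(line, "Module: ")
		case last >= 0 && strings.HasPrefix(line, "Fixed in: "):
			out[last].FixedIn = strings.TrimPrefix(line, "Fixed in: ")
		}
	}
	return out
}
// mustBump is the release gate: reachableOnly=true follows govulncheck's advice,
// false is the stricter marketplace-scanner policy the thread describes.
func mustBump(fs []Finding, reachableOnly bool) (bump []Finding) {
	for _, f := range fs {
		if f.FixedIn != "" && (f.Reachable || !reachableOnly) {
			bump = append(bump, f)
		}
	}
	return bump
}
func main() { fmt.Printf("strict gate: %+v\n", mustBump(parseGovulncheck(sampleReport), false)) }
```

Run against the sample, the reachable-only gate passes while the strict gate reports the gomarkdown module for a bump, which is exactly the disagreement resolved by this PR.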

@jamietanna jamietanna left a comment

Thanks for this - will get a release out today with this and a few other dependency bumps

@jamietanna jamietanna merged commit 5b79714 into oapi-codegen:main Jan 3, 2024
8 checks passed
@jamietanna jamietanna changed the title Update markdown package version. Update transitive markdown parser dependency Jan 3, 2024
@jamietanna
Member

@denisvmedia @NuVivo314 thanks for your patience, this has now been released as https://github.com/oapi-codegen/runtime/releases/tag/v1.1.1
