upgraded go-jose library version to mitigate CVE-2024-28180 #132

Merged
merged 1 commit into from
Jul 25, 2024

Contributor

@hmgowda hmgowda commented Jul 25, 2024

GitHub security scan (Dependabot) and Checkmarx have reported a CVE in this library that is introduced through gopkg.in/square/go-jose.v2 v2.5.1.

CVE information can be found here: GHSA-c5q2-7r4c-mv6g
The version of the go-jose library needs to be updated. The patch containing the fix is gopkg.in/go-jose/[email protected]

Owner

@shaj13 shaj13 left a comment

@hmgowda Could you please run the test locally and post the results here? CI/CD does not work on forked pull requests.

@hmgowda
Contributor Author

hmgowda commented Jul 25, 2024

@shaj13 here are the test results for auth/strategies/jwt

/shaj13/go-guardian/v2/auth/strategies/jwt"}
=== RUN TestSetAudience
--- PASS: TestSetAudience (0.00s)
=== RUN TestSetIssuer
--- PASS: TestSetIssuer (0.00s)

=== RUN TestSetExpDuration
--- PASS: TestSetExpDuration (0.00s)
=== RUN TestStaticSecretGet
=== RUN TestStaticSecretGet/StaticSecretGet_always_return_same_secret
--- PASS: TestStaticSecretGet/StaticSecretGet_always_return_same_secret (0.00s)
=== RUN TestStaticSecretGet/StaticSecretGet_return_error_when_kid_invalid
--- PASS: TestStaticSecretGet/StaticSecretGet_return_error_when_kid_invalid (0.00s)
--- PASS: TestStaticSecretGet (0.00s)
=== RUN TestToken
--- PASS: TestToken (0.00s)
=== RUN TestTokenAlg
--- PASS: TestTokenAlg (0.00s)
=== RUN TestTokenKID
--- PASS: TestTokenKID (0.00s)
=== RUN TestNewToken
--- PASS: TestNewToken (0.00s)
=== RUN Example
--- PASS: Example (0.00s)
=== RUN Example_scope
--- PASS: Example_scope (0.00s)

=== RUN ExampleSecretsKeeper
--- PASS: ExampleSecretsKeeper (0.15s)
PASS
ok github.com/shaj13/go-guardian/v2/auth/strategies/jwt (cached)

Process finished with the exit code 0

@shaj13 shaj13 merged commit c25c80f into shaj13:master Jul 25, 2024
@shaj13
Owner

shaj13 commented Jul 25, 2024

LGTM
