fix: upgrade indirect deps to address vulns and go version [IAC-2921] #38

Merged
merged 1 commit into main from fix/IAC-2921/upgrade_http2_to_fix_vulns
Apr 4, 2024

Conversation

andreeaneata
Contributor

@andreeaneata andreeaneata commented Apr 4, 2024

Upgrading indirect deps to address vulns:

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285
  Introduced through: github.com/snyk/cli-extension-iac-rules/iacrules@#c572cfce46ce
  From: github.com/snyk/cli-extension-iac-rules/iacrules@#c572cfce46ce > github.com/snyk/cli-extension-iac-rules/internal/test@#c572cfce46ce > github.com/snyk/policy-engine/pkg/rego/[email protected] > github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/hashicorp/[email protected] > cloud.google.com/go/[email protected] > google.golang.org/api/transport/[email protected] > golang.org/x/net/[email protected]
  From: github.com/snyk/cli-extension-iac-rules/iacrules@#c572cfce46ce > github.com/snyk/cli-extension-iac-rules/internal/test@#c572cfce46ce > github.com/snyk/policy-engine/pkg/rego/[email protected] > github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/hashicorp/[email protected] > google.golang.org/api/[email protected] > google.golang.org/[email protected] > google.golang.org/grpc/internal/[email protected] > golang.org/x/net/[email protected]
  Fixed in: 0.23.0
✗ High severity vulnerability found in google.golang.org/grpc
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328
  Introduced through: github.com/snyk/policy-engine/pkg/[email protected], github.com/snyk/policy-engine/pkg/[email protected], github.com/snyk/policy-engine/pkg/rego/[email protected], github.com/snyk/policy-engine/pkg/rego/[email protected], github.com/snyk/policy-engine/pkg/[email protected]
  From: github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/hashicorp/[email protected] > google.golang.org/api/[email protected] > google.golang.org/[email protected]
  From: github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/hashicorp/[email protected] > cloud.google.com/go/[email protected] > google.golang.org/[email protected]
  From: github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/hashicorp/[email protected] > google.golang.org/api/[email protected] > google.golang.org/[email protected]
  and 125 more...
  Fixed in: 1.56.3, 1.57.1, 1.58.3
✗ Medium severity vulnerability found in google.golang.org/protobuf/encoding/protojson
  Description: Infinite loop
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6393703
  Introduced through: github.com/snyk/policy-engine/pkg/[email protected], github.com/snyk/policy-engine/pkg/[email protected], github.com/snyk/policy-engine/pkg/rego/[email protected], github.com/snyk/policy-engine/pkg/rego/[email protected], github.com/snyk/policy-engine/pkg/[email protected]
  From: github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/hashicorp/[email protected] > cloud.google.com/go/[email protected] > google.golang.org/api/storage/[email protected] > google.golang.org/api/internal/[email protected] > github.com/googleapis/gax-go/v2/[email protected] > google.golang.org/protobuf/encoding/[email protected]
  From: github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/hashicorp/[email protected] > cloud.google.com/go/[email protected] > google.golang.org/api/storage/[email protected] > google.golang.org/api/internal/[email protected] > github.com/googleapis/gax-go/[email protected] > google.golang.org/protobuf/encoding/[email protected]
  From: github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/snyk/policy-engine/pkg/internal/terraform/[email protected] > github.com/hashicorp/[email protected] > cloud.google.com/go/[email protected] > google.golang.org/api/storage/[email protected] > google.golang.org/api/internal/[email protected] > github.com/googleapis/gax-go/v2/[email protected] > google.golang.org/protobuf/encoding/[email protected]
  and 29 more...
  Fixed in: 1.33.0

@andreeaneata andreeaneata requested a review from a team as a code owner April 4, 2024 08:31
@andreeaneata andreeaneata requested a review from robh-snyk April 4, 2024 08:31
@CLAassistant

CLAassistant commented Apr 4, 2024

CLA assistant check
All committers have signed the CLA.

@andreeaneata andreeaneata force-pushed the fix/IAC-2921/upgrade_http2_to_fix_vulns branch from d0bd61c to e8c3830 April 4, 2024 08:33
@andreeaneata andreeaneata changed the title from "fix: upgrade http2 indirect deps to address vulns [IAC-2921]" to "fix: upgrade http2 and grpc indirect deps to address vulns [IAC-2921]" Apr 4, 2024
@andreeaneata andreeaneata force-pushed the fix/IAC-2921/upgrade_http2_to_fix_vulns branch from e8c3830 to 5e69b5c April 4, 2024 08:36
@andreeaneata andreeaneata force-pushed the fix/IAC-2921/upgrade_http2_to_fix_vulns branch from 5e69b5c to 166ab7f April 4, 2024 08:39
@andreeaneata andreeaneata changed the title from "fix: upgrade http2 and grpc indirect deps to address vulns [IAC-2921]" to "fix: upgrade indirect deps to address vulns and go version [IAC-2921]" Apr 4, 2024
@andreeaneata andreeaneata merged commit 0098857 into main Apr 4, 2024
4 checks passed
@andreeaneata andreeaneata deleted the fix/IAC-2921/upgrade_http2_to_fix_vulns branch April 4, 2024 08:41