alexedwards/argon2id

golang.org/x/crypto dep should update

buffge opened this issue · 3 comments

Vulnerabilities

DepShield reports that this application's usage of golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2 results in the following vulnerability(s):

Thanks for this.

This package has golang.org/x/crypto v0.0.0-20190605123033 as a dependency, so I thought that it was a bit strange that this was being flagged.

But it looks like golang.org/x/crypto v0.0.0-20190605123033 has golang.org/x/net v0.0.0-20190404232315 as a dependency, which in turn has golang.org/x/crypto v0.0.0-20190308221718 as a dependency (see here). And that's the source of the warning.

So the fix for this is that the golang.org/x/net dep needs to be upgraded.

I'll keep this open until that happens.

But it looks like the vuln relates to the golang.org/x/crypto/salsa20 package only, which isn't used by argon2id, so this package isn't actually affected anyway.
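An added example, not code from the argon2id project, of the kind of check a maintainer can run to confirm where a flagged transitive version comes from: it parses `go mod graph` output and searches for the requirement chain from the root module to the flagged golang.org/x/crypto version. The graph text below is constructed from the versions named in this issue (the golang.org/x/text edge is filler), not captured from the real repository.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go mod graph` output; each line is "requirer requirement".
const sampleGraph = `github.com/alexedwards/argon2id golang.org/x/crypto@v0.0.0-20190605123033
golang.org/x/crypto@v0.0.0-20190605123033 golang.org/x/net@v0.0.0-20190404232315
golang.org/x/net@v0.0.0-20190404232315 golang.org/x/crypto@v0.0.0-20190308221718-c2843e01d9a2
golang.org/x/net@v0.0.0-20190404232315 golang.org/x/text@v0.3.0
`

// parseGraph turns `go mod graph` text into an adjacency list keyed by requirer.
func parseGraph(s string) map[string][]string {
	g := make(map[string][]string)
	for _, line := range strings.Split(s, "\n") {
		f := strings.Fields(line)
		if len(f) == 2 {
			g[f[0]] = append(g[f[0]], f[1])
		}
	}
	return g
}

// findPath does a breadth-first search from root and returns the shortest
// requirement chain ending at a node whose "module@version" starts with
// prefix, or nil if no requirement reaches it.
func findPath(g map[string][]string, root, prefix string) []string {
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur != root && strings.HasPrefix(cur, prefix) {
			var path []string
			for n := cur; n != ""; n = parent[n] { // walk parents back to root
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range g[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

func main() {
	g := parseGraph(sampleGraph)
	flagged := "golang.org/x/crypto@v0.0.0-20190308221718"
	fmt.Println(strings.Join(findPath(g, "github.com/alexedwards/argon2id", flagged), " -> "))
}
```

Because Go's minimal version selection builds with the highest version of each module that any requirement asks for, the older x/crypto in this chain never enters the build list; `go list -m all` shows which version is actually selected.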

I use the sonatype-depshield app, and this issue is what it prompted me with.
You can try it. Thanks

The current version of golang.org/x/crypto now uses a newer version of golang.org/x/net, and I've upgraded the go.mod accordingly so this can finally be closed 🍾