containerscrew/tftools

High CVE on golang.org/x/net

Closed this issue · 4 comments

sodul commented

Our security scans are detecting a high CVE in the tftools binary: https://nvd.nist.gov/vuln/detail/CVE-2022-41721

This is caused by an indirect dependency on golang.org/x/net v0.0.0-20221002022538-bcab6841153b.

The go mod graph command shows that the dependency comes from bluemonday through glamour:

github.com/charmbracelet/glamour@v0.6.0 github.com/microcosm-cc/bluemonday@v1.0.21
github.com/microcosm-cc/bluemonday@v1.0.21 golang.org/x/net@v0.0.0-20221002022538-bcab6841153b
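Tracing an indirect dependency the way the report above does, `go mod graph` prints one `from to` edge per line and leaves the path-finding to the reader. The following Go program is an added example, not code from tftools or from anyone in this thread: it parses a constructed `go mod graph` sample (the module path `github.com/containerscrew/tftools` and the cobra/termenv/pflag versions are assumed, only the glamour/bluemonday/x/net edges come from the report), walks the graph breadth-first from the main module to the first node whose module path matches a target, and then checks the resolved version of that target against a minimum version. The `v0.20.0` minimum is the version the reporter saw in the fixed binary, used here for illustration; the actual minimum patched version comes from the advisory.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of `go mod graph` output. Only the glamour -> bluemonday
// -> x/net edges are taken from the issue; the other modules and versions
// are made up to give the search something to skip over.
const sampleGraph = `github.com/containerscrew/tftools github.com/charmbracelet/glamour@v0.6.0
github.com/containerscrew/tftools github.com/spf13/cobra@v1.6.1
github.com/charmbracelet/glamour@v0.6.0 github.com/microcosm-cc/bluemonday@v1.0.21
github.com/charmbracelet/glamour@v0.6.0 github.com/muesli/termenv@v0.13.0
github.com/microcosm-cc/bluemonday@v1.0.21 golang.org/x/net@v0.0.0-20221002022538-bcab6841153b
github.com/spf13/cobra@v1.6.1 github.com/spf13/pflag@v1.0.5
`

// modulePath strips the "@version" suffix from a go mod graph node.
func modulePath(node string) string {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// moduleVersion returns the "@version" suffix, or "" for the main module.
func moduleVersion(node string) string {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[i+1:]
	}
	return ""
}

// parseGraph turns `go mod graph` text into an adjacency list and returns the
// root, which is the left-hand node of the first line (the main module).
func parseGraph(text string) (root string, edges map[string][]string) {
	edges = map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue
		}
		if root == "" {
			root = f[0]
		}
		edges[f[0]] = append(edges[f[0]], f[1])
	}
	return root, edges
}

// DependencyPath does a breadth-first search from the main module and returns
// the shortest chain of nodes ending at a module whose path equals target.
// It returns nil when the target is not in the graph.
func DependencyPath(graphText, target string) []string {
	root, edges := parseGraph(graphText)
	if root == "" {
		return nil
	}
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if modulePath(cur) == target {
			var path []string // walk the parent links back to the root
			for n := cur; n != ""; n = parent[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range edges[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// baseVersion reduces "v0.1.1-0.20221104162952-702349b0e862" to "0.1.1" and
// leaves a tagged release such as "v0.20.0" as "0.20.0".
func baseVersion(v string) string {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	return v
}

// VersionAtLeast reports whether have >= want by comparing MAJOR.MINOR.PATCH
// numerically. A pseudo-version is a pre-release of its base, so when the
// bases are equal and only `have` is a pseudo-version the answer is false.
func VersionAtLeast(have, want string) bool {
	h := strings.Split(baseVersion(have), ".")
	w := strings.Split(baseVersion(want), ".")
	for i := 0; i < 3; i++ {
		hi, wi := 0, 0
		if i < len(h) {
			hi, _ = strconv.Atoi(h[i])
		}
		if i < len(w) {
			wi, _ = strconv.Atoi(w[i])
		}
		if hi != wi {
			return hi > wi
		}
	}
	return !(strings.Contains(have, "-") && !strings.Contains(want, "-"))
}

func main() {
	const target = "golang.org/x/net"
	const wantFixed = "v0.20.0" // assumed minimum for this illustration
	path := DependencyPath(sampleGraph, target)
	if path == nil {
		fmt.Println(target, "is not in the module graph")
		return
	}
	fmt.Println(strings.Join(path, "\n  -> "))
	have := moduleVersion(path[len(path)-1])
	fmt.Printf("resolved %s %s, at least %s: %v\n", target, have, wantFixed, VersionAtLeast(have, wantFixed))
}
```

Run it against a real project with `go mod graph > graph.txt` and feed the file contents instead of `sampleGraph`; the path it prints is the chain to bump (here, glamour pulls in bluemonday, which pins the vulnerable x/net), and a `false` from the version check means the resolved version is still below the one you require.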

Hey @sodul, thanks for reporting this vulnerability. Running gosec locally:

https://securego.io/docs/rules/g107.html

Just as you say, you are right. I will make the corresponding fix and in any case when it is correct I will upload a new tag.

I'm also going to review the pipeline to be able to implement gosec (or another tool). Let it be executed periodically.

Thank you!

Sorry I had misunderstood the error, ignore the message from before. I just checked the error in the go.mod.


I will update the dependency and upload a new tag!

sodul commented

Thanks, that seems to solve the issue:

> go install github.com/containerscrew/tftools@v0.6.2
> go version -m ~/go/bin/tftools | grep x/net
	dep	golang.org/x/net	v0.20.0	h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=