go modules dependencies: gopkg.in/square/go-jose.v2 vulnerabilities in api/go.mod #2953

Open
ssignik opened this issue Jun 28, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@ssignik

ssignik commented Jun 28, 2024

Issue description

When running a trivy scan on apisix-dashboard v3.0.1 it reported several CVEs on the dependencies.
When I try to fix these CVEs, they are all resolved except gopkg.in/square/go-jose.v2 (https://github.com/square/go-jose/tree/v2.6.0), which it seems cannot be upgraded. Is it possible to replace gopkg.in/square/go-jose.v2 with another module, or is there another way to resolve it?

api/go.mod (gomod)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │  Status  │ Installed Version │ Fixed Version │                        Title                         │
├────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ gopkg.in/square/go-jose.v2 │ CVE-2024-28180 │ MEDIUM   │ affected │ 2.6.0             │               │ jose-go: improper handling of highly compressed data │
│                            │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-28180           │
└────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────┘

Expected behavior

Fix this CVE in gopkg.in/square/go-jose.v2 v2.6.0.

How to Reproduce

  1. git clone -b v3.0.1 https://github.com/apache/apisix-dashboard.git
  2. cd apisix-dashboard
  3. trivy fs .

Screenshots

No response

Environment

  • apisix version (cmd: apisix version):
  • OS (cmd: uname -a):
  • OpenResty / Nginx version (cmd: nginx -V or openresty -V):
  • etcd version, if have (cmd: run etcd --version):
  • apisix-dashboard version, if have: 3.0.1
  • Browser version, if have:

Additional context

No response

@ssignik ssignik added the bug Something isn't working label Jun 28, 2024
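The finding in the Trivy table above, CVE-2024-28180, concerns how go-jose inflates a JWE whose header carries "zip":"DEF": a few kilobytes of DEFLATE data can expand to many megabytes, and reading until EOF lets an attacker dictate the receiver's memory use. The Go program below is an added illustration of that failure mode and of the bounded-read shape of the mitigation; it is not code from apisix-dashboard or from go-jose, uses only the standard library's compress/flate, and the 256 KiB cap and 10:1 ratio it applies are assumed values chosen for the example, not go-jose's own constants. For the dashboard itself the practical route is to move off the archived gopkg.in/square/go-jose.v2 import path to the maintained github.com/go-jose/go-jose module and pick a release that Trivy no longer flags.

```go
// Decompression-bomb check for DEFLATE ("zip":"DEF") payloads.
// Added illustration, not code from apisix-dashboard or go-jose.
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressionBomb is returned when inflating would exceed the bound.
var ErrDecompressionBomb = errors.New("decompressed payload exceeds allowed size")

// Assumed limits for this example (not go-jose's constants): accept at most
// the larger of an absolute cap and a fixed multiple of the compressed size.
const (
	absLimit int64 = 256 << 10 // 256 KiB
	maxRatio int64 = 10
)

// outputBound returns how many inflated bytes we are willing to produce for a
// payload of the given compressed length.
func outputBound(compressedLen int) int64 {
	byRatio := int64(compressedLen) * maxRatio
	if byRatio > absLimit {
		return byRatio
	}
	return absLimit
}

// deflate compresses data with raw DEFLATE (RFC 1951), the only compression
// algorithm JWE defines.
func deflate(data []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(data); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// inflateUnbounded mirrors the vulnerable pattern: it reads until EOF, so the
// sender controls how much memory the receiver allocates.
func inflateUnbounded(compressed []byte) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	return io.ReadAll(r)
}

// inflateBounded stops at the bound. It reads one byte past the limit: if
// that byte exists the payload is oversized, and the check costs at most
// limit+1 bytes of memory rather than the full expansion.
func inflateBounded(compressed []byte) ([]byte, error) {
	limit := outputBound(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, ErrDecompressionBomb
	}
	return out, nil
}

func main() {
	// Constructed bomb: 16 MiB of zeros compresses to a few kilobytes.
	bomb, _ := deflate(bytes.Repeat([]byte{0}, 16<<20))
	fmt.Printf("bomb: %d compressed bytes\n", len(bomb))

	full, _ := inflateUnbounded(bomb)
	fmt.Printf("unbounded inflate allocated %d bytes\n", len(full))

	if _, err := inflateBounded(bomb); err != nil {
		fmt.Println("bounded inflate:", err)
	}

	// A realistic small claims payload still round-trips under the bound.
	claims := []byte(`{"iss":"apisix-dashboard","sub":"admin"}`)
	small, _ := deflate(claims)
	out, err := inflateBounded(small)
	fmt.Printf("small payload: %q (err=%v)\n", out, err)
}
```

Any JWE library that honours "zip":"DEF" needs the second shape of read, and a consumer that cannot upgrade the library can at least cap the size of the serialized JWE it accepts before handing it over, since the compressed input is what the attacker controls.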