Golang: what to do with google.golang.org/api obsolete dependencies on golang.org/x/net

Question

Recently github.com Dependabot complained about some dependencies in my project which are vulnerable to DOS, have a "Broken or Risky Cryptographic Algorithm", and have a bug with "Uncontrolled Resource Consumption".

Specifically, it is warning me about CVE-2022-27664 for golang.org/x/net module, CVE-2022-27191 and CVE-2022-32149 for others.

What I did was run "go get -u" on all the modules used there. Obviously, it didn't solve the problem. Then I started to look for module dependencies with "go graph". It took a while, and here is the dependency sequence I've found:

google.golang.org/api@v0.114.0 =>
go.opencensus.io@v0.24.0 =>
google.golang.org/grpc@v1.33.2 =>
github.com/envoyproxy/go-control-plane@v0.9.4 =>
google.golang.org/genproto@v0.0.0-20190819201941-24fa4b261c55 =>
golang.org/x/tools@v0.0.0-20190226205152-f727befe758c =>
google.golang.org/appengine@v1.4.0 =>
golang.org/x/net@v0.0.0-20180724234803-3673e40ba225

Which means that the most modern and updated google.golang.org/api package from Mar 17, 2023 causes a dependency on the golang.org/x/net from 2018.

I see a lot of dependencies on the old net module from other google packages:

cloud.google.com/go/compute@v1.19.0 golang.org/x/net@v0.8.0
github.com/googleapis/gax-go/v2@v2.8.0 golang.org/x/net@v0.7.0
go.opencensus.io@v0.24.0 golang.org/x/net@v0.0.0-20201110031124-69a78807bb2b
golang.org/x/crypto@v0.7.0 golang.org/x/net@v0.8.0
golang.org/x/oauth2@v0.6.0 golang.org/x/net@v0.8.0
google.golang.org/api@v0.114.0 golang.org/x/net@v0.8.0
google.golang.org/appengine@v1.6.7 golang.org/x/net@v0.0.0-20190603091049-60506f45cf65
google.golang.org/genproto@v0.0.0-20230323212658-478b75c54725 golang.org/x/net@v0.8.0
google.golang.org/grpc@v1.54.0 golang.org/x/net@v0.8.0
golang.org/x/crypto@v0.6.0 golang.org/x/net@v0.6.0
google.golang.org/grpc@v1.33.2 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
golang.org/x/tools@v0.1.12 golang.org/x/net@v0.0.0-20220722155237-a158d28d115b
golang.org/x/crypto@v0.0.0-20200622213623-75b288015ac9 golang.org/x/net@v0.0.0-20190404232315-eb5bcb51f2a3
golang.org/x/crypto@v0.0.0-20210921155107-089bfa567519 golang.org/x/net@v0.0.0-20210226172049-e18ecbb05110
golang.org/x/tools@v0.0.0-20191119224855-298f0cb1881e golang.org/x/net@v0.0.0-20190620200207-3b0461eec859
google.golang.org/grpc@v1.25.1 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
golang.org/x/tools@v0.0.0-20190524140312-2c0ae7006135 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
google.golang.org/grpc@v1.27.0 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
golang.org/x/tools@v0.0.0-20190226205152-f727befe758c golang.org/x/net@v0.0.0-20190213061140-3a22650c66bd
google.golang.org/grpc@v1.19.0 golang.org/x/net@v0.0.0-20180826012351-8a410e7b638d
golang.org/x/tools@v0.0.0-20190311212946-11955173bddd golang.org/x/net@v0.0.0-20190311183353-d8887717615a
google.golang.org/grpc@v1.23.0 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
google.golang.org/appengine@v1.4.0 golang.org/x/net@v0.0.0-20180724234803-3673e40ba225

I've checked the github.com/googleapis/google-api-go-client repository and found this issue: https://github.com/googleapis/google-api-go-client/issues/1048
It describes the same problem, but later user hashier says that since the go list -m all command shows the latest version it's not an issue.

So, the main question is: Is that an issue or not and why?

I just don't know what should be fixed here, the GitHub Dependabot checks or the google-api-go-client module dependencies.

Answer 1

Score: 0


Time to answer this.

As I found out experimenting with go mod graph checking all the packages in my project one by one in a separate draft repository, these vulnerable dependencies were coming from another repository: github.com/go-gorm/postgres.

So, I was mistaken in determining where the vulnerable dependencies come from. Obviously it was due to the enormous dependency graph:

[0] $ go mod graph | wc
    667    1334   56113

If someone is looking for a way to visualize project dependencies, here it is:

go mod graph | modgv | dot -Tsvg -o graph.svg

Turning back to the initial problem. It was caused by the old version of Go used in github.com/go-gorm/postgres. As I understood, the only way to fix it is to upgrade the Go version to 1.18. If the version is lower, go mod graph shows a lot of vulnerable packages.
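The question traces the chain to the 2018 golang.org/x/net node by reading `go mod graph` output by hand, and the answer ends up rendering a 667-edge graph with modgv to find where vulnerable nodes come from. The Go program below is an added example (not code from the question, the answer, or any Google project) that does both checks programmatically. It runs on a constructed excerpt of `go mod graph` output assembled from the chain and table rows quoted in the question, with a made-up root module `example.com/myproject`; all function names are the example's own. It finds a requirement path to the old pseudo-version, and it reproduces the minimal version selection rule behind `go list -m all`: for each module path only the highest required version is built, which is why the 2018 node is present in the graph while `v0.8.0` is what gets compiled.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// graphOutput is a constructed excerpt in the format `go mod graph` prints: one
// "requirer requirement" edge per line, the main module without a version. The edges
// are the chain and a few table rows from the question; the root name is made up.
const graphOutput = `example.com/myproject google.golang.org/api@v0.114.0
example.com/myproject golang.org/x/net@v0.8.0
google.golang.org/api@v0.114.0 go.opencensus.io@v0.24.0
google.golang.org/api@v0.114.0 golang.org/x/net@v0.8.0
go.opencensus.io@v0.24.0 google.golang.org/grpc@v1.33.2
go.opencensus.io@v0.24.0 golang.org/x/net@v0.0.0-20201110031124-69a78807bb2b
google.golang.org/grpc@v1.33.2 github.com/envoyproxy/go-control-plane@v0.9.4
google.golang.org/grpc@v1.33.2 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
github.com/envoyproxy/go-control-plane@v0.9.4 google.golang.org/genproto@v0.0.0-20190819201941-24fa4b261c55
google.golang.org/genproto@v0.0.0-20190819201941-24fa4b261c55 golang.org/x/tools@v0.0.0-20190226205152-f727befe758c
golang.org/x/tools@v0.0.0-20190226205152-f727befe758c google.golang.org/appengine@v1.4.0
google.golang.org/appengine@v1.4.0 golang.org/x/net@v0.0.0-20180724234803-3673e40ba225
`

// Edge is one "A requires B" line of go mod graph output.
type Edge struct{ From, To string }

// ParseGraph turns raw go mod graph output into edges, skipping malformed lines.
func ParseGraph(out string) []Edge {
	var edges []Edge
	for _, line := range strings.Split(out, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges = append(edges, Edge{From: f[0], To: f[1]})
		}
	}
	return edges
}

// splitNode splits "path@version" into path and version (the main module has none).
func splitNode(n string) (string, string) {
	if i := strings.LastIndex(n, "@"); i >= 0 {
		return n[:i], n[i+1:]
	}
	return n, ""
}

// splitVersion returns major.minor.patch and the pre-release suffix, dropping any
// "+incompatible" metadata. A pseudo-version such as v0.0.0-20180724234803-3673e40ba225
// parses as 0.0.0 with pre-release "20180724234803-3673e40ba225".
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	pre := ""
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v, pre = v[:i], v[i+1:]
	}
	var nums [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		nums[i], _ = strconv.Atoi(p)
	}
	return nums, pre
}

// compareVersions orders versions as module selection does: numbers first, then a
// pre-release (pseudo-versions included) sorts below the release with the same numbers.
// Pre-release strings are compared lexically, which is exact for pseudo-version
// timestamps and an approximation for other pre-release tags. Returns -1, 0 or 1.
func compareVersions(a, b string) int {
	an, apre := splitVersion(a)
	bn, bpre := splitVersion(b)
	for i := range an {
		if an[i] != bn[i] {
			if an[i] < bn[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case apre == bpre:
		return 0
	case apre == "":
		return 1
	case bpre == "":
		return -1
	case apre < bpre:
		return -1
	}
	return 1
}

// BuildList applies the minimal version selection rule to the edges given: for every
// module path the highest version required anywhere in the graph is the one built.
// `go list -m all` remains the authoritative build list for a real project.
func BuildList(edges []Edge) map[string]string {
	sel := map[string]string{}
	for _, e := range edges {
		path, ver := splitNode(e.To)
		if cur, ok := sel[path]; !ok || compareVersions(ver, cur) > 0 {
			sel[path] = ver
		}
	}
	return sel
}

// InBuild reports whether the exact node path@version is the selected version of that module.
func InBuild(edges []Edge, node string) bool {
	path, ver := splitNode(node)
	return BuildList(edges)[path] == ver
}

// RequirementPath finds one shortest chain of "requires" edges from root to the exact
// node target, or nil when it is unreachable: "why is this version in my graph at all".
func RequirementPath(edges []Edge, root, target string) []string {
	adj := map[string][]string{}
	for _, e := range edges {
		adj[e.From] = append(adj[e.From], e.To)
	}
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		n := queue[0]
		queue = queue[1:]
		if n == target {
			var path []string
			for cur := n; cur != ""; cur = parent[cur] {
				path = append([]string{cur}, path...)
			}
			return path
		}
		for _, next := range adj[n] {
			if _, seen := parent[next]; !seen {
				parent[next] = n
				queue = append(queue, next)
			}
		}
	}
	return nil
}

func main() {
	edges := ParseGraph(graphOutput)
	old := "golang.org/x/net@v0.0.0-20180724234803-3673e40ba225"
	fmt.Println(strings.Join(RequirementPath(edges, "example.com/myproject", old), " =>\n"))
	fmt.Println("selected golang.org/x/net:", BuildList(edges)["golang.org/x/net"])
	fmt.Println("old version actually built:", InBuild(edges, old))
}
```

Run it with `go run .`; on a real project feed `go mod graph` output into `ParseGraph` instead of the constant. The distinction the example makes is the one that decides the question: a scanner that reads the requirement graph will report every old node it finds, while the binary only contains the selected versions, which is what `go list -m all` prints and what `govulncheck` (golang.org/x/vuln) checks against the vulnerability database. Module graph pruning, which the go command applies when go.mod declares go 1.17 or later, is also the mechanism behind the answer's observation that a newer Go version makes `go mod graph` print far fewer old nodes.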

huangapple
  • Posted on March 26, 2023 at 22:31:19
  • Please keep the link to this article when reposting: https://go.coder-hub.com/75848317.html