Golang:如何处理 golang.org/x/net 上已过时的 google.golang.org/api 依赖项

huangapple go评论89阅读模式
英文:

Golang: what to do with google.golang.org/api obsolete dependencies on golang.org/x/net

问题

最近,github.com的Dependabot在我的项目中发现了一些存在漏洞的依赖项,这些漏洞可能导致DOS攻击,存在“破损或有风险的加密算法”,以及存在“无法控制的资源消耗”的错误。

具体来说,它警告我关于golang.org/x/net模块的CVE-2022-27664,以及其他一些模块的CVE-2022-27191和CVE-2022-32149。

我尝试运行了"go get -u"命令来更新所有使用的模块,但显然这并没有解决问题。然后我开始使用"go graph"查找模块依赖关系。这花了一些时间,下面是我找到的依赖序列:

google.golang.org/api@v0.114.0 =>
go.opencensus.io@v0.24.0 =>
google.golang.org/grpc@v1.33.2 =>
github.com/envoyproxy/go-control-plane@v0.9.4 =>
google.golang.org/genproto@v0.0.0-20190819201941-24fa4b261c55 =>
golang.org/x/tools@v0.0.0-20190226205152-f727befe758c =>
google.golang.org/appengine@v1.4.0 =>
golang.org/x/net@v0.0.0-20180724234803-3673e40ba225

这意味着最新和更新的google.golang.org/api包(来自2023年3月17日)依赖于2018年的golang.org/x/net

我看到其他谷歌包中对旧net模块的许多依赖关系:

cloud.google.com/go/compute@v1.19.0 golang.org/x/net@v0.8.0
github.com/googleapis/gax-go/v2@v2.8.0 golang.org/x/net@v0.7.0
go.opencensus.io@v0.24.0 golang.org/x/net@v0.0.0-20201110031124-69a78807bb2b
golang.org/x/crypto@v0.7.0 golang.org/x/net@v0.8.0
golang.org/x/oauth2@v0.6.0 golang.org/x/net@v0.8.0
google.golang.org/api@v0.114.0 golang.org/x/net@v0.8.0
google.golang.org/appengine@v1.6.7 golang.org/x/net@v0.0.0-20190603091049-60506f45cf65
google.golang.org/genproto@v0.0.0-20230323212658-478b75c54725 golang.org/x/net@v0.8.0
google.golang.org/grpc@v1.54.0 golang.org/x/net@v0.8.0
golang.org/x/crypto@v0.6.0 golang.org/x/net@v0.6.0
google.golang.org/grpc@v1.33.2 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
golang.org/x/tools@v0.1.12 golang.org/x/net@v0.0.0-20220722155237-a158d28d115b
golang.org/x/crypto@v0.0.0-20200622213623-75b288015ac9 golang.org/x/net@v0.0.0-20190404232315-eb5bcb51f2a3
golang.org/x/crypto@v0.0.0-20210921155107-089bfa567519 golang.org/x/net@v0.0.0-20210226172049-e18ecbb05110
golang.org/x/tools@v0.0.0-20191119224855-298f0cb1881e golang.org/x/net@v0.0.0-20190620200207-3b0461eec859
google.golang.org/grpc@v1.25.1 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
golang.org/x/tools@v0.0.0-20190524140312-2c0ae7006135 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
google.golang.org/grpc@v1.27.0 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
golang.org/x/tools@v0.0.0-20190226205152-f727befe758c golang.org/x/net@v0.0.0-20190213061140-3a22650c66bd
google.golang.org/grpc@v1.19.0 golang.org/x/net@v0.0.0-20180826012351-8a410e7b638d
golang.org/x/tools@v0.0.0-20190311212946-11955173bddd golang.org/x/net@v0.0.0-20190311183353-d8887717615a
google.golang.org/grpc@v1.23.0 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
google.golang.org/appengine@v1.4.0 golang.org/x/net@v0.0.0-20180724234803-3673e40ba225

我检查了github.com/googleapis/google-api-go-client存储库,并找到了这个问题https://github.com/googleapis/google-api-go-client/issues/1048
它提到了相同的问题,但后来用户hashier表示,由于go list -m all命令显示的是最新版本,所以这不是一个问题。

所以,主要问题是:这是一个问题还是不是,为什么?

我不知道应该在这里修复什么,是github Dependabot的检查还是google-api-go-client模块的依赖关系。

英文:

Recently github.com Dependabot complained on some dependencies in my project which are vulnerable to DOS, have a "Broken or Risky Cryptographic Algorithm", and have a bug with "Uncontrolled Resource Consumption".

Specifically, it is warning me about CVE-2022-27664 for golang.org/x/net module, CVE-2022-27191 and CVE-2022-32149 for others.

What I did is to run "go get -u" on all the modules used there. Obviously, it didn't solve the problem. Then I started to look for module depndencies with "go graph". It took a while, and here is the dependency sequence I've found:

google.golang.org/api@v0.114.0 =>
go.opencensus.io@v0.24.0 =>
google.golang.org/grpc@v1.33.2 =>
github.com/envoyproxy/go-control-plane@v0.9.4 =>
google.golang.org/genproto@v0.0.0-20190819201941-24fa4b261c55 =>
golang.org/x/tools@v0.0.0-20190226205152-f727befe758c =>
google.golang.org/appengine@v1.4.0 =>
golang.org/x/net@v0.0.0-20180724234803-3673e40ba225

Which means that the most modern and updated google.golang.org/api package from Mar 17, 2023 cause dependency on the golang.org/x/net from 2018.

I see a lot of dependencies on the old net module from other google packages:

cloud.google.com/go/compute@v1.19.0 golang.org/x/net@v0.8.0
github.com/googleapis/gax-go/v2@v2.8.0 golang.org/x/net@v0.7.0
go.opencensus.io@v0.24.0 golang.org/x/net@v0.0.0-20201110031124-69a78807bb2b
golang.org/x/crypto@v0.7.0 golang.org/x/net@v0.8.0
golang.org/x/oauth2@v0.6.0 golang.org/x/net@v0.8.0
google.golang.org/api@v0.114.0 golang.org/x/net@v0.8.0
google.golang.org/appengine@v1.6.7 golang.org/x/net@v0.0.0-20190603091049-60506f45cf65
google.golang.org/genproto@v0.0.0-20230323212658-478b75c54725 golang.org/x/net@v0.8.0
google.golang.org/grpc@v1.54.0 golang.org/x/net@v0.8.0
golang.org/x/crypto@v0.6.0 golang.org/x/net@v0.6.0
google.golang.org/grpc@v1.33.2 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
golang.org/x/tools@v0.1.12 golang.org/x/net@v0.0.0-20220722155237-a158d28d115b
golang.org/x/crypto@v0.0.0-20200622213623-75b288015ac9 golang.org/x/net@v0.0.0-20190404232315-eb5bcb51f2a3
golang.org/x/crypto@v0.0.0-20210921155107-089bfa567519 golang.org/x/net@v0.0.0-20210226172049-e18ecbb05110
golang.org/x/tools@v0.0.0-20191119224855-298f0cb1881e golang.org/x/net@v0.0.0-20190620200207-3b0461eec859
google.golang.org/grpc@v1.25.1 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
golang.org/x/tools@v0.0.0-20190524140312-2c0ae7006135 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
google.golang.org/grpc@v1.27.0 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
golang.org/x/tools@v0.0.0-20190226205152-f727befe758c golang.org/x/net@v0.0.0-20190213061140-3a22650c66bd
google.golang.org/grpc@v1.19.0 golang.org/x/net@v0.0.0-20180826012351-8a410e7b638d
golang.org/x/tools@v0.0.0-20190311212946-11955173bddd golang.org/x/net@v0.0.0-20190311183353-d8887717615a
google.golang.org/grpc@v1.23.0 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
google.golang.org/appengine@v1.4.0 golang.org/x/net@v0.0.0-20180724234803-3673e40ba225

I've checked github.com/googleapis/google-api-go-client repository and found this issue https://github.com/googleapis/google-api-go-client/issues/1048
I says about the same problem, but later user hashier says that since go list -m all command shows the latest version it's not an issue.

So, the main question is: Is that an issue or not and why?

I just don't know what should be fixed here, github Dependabot checks or google-api-go-client module dependecies.

答案1

得分: 0

回答如下:

时间来回答这个问题。

在我通过在一个单独的草稿存储库中逐个检查项目中的所有包时,我发现这些有漏洞的依赖关系来自另一个存储库:github.com/go-gorm/postgres

所以,我错误地确定了有漏洞的依赖关系的来源。显然,这是由于庞大的依赖关系图:

[0] $ go mod graph | wc
    667    1334   56113

如果有人正在寻找一种可视化项目依赖关系的方法,这里有一个:

go mod graph | modgv | dot -Tsvg -o graph.svg

回到最初的问题。它是由于在github.com/go-gorm/postgres中使用的旧版本的Go引起的。据我了解,唯一的解决方法是将Go版本升级到1.18。如果版本较低,go mod graph会显示很多有漏洞的包。

英文:

Time to answer this.

As I found out experimenting with go mod graph checking all the packages in my project one by one in a separate draft repository, these vulnerable dependencies were coming from another repository: github.com/go-gorm/postgres.

So, I mistaken determining were vulnerable dependencies come from. Obviously it was due to enormous dependencies graph:

[0] $ go mod graph | wc
    667    1334   56113

If someone is looking for a way to visualize project dependencies, here it is:

go mod graph | modgv | dot -Tsvg -o graph.svg

Turning back to the initial problem. It was caused by the old version of Go used in github.com/go-gorm/postgres. As I understood, the only way to fix it is to upgrade Go version to 1.18. If the version is lower, go mod graph shows a lot of vulnerable packages.

huangapple
  • 本文由 发表于 2023年3月26日 22:31:19
  • 转载请务必保留本文链接:https://go.coder-hub.com/75848317.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定