CVE-2021-3121 - gogo/protobuf #6429
Comments
Remove CVE-2021-3121 affected github.com/gogo/protobuf version from go.sum Signed-off-by: Xun Jiang <[email protected]>
This seems to be a false positive. As of Go 1.17, all direct and indirect dependencies are included in go.mod. go.sum lists every dependency of every package prior to package version resolution, so multiple versions can be listed. Only one version of a package will be built, though, and that version should be specified in go.mod:
Also,
I also confirmed this by running
Note that Dependabot has stopped using go.sum for vulnerability scanning as well: https://github.blog/changelog/2023-03-07-dependency-graph-removes-go-sum-support/
Also, if you check PR/issue history, we fixed this CVE a while back, which is why the currently-included package for the build is the fixed version. I'd rather avoid
Thank you for explaining this in detail! We will check with our scanning tools.
Close for now.
What steps did you take and what happened:
Our component governance tool is flagging gogo/protobuf (1.1.1, 1.2.1, 1.3.1) due to CVE-2021-3121.
CVE Description: An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
Currently in go.sum it is present at the following place: https://github.com/vmware-tanzu/velero/blob/de83980a05059f0e41ed00f1cf0ef061a9ebc049/go.sum#L297C1-L299C87
We fixed it for some of our repos by adding the following redirect in go.mod
replace github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2
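The maintainer's point above (go.sum records every version seen during resolution, while go.mod, including any replace directive, decides the single version that is built) is what a scanner has to model to avoid this false positive. The following triage script is an added example, not code from the Velero project or this thread; the go.mod and go.sum contents, the module path used for the example and the placeholder hashes are constructed for illustration.

```python
import re

# Constructed go.mod for illustration (not Velero's): the require entry still
# names v1.3.1, but a replace directive pins the build to the fixed v1.3.2.
GO_MOD = """\
module example.com/app
go 1.17
require github.com/gogo/protobuf v1.3.1 // indirect
replace github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2
"""
# Constructed go.sum: it retains hashes for every version seen during
# resolution, not just the selected one, which is what the scanner flagged.
GO_SUM = """\
github.com/gogo/protobuf v1.1.1/go.mod h1:PLACEHOLDERHASH=
github.com/gogo/protobuf v1.2.1/go.mod h1:PLACEHOLDERHASH=
github.com/gogo/protobuf v1.3.1 h1:PLACEHOLDERHASH=
github.com/gogo/protobuf v1.3.1/go.mod h1:PLACEHOLDERHASH=
github.com/gogo/protobuf v1.3.2 h1:PLACEHOLDERHASH=
"""
MODULE = "github.com/gogo/protobuf"
FIXED_IN = "v1.3.2"  # CVE-2021-3121 is fixed in gogo/protobuf 1.3.2

def parse_version(v):
    """'v1.3.1' -> (1, 3, 1) for numeric comparison; pre-release tags dropped."""
    return tuple(int(x) for x in v.lstrip("v").split("-")[0].split("."))

def sum_versions(go_sum, module=MODULE):
    """Every version of `module` recorded in go.sum (with or without /go.mod)."""
    pat = re.compile(rf"^{re.escape(module)} (v[^\s/]+)(?:/go\.mod)? h1:", re.M)
    return sorted(set(pat.findall(go_sum)), key=parse_version)

def selected_version(go_mod, module=MODULE):
    """Version the build actually uses: the require entry (single-line or inside
    a require block), overridden by a replace directive when one is present."""
    req = re.search(rf"^\s*(?:require )?{re.escape(module)} (v\S+)", go_mod, re.M)
    rep = re.search(rf"^replace {re.escape(module)} => \S+ (v\S+)", go_mod, re.M)
    hit = rep or req
    return hit.group(1) if hit else None

def vulnerable_build(go_mod, module=MODULE, fixed_in=FIXED_IN):
    """Flag only when the selected version is older than the fixed release."""
    sel = selected_version(go_mod, module)
    return sel is not None and parse_version(sel) < parse_version(fixed_in)

if __name__ == "__main__":
    print("go.sum lists:", sum_versions(GO_SUM))          # four versions
    print("build selects:", selected_version(GO_MOD))     # v1.3.2
    print("vulnerable build:", vulnerable_build(GO_MOD))  # False
```

Dropping the replace line from the constructed go.mod makes `selected_version` fall back to the v1.3.1 require entry and `vulnerable_build` report True, which is the case a scanner should actually flag.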