[main] Fix #6429 #6453
Conversation
Remove CVE-2021-3121 affected github.com/gogo/protobuf version from go.sum

Signed-off-by: Xun Jiang <[email protected]>
Codecov Report
@@ Coverage Diff @@
## main #6453 +/- ##
==========================================
+ Coverage 59.14% 59.15% +0.01%
==========================================
Files 229 229
Lines 24184 24193 +9
==========================================
+ Hits 14303 14311 +8
- Misses 8880 8882 +2
+ Partials 1001 1000 -1

Thank you for the fix!

LGTM
This seems to be a false positive. As of go 1.17, all direct and indirect dependencies are included in go.mod. go.sum lists every dependency of every package prior to package version resolution, so multiple versions can be listed. Only one version of a package will be built, though, and that version should be specified in go.mod:
Also,
I also confirmed this by running
Note that Dependabot has stopped using go.sum for vulnerability scanning as well: https://github.blog/changelog/2023-03-07-dependency-graph-removes-go-sum-support/

Also, if you check PR/issue history, we fixed this CVE a while back, which is why the currently-included package for the build is the fixed version. I'd rather avoid replace directives when they're unnecessary as then later if a package requires a newer version of this package, the replace becomes a forced downgrade, which could introduce unexpected behavior or bugs.
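The two points made in the review comments above, that a version recorded in go.sum is not necessarily the version that is built, and that a replace directive pins a version regardless of what require says, as an added example that is not part of this PR or of Velero's code. The go.mod and go.sum contents are constructed for illustration: the module path example.com/app, the checksum placeholders, the v1.3.x version numbers and the replace directive pinning v1.3.1 are all assumptions chosen to show the behaviour, not a record of the real repository. On a real checkout the equivalent check is `go list -m all` or `go mod why -m <module>`; the parser here only covers the require and replace forms shown in the comments.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample go.mod. With go >= 1.17 every module in the build graph is listed here.
const sampleGoMod = `module example.com/app
go 1.20
require github.com/gogo/protobuf v1.3.2
`

// Same go.mod plus a hypothetical replace pinning an older version (a forced downgrade).
const sampleGoModPinned = sampleGoMod + `
replace github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.1
`

// Constructed sample go.sum (hashes are placeholders); go.sum records every version seen.
const sampleGoSum = `github.com/gogo/protobuf v1.3.1 h1:placeholder
github.com/gogo/protobuf v1.3.1/go.mod h1:placeholder
github.com/gogo/protobuf v1.3.2 h1:placeholder
github.com/gogo/protobuf v1.3.2/go.mod h1:placeholder
`

// sumVersions lists every version of module in go.sum, folding "vX/go.mod" lines into "vX".
func sumVersions(goSum, module string) []string {
	var out []string
	seen := map[string]bool{}
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || f[0] != module {
			continue
		}
		if v := strings.TrimSuffix(f[1], "/go.mod"); !seen[v] {
			seen[v], out = true, append(out, v)
		}
	}
	sort.Strings(out)
	return out
}

// selectedVersion returns the version a build uses: the require entry, overridden by a replace.
func selectedVersion(goMod, module string) (string, bool) {
	var required, replaced, replaceOnly, block string
	for _, line := range strings.Split(goMod, "\n") {
		line = strings.TrimSpace(line)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // drop "// indirect" and other comments
		}
		if line == ")" || strings.HasSuffix(line, "(") { // enter or leave "require (" / "replace ("
			block = strings.TrimSpace(strings.TrimSuffix(strings.TrimSuffix(line, "("), ")"))
			continue
		}
		f := strings.Fields(line)
		kind := block
		if kind == "" && len(f) > 0 {
			kind, f = f[0], f[1:] // single-line form: "require m v1"
		}
		if len(f) < 2 || f[0] != module {
			continue
		}
		switch kind {
		case "require":
			required = f[1]
		case "replace": // "old [vA] => new vB" or "old [vA] => ./dir"
			arrow := 1
			if f[1] != "=>" {
				replaceOnly, arrow = f[1], 2 // a versioned replace applies only to vA
			}
			if len(f) > arrow+1 && f[arrow] == "=>" {
				replaced = f[len(f)-1] // the version, or the path of a directory replace
			}
		}
	}
	if required == "" {
		return "", false
	}
	if replaced != "" && (replaceOnly == "" || replaceOnly == required) {
		return replaced, true // a replace wins even when it is a downgrade
	}
	return required, true
}

// audit separates "flagged version is recorded in go.sum" from "flagged version is built".
func audit(goMod, goSum, module, flagged string) (listed bool, selected string, built bool) {
	for _, v := range sumVersions(goSum, module) {
		listed = listed || v == flagged
	}
	selected, _ = selectedVersion(goMod, module)
	return listed, selected, selected == flagged
}

func main() {
	for _, gm := range []string{sampleGoMod, sampleGoModPinned} {
		listed, sel, built := audit(gm, sampleGoSum, "github.com/gogo/protobuf", "v1.3.1")
		fmt.Printf("v1.3.1 in go.sum=%v selected=%s built=%v\n", listed, sel, built)
	}
}
```

With the plain go.mod the flagged v1.3.1 is listed in go.sum but v1.3.2 is what gets built, which is the false positive a go.sum-only scanner reports; with the pinned go.mod the replace makes v1.3.1 the built version even though require asks for v1.3.2, which is the downgrade risk the reviewer describes.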
I'd recommend that we close this PR as unnecessary, but holding off on that until the reported issue is closed.
Remove CVE-2021-3121 affected github.com/gogo/protobuf version from go.sum
Thank you for contributing to Velero!
Please add a summary of your change
Does your change fix a particular issue?
Fixes #6429
Please indicate you've done the following:
/kind changelog-not-required
as a comment on this pull request.
site/content/docs/main