@JamesBelchamber

Fixes the following issues raised by revive (by changing from max to maxMessages):

  ⚠  https://revive.run/r#redefines-builtin-id  redefinition of the built-in function max  
  pubsub/memory.go:65:81

  ⚠  https://revive.run/r#redefines-builtin-id  redefinition of the built-in function max  
  pubsub/memory.go:70:2

  ⚠  https://revive.run/r#redefines-builtin-id  redefinition of the built-in function max  
  pubsub/gcp.go:91:83

  ⚠  https://revive.run/r#redefines-builtin-id  redefinition of the built-in function max  
  pubsub/mongo.go:111:81

  ⚠  https://revive.run/r#var-naming  avoid meaningless package names  
  types/types_test.go:1:9

⚠ 5 problems (0 errors, 5 warnings)

And the following issues raised by govulncheck (by updating Go and all packages):

Vulnerability #1: GO-2025-3751
    Sensitive headers not cleared on cross-origin redirect in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3751
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Example traces found:
##[error]      #1: records/dynamoDbStore.go:177:25: records.DynamoDbRecordStore.WriteRecord calls dynamodb.Client.PutItem, which eventually calls http.Client.Do
##[error]      #2: secrets/gcpSecretsManager.go:28:40: secrets.NewGcpSecretsManager calls apiv1.NewClient, which eventually calls http.Client.PostForm

Vulnerability #2: GO-2025-3750
    Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in
    syscall
  More info: https://pkg.go.dev/vuln/GO-2025-3750
  Standard library
    Found in: [email protected]
    Fixed in: [email protected]
    Platforms: windows
    Example traces found:
##[error]      #1: router/router.go:134:16: router.RunRouter calls log.Logger.Fatal, which eventually calls os.CreateTemp
##[error]      #2: router/router.go:42:15: router.RunRouter calls echo.New, which eventually calls os.Getwd
##[error]      #3: secrets/gcpSecretsManager.go:6:2: secrets.init calls os.init, which calls os.NewFile
##[error]      #4: cmd/jb-sw-realm/main.go:70:28: jb.main calls rand.Read, which eventually calls os.Open
##[error]      #5: records/mongoStore.go:58:30: records.NewMongoRecordStore calls mongo.Connect, which eventually calls os.OpenFile
##[error]      #6: records/mongoStore.go:58:30: records.NewMongoRecordStore calls mongo.Connect, which eventually calls os.Pipe
##[error]      #7: cmd/jb-sw-realm/main.go:120:24: jb.main calls trace.TracerProvider.Shutdown, which eventually calls os.ReadDir
##[error]      #8: records/mongoStore.go:57:44: records.NewMongoRecordStore calls options.ClientOptions.ApplyURI, which eventually calls os.ReadFile
##[error]      #9: router/router.go:134:24: router.RunRouter calls echo.Echo.Start, which eventually calls os.Remove
##[error]      #10: records/dynamoDbStore.go:177:25: records.DynamoDbRecordStore.WriteRecord calls dynamodb.Client.PutItem, which eventually calls os.Rename
##[error]      #11: records/mongoStore.go:58:30: records.NewMongoRecordStore calls mongo.Connect, which eventually calls os.StartProcess
##[error]      #12: records/mongoStore.go:58:30: records.NewMongoRecordStore calls mongo.Connect, which eventually calls os.Stat
##[error]      #13: pubsub/aws.go:78:27: pubsub.sqsClient.Publish calls json.Marshal, which eventually calls os.WriteFile
##[error]      #14: router/router.go:42:15: router.RunRouter calls echo.New, which eventually calls syscall.Open

Vulnerability #3: GO-2025-3563
    Request smuggling due to acceptance of invalid chunked data in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3563
  Standard library
    Found in: net/http/[email protected]
    Fixed in: net/http/[email protected]
    Example traces found:
##[error]      #1: cmd/jb-sw-realm/main.go:70:28: jb.main calls rand.Read, which eventually calls internal.chunkedReader.Read

Vulnerability #4: GO-2025-3553
    Excessive memory allocation during header parsing in
    github.com/golang-jwt/jwt
  More info: https://pkg.go.dev/vuln/GO-2025-3553
  Module: github.com/golang-jwt/jwt
    Found in: github.com/golang-jwt/[email protected]+incompatible
    Fixed in: N/A
    Example traces found:
##[error]      #1: router/router.go:29:2: router.init calls middleware.init, which calls jwt.init

  Module: github.com/golang-jwt/jwt/v5
    Found in: github.com/golang-jwt/jwt/[email protected]
    Fixed in: github.com/golang-jwt/jwt/[email protected]
    Example traces found:
##[error]      #1: router/tenant_log.go:50:37: router.AddTenantLogHandlers calls jwt.ParseWithClaims, which eventually calls jwt.Parser.ParseUnverified

Vulnerability #5: GO-2025-3447
    Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec
  More info: https://pkg.go.dev/vuln/GO-2025-3447
  Standard library
    Found in: crypto/internal/[email protected]
    Fixed in: crypto/internal/[email protected]
    Platforms: ppc64le
    Example traces found:
##[error]      #1: records/mongoStore.go:57:44: records.NewMongoRecordStore calls options.ClientOptions.ApplyURI, which eventually calls nistec.P256Point.ScalarBaseMult
##[error]      #2: router/router.go:134:24: router.RunRouter calls echo.Echo.Start, which eventually calls nistec.P256Point.ScalarMult
##[error]      #3: secrets/secretsManager.go:78:42: secrets.ParseAuthKey calls x509.ParsePKIXPublicKey, which eventually calls nistec.P256Point.SetBytes

Vulnerability #6: GO-2025-3420
    Sensitive headers incorrectly sent after cross-domain redirect in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3420
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Example traces found:
##[error]      #1: records/dynamoDbStore.go:177:25: records.DynamoDbRecordStore.WriteRecord calls dynamodb.Client.PutItem, which eventually calls http.Client.Do
##[error]      #2: secrets/gcpSecretsManager.go:28:40: secrets.NewGcpSecretsManager calls apiv1.NewClient, which eventually calls http.Client.PostForm

Vulnerability #7: GO-2025-3373
    Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-3373
  Standard library
    Found in: crypto/[email protected]
    Fixed in: crypto/[email protected]
    Example traces found:
##[error]      #1: records/mongoStore.go:57:44: records.NewMongoRecordStore calls options.ClientOptions.ApplyURI, which eventually calls x509.CertPool.AppendCertsFromPEM
##[error]      #2: records/mongoStore.go:58:30: records.NewMongoRecordStore calls mongo.Connect, which eventually calls x509.Certificate.CheckSignature
##[error]      #3: records/mongoStore.go:58:30: records.NewMongoRecordStore calls mongo.Connect, which eventually calls x509.Certificate.CheckSignatureFrom
##[error]      #4: router/router.go:134:24: router.RunRouter calls echo.Echo.Start, which eventually calls x509.Certificate.Verify
##[error]      #5: router/router.go:134:24: router.RunRouter calls echo.Echo.Start, which eventually calls x509.Certificate.VerifyHostname
##[error]      #6: records/mongoStore.go:57:44: records.NewMongoRecordStore calls options.ClientOptions.ApplyURI, which eventually calls x509.DecryptPEMBlock
##[error]      #7: types/types.go:121:20: types.HTTPError.Error calls x509.HostnameError.Error
##[error]      #8: records/mongoStore.go:57:44: records.NewMongoRecordStore calls options.ClientOptions.ApplyURI, which eventually calls x509.MarshalPKCS8PrivateKey
##[error]      #9: records/mongoStore.go:57:44: records.NewMongoRecordStore calls options.ClientOptions.ApplyURI, which eventually calls x509.ParseCertificate
##[error]      #10: records/mongoStore.go:57:44: records.NewMongoRecordStore calls options.ClientOptions.ApplyURI, which eventually calls x509.ParseECPrivateKey
##[error]      #11: records/mongoStore.go:57:44: records.NewMongoRecordStore calls options.ClientOptions.ApplyURI, which eventually calls x509.ParsePKCS1PrivateKey
##[error]      #12: records/mongoStore.go:57:44: records.NewMongoRecordStore calls options.ClientOptions.ApplyURI, which eventually calls x509.ParsePKCS8PrivateKey
##[error]      #13: secrets/secretsManager.go:78:42: secrets.ParseAuthKey calls x509.ParsePKIXPublicKey

Vulnerability #8: GO-2024-3106
    Stack exhaustion in Decoder.Decode in encoding/gob
  More info: https://pkg.go.dev/vuln/GO-2024-3106
  Standard library
    Found in: encoding/[email protected]
    Fixed in: encoding/[email protected]
    Example traces found:
##[error]      #1: cmd/jb-sw-realm/main.go:120:24: jb.main calls trace.TracerProvider.Shutdown, which eventually calls gob.Decoder.Decode

Your code is affected by 8 vulnerabilities from 1 module and the Go standard library.
This scan also found 2 vulnerabilities in packages you import and 8
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
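The first group of revive warnings is about a parameter named `max` shadowing the builtin of the same name. The following is an added illustration, not code from the jb-sw-realm project: it shows a bounded receive of the kind a `maxMessages` parameter in an in-memory pubsub serves, and why the original name was a latent bug rather than a style nit. The `receive` function and the `message` type are assumptions made for this example.

```go
package main

import "fmt"

// Constructed example, not the project's code. Since Go 1.21, max and min are
// builtin functions, so a parameter named `max` shadows them for the whole
// function body. revive's redefines-builtin-id rule flags that shadowing
// before it turns into a compile error or a silent change of meaning.

// message is an assumed stand-in for whatever the real queue carries.
type message struct {
	ID   int
	Body string
}

// receive drains up to maxMessages messages from an in-memory queue without
// blocking. Had the parameter been called `max`, the call to the builtin max
// below would resolve to the int parameter instead and fail to compile.
func receive(queue chan message, maxMessages int) []message {
	// Clamp a non-positive request to one message rather than returning nothing.
	limit := max(maxMessages, 1)
	batch := make([]message, 0, limit)
	for len(batch) < limit {
		select {
		case m := <-queue:
			batch = append(batch, m)
		default:
			// Queue empty: return what has been collected so far.
			return batch
		}
	}
	return batch
}

func main() {
	queue := make(chan message, 10)
	for i := 1; i <= 5; i++ {
		queue <- message{ID: i, Body: fmt.Sprintf("msg-%d", i)}
	}
	fmt.Println(len(receive(queue, 3)), "received") // 3
	fmt.Println(len(receive(queue, 0)), "received") // clamped to 1
	fmt.Println(len(receive(queue, 10)), "received") // 1, queue now empty
}
```

Renaming to `maxMessages` keeps the builtin reachable and also documents the unit of the bound, which is the more useful property once several pubsub backends (memory, GCP, Mongo) share the signature.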

@JamesBelchamber JamesBelchamber merged commit 5308710 into main Jul 1, 2025
1 check passed