Update dependencies to latest versions #1039
Open
kgaughan wants to merge 2 commits into goss-org:master from
Conversation
Collaborator
This lgtm, but Travis must be persuaded to run. @aelsabbahy / @ripienaar - is that something you can address?
I've also fixed two spots that cause 'make test' to fail with a 'non-constant format string' error.
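The 'non-constant format string' error is Go 1.24's vet printf check, which go test runs, and it exists because a message used as the format string has any '%' in it interpreted as a verb. The following is an added example, not code from this PR or from goss, contrasting that pattern with the fix; the function names are hypothetical and the sample messages are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// errorfBefore mirrors the pattern the PR fixed: the message itself is used
// as the format string. Go 1.24's vet rejects fmt.Errorf(msg) outright and
// go test would refuse to run this file, so the identical runtime behaviour
// is reproduced with an explicitly empty argument list. Any '%' in msg is
// interpreted as a verb, and fmt writes "%!" markers where verbs lack operands.
func errorfBefore(msg string) error {
	var none []any
	return fmt.Errorf(msg, none...)
}

// errorfAfter is the fix vet suggests: a constant format string with the
// message as an ordinary operand, so '%' in it passes through untouched.
func errorfAfter(msg string) error {
	return fmt.Errorf("%s", msg)
}

// errorAfterNew is the simpler fix when no formatting is needed at all.
func errorAfterNew(msg string) error {
	return errors.New(msg)
}

// mangled reports whether err's text carries one of fmt's "%!" error markers,
// the observable symptom of a message that was treated as a format string.
func mangled(err error) bool {
	return strings.Contains(err.Error(), "%!")
}

func main() {
	// Constructed messages of the kind a test resource can echo back:
	// a percentage and a literal "%d" from a user-supplied expectation.
	for _, msg := range []string{"disk usage 100%", "expected %d matches"} {
		fmt.Printf("before: %q\n", errorfBefore(msg).Error())
		fmt.Printf("after:  %q\n", errorfAfter(msg).Error())
		fmt.Printf("mangled before=%v after=%v\n\n",
			mangled(errorfBefore(msg)), mangled(errorfAfter(msg)))
	}
}
```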
Author
@aelsabbahy Any chance you could spare some time to take a look at this? My most recent push to this PR addresses these issues associated with CVEs flagged by govulncheck:

```
$ govulncheck -show verbose ./...
Fetching vulnerabilities from the database...
Checking the code against the vulnerabilities...
The package pattern matched the following 7 root packages:
github.com/goss-org/goss/matchers
github.com/goss-org/goss/util
github.com/goss-org/goss/system
github.com/goss-org/goss/resource
github.com/goss-org/goss/outputs
github.com/goss-org/goss
github.com/goss-org/goss/cmd/goss
Govulncheck scanned the following 46 modules and the go1.26.2 standard library:
github.com/goss-org/goss
dario.cat/mergo@v1.0.1
github.com/Masterminds/goutils@v1.1.1
github.com/Masterminds/semver/v3@v3.3.0
github.com/Masterminds/sprig/v3@v3.3.0
github.com/achanda/go-sysctl@v0.0.0-20160222034550-6be7678c45d2
github.com/beorn7/perks@v1.0.1
github.com/blang/semver/v4@v4.0.0
github.com/cespare/xxhash/v2@v2.3.0
github.com/cpuguy83/go-md2man/v2@v2.0.3
github.com/fatih/color@v1.17.0
github.com/google/go-cmp@v0.6.0
github.com/google/uuid@v1.6.0
github.com/goss-org/GOnetstat@v0.0.0-20230101144325-22be0bd9e64d
github.com/goss-org/go-ps@v0.0.0-20230609005227-7b318e6a56e5
github.com/hashicorp/logutils@v1.0.0
github.com/huandu/xstrings@v1.5.0
github.com/mattn/go-colorable@v0.1.13
github.com/mattn/go-isatty@v0.0.20
github.com/miekg/dns@v1.1.61
github.com/mitchellh/copystructure@v1.2.0
github.com/mitchellh/reflectwalk@v1.0.2
github.com/moby/sys/mountinfo@v0.7.1
github.com/munnerz/goautoneg@v0.0.0-20191010083416-a7dc8b61c822
github.com/oleiade/reflections@v1.0.1
github.com/onsi/gomega@v1.33.1
github.com/patrickmn/go-cache@v2.1.0+incompatible
github.com/pmezard/go-difflib@v1.0.0
github.com/prometheus/client_golang@v1.19.1
github.com/prometheus/client_model@v0.6.1
github.com/prometheus/common@v0.55.0
github.com/prometheus/procfs@v0.15.1
github.com/russross/blackfriday/v2@v2.1.0
github.com/samber/lo@v1.46.0
github.com/shopspring/decimal@v1.4.0
github.com/spf13/cast@v1.7.0
github.com/tidwall/gjson@v1.17.1
github.com/tidwall/match@v1.1.1
github.com/tidwall/pretty@v1.2.1
github.com/urfave/cli@v1.22.14
golang.org/x/crypto@v0.26.0
golang.org/x/net@v0.27.0
golang.org/x/sys@v0.23.0
golang.org/x/text@v0.17.0
google.golang.org/protobuf@v1.34.2
gopkg.in/yaml.v3@v3.0.1
=== Symbol Results ===
No vulnerabilities found.
=== Package Results ===
Vulnerability #1: GO-2026-4441
Infinite parsing loop in golang.org/x/net
More info: https://pkg.go.dev/vuln/GO-2026-4441
Module: golang.org/x/net
Found in: golang.org/x/net@v0.27.0
Fixed in: golang.org/x/net@v0.45.0
Vulnerability #2: GO-2026-4440
Quadratic parsing complexity in golang.org/x/net/html
More info: https://pkg.go.dev/vuln/GO-2026-4440
Module: golang.org/x/net
Found in: golang.org/x/net@v0.27.0
Fixed in: golang.org/x/net@v0.45.0
Vulnerability #3: GO-2025-3595
Incorrect Neutralization of Input During Web Page Generation in x/net in
golang.org/x/net
More info: https://pkg.go.dev/vuln/GO-2025-3595
Module: golang.org/x/net
Found in: golang.org/x/net@v0.27.0
Fixed in: golang.org/x/net@v0.38.0
Vulnerability #4: GO-2024-3333
Non-linear parsing of case-insensitive content in golang.org/x/net/html
More info: https://pkg.go.dev/vuln/GO-2024-3333
Module: golang.org/x/net
Found in: golang.org/x/net@v0.27.0
Fixed in: golang.org/x/net@v0.33.0
=== Module Results ===
Vulnerability #1: GO-2025-4135
Malformed constraint may cause denial of service in
golang.org/x/crypto/ssh/agent
More info: https://pkg.go.dev/vuln/GO-2025-4135
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.26.0
Fixed in: golang.org/x/crypto@v0.45.0
Vulnerability #2: GO-2025-4134
Unbounded memory consumption in golang.org/x/crypto/ssh
More info: https://pkg.go.dev/vuln/GO-2025-4134
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.26.0
Fixed in: golang.org/x/crypto@v0.45.0
Vulnerability #3: GO-2025-4116
Potential denial of service in golang.org/x/crypto/ssh/agent
More info: https://pkg.go.dev/vuln/GO-2025-4116
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.26.0
Fixed in: golang.org/x/crypto@v0.43.0
Vulnerability #4: GO-2025-3503
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
More info: https://pkg.go.dev/vuln/GO-2025-3503
Module: golang.org/x/net
Found in: golang.org/x/net@v0.27.0
Fixed in: golang.org/x/net@v0.36.0
Vulnerability #5: GO-2025-3487
Potential denial of service in golang.org/x/crypto
More info: https://pkg.go.dev/vuln/GO-2025-3487
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.26.0
Fixed in: golang.org/x/crypto@v0.35.0
Vulnerability #6: GO-2024-3321
Misuse of connection.serverAuthenticate may cause authorization bypass in
golang.org/x/crypto
More info: https://pkg.go.dev/vuln/GO-2024-3321
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.26.0
Fixed in: golang.org/x/crypto@v0.31.0
```

Now, I'll note that it also says this at the end: So goss itself shouldn't be affected by any vulnerabilities, but it's still good hygiene to get them updated. You might notice that I haven't updated
Checklist
make test-all (UNIX) passes. CI will also test this

Description of change
Update dependencies to the latest versions and build against Go 1.24.

Owing to some changes between Go 1.23 and 1.24, #1038 needs to be merged first to prevent some spurious linter errors from appearing. Note that the same integration test issues I noted in that PR also apply here.

Some of the messages the integration tests expect change in more recent versions of Go.

Further, the .editorconfig file leads to trailing whitespace being removed. It's a bit of a coin-toss as to whether the right solution here is to override whitespace trimming for just the `testcase` directory or to instead perform some normalization of the expected and actual strings to trim this whitespace, so I did both.

Fixes #1027, #1008.

This and #1038 cover some of the same ground as #1032, which is worth revisiting if this and #1038 are merged.