Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security update for Go crypto pkg #6964

Merged
merged 4 commits into from
Dec 12, 2024
Merged

Security update for Go crypto pkg #6964

merged 4 commits into from
Dec 12, 2024

Conversation

jjngx
Copy link
Contributor

@jjngx jjngx commented Dec 12, 2024

Proposed changes

This PR contains upgrade for the crypto pkg issued by Go team: CVE

govulncheck -show verbose ./...
Scanning your code and 1103 packages across 98 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

=== Symbol Results ===

No vulnerabilities found.

=== Package Results ===

No other vulnerabilities found.

=== Module Results ===

Vulnerability #1: GO-2024-3321
    Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in
    golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2024-3321
  Module: golang.org/x/crypto
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]

Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.

after the upgrade:

➜  kubernetes-ingress git:(chore/sec-patch) govulncheck -show verbose ./...
Scanning your code and 1103 packages across 98 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

No vulnerabilities found.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

@jjngx jjngx added the needs cherry pick Cherry pick this PR into a release branch label Dec 12, 2024
@jjngx jjngx requested a review from a team as a code owner December 12, 2024 09:10
@github-actions github-actions bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Dec 12, 2024
@codecov Codecov
Copy link

codecov bot commented Dec 12, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 52.54%. Comparing base (6ce3e72) to head (de51058).
Report is 1 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #6964      +/-   ##
==========================================
- Coverage   52.57%   52.54%   -0.03%     
==========================================
  Files          88       88              
  Lines       20789    20803      +14     
==========================================
+ Hits        10929    10931       +2     
- Misses       9403     9417      +14     
+ Partials      457      455       -2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@pdabelf5 pdabelf5 enabled auto-merge (squash) December 12, 2024 09:33
@pdabelf5 pdabelf5 merged commit 3c18788 into main Dec 12, 2024
80 checks passed
@pdabelf5 pdabelf5 deleted the chore/sec-patch branch December 12, 2024 11:22
nginx-bot pushed a commit that referenced this pull request Dec 12, 2024
@jjngx @web-flow
Security update for Go crypto pkg (#6964)
46e66ac
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pdabelf5 pdabelf5 pdabelf5 approved these changes

@AlexFenlon AlexFenlon AlexFenlon approved these changes

@vepatel vepatel vepatel approved these changes

@j1m-ryan j1m-ryan j1m-ryan approved these changes

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file go Pull requests that update Go code needs cherry pick Cherry pick this PR into a release branch
Projects
NGINX Ingress Controller
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@jjngx @j1m-ryan @vepatel @AlexFenlon @pdabelf5