Bug #18491

Address jwt-go's security advisory

Added by Lucas Di Pentima about 2 months ago. Updated about 2 months ago.

Assigned To:
Target version:
Start date:
Due date:
% Done:


Estimated time:
(Total: 0.00 h)
Story points:
Release relationship:


One of controller's dependencies requires an upgrade because of security issues.


The project seems to have been taken over by a new maintainer team at: https://github.com/golang-jwt/jwt


Task #18493: Review 18491-jwt-go-upgradeResolvedLucas Di Pentima

Associated revisions

Revision 00b010f9 (diff)
Added by Lucas Di Pentima about 2 months ago

Merge branch '18491-jwt-go-upgrade' into main. Closes #18491.

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <>


#1 Updated by Lucas Di Pentima about 2 months ago

By using go mod graph I was able to see which dependency asked for this module:

lucas@buster:~/arvados$ go mod graph | grep jwt
github.com/Azure/go-autorest/autorest/adal@v0.9.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/Azure/go-autorest/autorest/adal@v0.9.2 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
lucas@buster:~/arvados$ go mod graph | grep adal@
github.com/Azure/go-autorest/autorest@v0.11.0 github.com/Azure/go-autorest/autorest/adal@v0.9.0
github.com/Azure/go-autorest/autorest/azure/cli@v0.4.0 github.com/Azure/go-autorest/autorest/adal@v0.9.0
github.com/Azure/go-autorest/autorest/azure/auth@v0.5.1 github.com/Azure/go-autorest/autorest/adal@v0.9.2
github.com/Azure/go-autorest/autorest@v0.11.3 github.com/Azure/go-autorest/autorest/adal@v0.9.0
lucas@buster:~/arvados$ go mod graph | grep azure/cli
github.com/Azure/go-autorest/autorest/azure/auth@v0.5.1 github.com/Azure/go-autorest/autorest/azure/cli@v0.4.0
lucas@buster:~/arvados$ go mod graph | grep azure/auth
git.arvados.org/arvados.git github.com/Azure/go-autorest/autorest/azure/auth@v0.5.1

It seems that github.com/Azure/go-autorest/autorest/azure/auth@v0.5.1 is the root of this requirement chain, I'll attempting an upgrade on it.

#2 Updated by Lucas Di Pentima about 2 months ago

Updates at d69ebd24d - branch 18491-jwt-go-upgrade
Test run: https://ci.arvados.org/job/developer-run-tests/2818/

  • Upgrades github.com/Azure/go-autorest/autorest/azure/auth to v.0.5.9 and all its dependencies.
  • Removes unused modules (including github.com/dgrijalva/jwt-go) by running: go mod tidy

#3 Updated by Lucas Di Pentima about 2 months ago

I'm getting the following test failure and I'm not sure why:

16:32:26 ----------------------------------------------------------------------
16:32:26 FAIL: container_gateway_test.go:189: ContainerGatewaySuite.TestConnect
16:32:26 connecting to localhost:37559
16:32:26 container_gateway_test.go:213:
16:32:26     c.Check(buf[:4], check.DeepEquals, []byte{0, 0, 1, 0xfc})
16:32:26 ... obtained []uint8 = []byte{0x0, 0x0, 0x2, 0xc}
16:32:26 ... expected []uint8 = []byte{0x0, 0x0, 0x1, 0xfc}

#4 Updated by Tom Clegg about 2 months ago

IIRC when I wrote that test I didn't know what the bytes meant, they just seemed to be equal each time. Now that I bother to look at RFC4253 it seems they're just the length of a data packet, so not worth testing. I think we can just delete that check. The previous line already checks that we can read 4 bytes after sending our banner, which seems good enough for this test's purposes.

#5 Updated by Lucas Di Pentima about 2 months ago

Thanks for the explanation!

I've updated the test at bc3637c90
Test run: https://ci.arvados.org/job/developer-run-tests/2822/

#6 Updated by Tom Clegg about 2 months ago

LGTM, thanks!

#7 Updated by Lucas Di Pentima about 2 months ago

  • Status changed from In Progress to Resolved

Applied in changeset arvados-private:commit:arvados|e163d0f19b52b4c15adb3d97f49bcacdbaf8dc89.

#8 Updated by Lucas Di Pentima about 2 months ago

To re-do this on the 2.3-dev branch, run the following:

$ go get -u github.com/Azure/go-autorest/autorest/azure/auth
$ go mod tidy

then, fix a test by removing the check from line 213 at file lib/controller/localdb/container_gateway_test.go

Also available in: Atom PDF