Bug #18491
Address jwt-go's security advisory
Status: closed
Description
One of controller's dependencies requires an upgrade because of security issues.
https://github.com/advisories/GHSA-w73w-5m7g-f7qc
The project seems to have been taken over by a new maintainer team at: https://github.com/golang-jwt/jwt
Updated by Lucas Di Pentima about 3 years ago
By using go mod graph I was able to see which dependency asked for this module:
lucas@buster:~/arvados$ go mod graph | grep jwt
github.com/Azure/go-autorest/autorest/adal@v0.9.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/Azure/go-autorest/autorest/adal@v0.9.2 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
lucas@buster:~/arvados$ go mod graph | grep adal@
[...]
github.com/Azure/go-autorest/autorest@v0.11.0 github.com/Azure/go-autorest/autorest/adal@v0.9.0
[...]
github.com/Azure/go-autorest/autorest/azure/cli@v0.4.0 github.com/Azure/go-autorest/autorest/adal@v0.9.0
github.com/Azure/go-autorest/autorest/azure/auth@v0.5.1 github.com/Azure/go-autorest/autorest/adal@v0.9.2
github.com/Azure/go-autorest/autorest@v0.11.3 github.com/Azure/go-autorest/autorest/adal@v0.9.0
lucas@buster:~/arvados$ go mod graph | grep azure/cli
[...]
github.com/Azure/go-autorest/autorest/azure/auth@v0.5.1 github.com/Azure/go-autorest/autorest/azure/cli@v0.4.0
lucas@buster:~/arvados$ go mod graph | grep azure/auth
git.arvados.org/arvados.git github.com/Azure/go-autorest/autorest/azure/auth@v0.5.1
[...]
It seems that github.com/Azure/go-autorest/autorest/azure/auth@v0.5.1 is the root of this requirement chain; I'll attempt an upgrade on it.
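As an added illustration of the chain-walking done by hand with grep above (example code, not from the ticket or from Arvados): a small Go program that parses `go mod graph` output into an adjacency map, finds the shortest requirement path from the main module to any version of a flagged module, and lists the modules that require it directly, which is what an upgrade or replace directive has to address. The embedded graph is a constructed excerpt containing the edges visible in the grep output plus the root edge, not the full Arvados graph; the function names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"sort"
	"strings"
)

// sampleGraph is a constructed excerpt in the format `go mod graph` prints:
// one "parent child" edge per line, nodes as path@version, the main module
// without a version. It is not the complete Arvados dependency graph.
const sampleGraph = `git.arvados.org/arvados.git github.com/Azure/go-autorest/autorest/azure/auth@v0.5.1
git.arvados.org/arvados.git github.com/Azure/go-autorest/autorest@v0.11.3
github.com/Azure/go-autorest/autorest/azure/auth@v0.5.1 github.com/Azure/go-autorest/autorest/azure/cli@v0.4.0
github.com/Azure/go-autorest/autorest/azure/auth@v0.5.1 github.com/Azure/go-autorest/autorest/adal@v0.9.2
github.com/Azure/go-autorest/autorest/azure/cli@v0.4.0 github.com/Azure/go-autorest/autorest/adal@v0.9.0
github.com/Azure/go-autorest/autorest@v0.11.3 github.com/Azure/go-autorest/autorest/adal@v0.9.0
github.com/Azure/go-autorest/autorest@v0.11.0 github.com/Azure/go-autorest/autorest/adal@v0.9.0
github.com/Azure/go-autorest/autorest/adal@v0.9.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/Azure/go-autorest/autorest/adal@v0.9.2 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
`

// parseGraph reads `go mod graph` output into an adjacency map parent -> children,
// preserving edge order so traversals are deterministic.
func parseGraph(r io.Reader) (map[string][]string, error) {
	graph := map[string][]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed edge: %q", line)
		}
		graph[fields[0]] = append(graph[fields[0]], fields[1])
	}
	return graph, sc.Err()
}

// modulePath strips the @version suffix so that every version of a module matches.
func modulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// shortestPath runs a breadth-first search from root and returns the shortest
// chain of nodes that ends at any version of target, or nil if it is unreachable.
// The visited map also guards against cycles in the graph.
func shortestPath(graph map[string][]string, root, target string) []string {
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if modulePath(cur) == target {
			var path []string
			for n := cur; n != ""; n = parent[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range graph[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// requirers lists, sorted, the distinct nodes that require any version of target directly.
func requirers(graph map[string][]string, target string) []string {
	set := map[string]bool{}
	for p, children := range graph {
		for _, c := range children {
			if modulePath(c) == target {
				set[p] = true
			}
		}
	}
	out := make([]string, 0, len(set))
	for p := range set {
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

func main() {
	// To run against a real module, read from os.Stdin and pipe `go mod graph` into it.
	graph, err := parseGraph(strings.NewReader(sampleGraph))
	if err != nil {
		panic(err)
	}
	const root, target = "git.arvados.org/arvados.git", "github.com/dgrijalva/jwt-go"
	fmt.Println("shortest path:", strings.Join(shortestPath(graph, root, target), " -> "))
	fmt.Println("direct requirers:", requirers(graph, target))
}
```

On the sample graph the path comes out as the main module, then azure/auth@v0.5.1, then adal@v0.9.2, then jwt-go, and both adal versions are listed as direct requirers. The Go toolchain answers the same question natively with `go mod why -m github.com/dgrijalva/jwt-go` run in the module root; the program is for cases where the graph has already been captured to a file, for instance as a CI artifact.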
Updated by Lucas Di Pentima about 3 years ago
Updates at d69ebd24d - branch 18491-jwt-go-upgrade
Test run: developer-run-tests: #2818
- Upgrades github.com/Azure/go-autorest/autorest/azure/auth to v0.5.9 and all its dependencies.
- Removes unused modules (including github.com/dgrijalva/jwt-go) by running: go mod tidy
Updated by Lucas Di Pentima about 3 years ago
I'm getting the following test failure and I'm not sure why:
16:32:26 ----------------------------------------------------------------------
16:32:26 FAIL: container_gateway_test.go:189: ContainerGatewaySuite.TestConnect
16:32:26
16:32:26 connecting to localhost:37559
16:32:26 container_gateway_test.go:213:
16:32:26     c.Check(buf[:4], check.DeepEquals, []byte{0, 0, 1, 0xfc})
16:32:26 ... obtained []uint8 = []byte{0x0, 0x0, 0x2, 0xc}
16:32:26 ... expected []uint8 = []byte{0x0, 0x0, 0x1, 0xfc}
Updated by Tom Clegg about 3 years ago
IIRC when I wrote that test I didn't know what the bytes meant, they just seemed to be equal each time. Now that I bother to look at RFC4253 it seems they're just the length of a data packet, so not worth testing. I think we can just delete that check. The previous line already checks that we can read 4 bytes after sending our banner, which seems good enough for this test's purposes.
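An added example, not code from the ticket or from Arvados, showing what those four bytes are under RFC 4253 and what a test could check about them without pinning an exact value. Every SSH binary packet starts with a big-endian uint32 packet_length; the first packet after the version exchange is SSH_MSG_KEXINIT, whose payload is a set of algorithm name-lists, so its length moves whenever the SSH library's advertised algorithms change. The two inputs are the four bytes quoted in the failure above (508 before the upgrade, 524 after); the constants, function names and the 35000-byte cap (the total packet size RFC 4253 says every implementation must accept) are this example's own choices.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed inputs: the first four bytes read after the test sent its banner,
// before and after the dependency upgrade, copied from the failure quoted above.
var (
	headBefore = []byte{0x00, 0x00, 0x01, 0xfc}
	headAfter  = []byte{0x00, 0x00, 0x02, 0x0c}
)

// Limits from RFC 4253 section 6. The block size of 8 applies to the initial,
// unencrypted phase (cipher "none"); 35000 is the total packet size every
// implementation must be able to process, used here as an upper bound on what
// a sane peer sends (a choice made for this example).
const (
	noneCipherBlockSize = 8
	minPacketTotal      = 16
	maxPacketTotal      = 35000
)

// packetLength decodes the uint32 packet_length that opens every SSH binary
// packet. It counts padding_length, payload and random padding, but not the
// length field itself and not the MAC.
func packetLength(head []byte) (uint32, error) {
	if len(head) < 4 {
		return 0, errors.New("need at least 4 bytes of packet header")
	}
	return binary.BigEndian.Uint32(head[:4]), nil
}

// validateFirstPacketLength checks the structural constraints RFC 4253 puts on
// the first packet of the binary protocol: 4+packet_length is a multiple of the
// block size and at least 16 bytes, and the total is within what peers must
// accept. It deliberately does not compare against an exact value, because the
// KEXINIT length depends on the algorithm name-lists the peer advertises.
func validateFirstPacketLength(head []byte) error {
	n, err := packetLength(head)
	if err != nil {
		return err
	}
	total := uint64(n) + 4 // uint64 so a hostile 0xffffffff cannot wrap
	switch {
	case total < minPacketTotal:
		return fmt.Errorf("packet_length %d: total %d below minimum %d", n, total, minPacketTotal)
	case total > maxPacketTotal:
		return fmt.Errorf("packet_length %d: total %d above limit %d", n, total, maxPacketTotal)
	case total%noneCipherBlockSize != 0:
		return fmt.Errorf("packet_length %d: total %d not a multiple of block size %d", n, total, noneCipherBlockSize)
	}
	return nil
}

func main() {
	for _, head := range [][]byte{headBefore, headAfter} {
		n, _ := packetLength(head)
		fmt.Printf("% x -> packet_length %d, valid: %v\n", head, n, validateFirstPacketLength(head))
	}
}
```

Both observed headers pass: 508+4 and 524+4 are 512 and 528, multiples of 8 and well under the cap. Dropping the exact-value check, as done in the ticket, is the simplest fix; if a test wants to keep some assertion on these bytes, a structural check like this one survives library upgrades.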
Updated by Lucas Di Pentima about 3 years ago
Thanks for the explanation!
I've updated the test at bc3637c90
Test run: developer-run-tests: #2822
Updated by Lucas Di Pentima about 3 years ago
- Status changed from In Progress to Resolved
Applied in changeset arvados-private:commit:arvados|e163d0f19b52b4c15adb3d97f49bcacdbaf8dc89.
Updated by Lucas Di Pentima about 3 years ago
To re-do this on the 2.3-dev
branch, run the following:
$ go get -u github.com/Azure/go-autorest/autorest/azure/auth
$ go mod tidy
then fix a test by removing the check at line 213 of lib/controller/localdb/container_gateway_test.go