Update deps for existing vulnerabilities #284
Open
Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.
Vulnerability 1: GO-2022-0236
A malicious HTTP server or client can cause the net/http client
or server to panic. ReadRequest and ReadResponse can hit an
unrecoverable panic when reading a very large header (over 7MB
on 64-bit architectures, or over 4MB on 32-bit ones). Transport
and Client are vulnerable and the program can be made to crash
by a malicious server. Server is not vulnerable by default, but
can be if the default max header of 1MB is overridden by setting
Server.MaxHeaderBytes to a higher value, in which case the
program can be made to crash by a malicious client. This also
affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken
in golang.org/x/net/http/httpguts.
Call stacks in your code:
requester/requester.go:185:19: github.com/rakyll/hey/requester.Work.makeRequest calls net/http.Client.Do, which eventually calls golang.org/x/net/http/httpguts.HeaderValuesContainsToken
Found in: golang.org/x/net/http/[email protected]
Fixed in: golang.org/x/net/http/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-0236
Informational
The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.
Vulnerability 1: GO-2022-0288
An attacker can cause unbounded memory growth in servers accepting
HTTP/2 requests.
Found in: golang.org/x/net/[email protected]
Fixed in: golang.org/x/net/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-0288
Vulnerability 2: GO-2020-0015
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
the Decoder is called, or the Decoder is passed to transform.String.
If used to parse user supplied input, this may be used as a denial of service
vector.
Found in: golang.org/x/text/[email protected]
Fixed in: golang.org/x/text/[email protected]
More info: https://pkg.go.dev/vuln/GO-2020-0015
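The GO-2022-0236 finding above is reachable because hey is an HTTP client pointed at a server the user chooses, and Go's default Transport accepts up to 10 MiB of response headers, more than the roughly 7 MiB that triggered the panic. Upgrading x/net is the fix; a belt-and-braces client-side mitigation is to cap Transport.MaxResponseHeaderBytes. The following is an added example (not hey's code and not part of this PR) that stands up a loopback server returning one oversized header and shows the capped client aborting the response while an uncapped budget accepts it. The server, the header size and the function names are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// bigHeaderServer starts a loopback server whose every response carries one
// oversized header value. It stands in for the malicious server described in
// GO-2022-0236 and is constructed for this example only.
func bigHeaderServer(headerBytes int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Padding", strings.Repeat("a", headerBytes))
		w.WriteHeader(http.StatusOK)
	}))
}

// fetchWithHeaderLimit issues one GET through a Transport whose response-header
// budget is capped at limit bytes. A limit of 0 keeps Go's default of 10 MiB,
// which is larger than the header size that panicked unpatched x/net.
func fetchWithHeaderLimit(url string, limit int64) (int, error) {
	tr := &http.Transport{
		MaxResponseHeaderBytes: limit,
		DisableKeepAlives:      true,
	}
	client := &http.Client{Transport: tr, Timeout: 10 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// probe fetches a response carrying a headerBytes-sized header through a
// client capped at limit bytes and returns the status code or the error.
// With a cap below the header size the Transport aborts the read instead of
// handing the whole header to ReadResponse.
func probe(headerBytes int, limit int64) (int, error) {
	srv := bigHeaderServer(headerBytes)
	defer srv.Close()
	return fetchWithHeaderLimit(srv.URL, limit)
}

func main() {
	const big = 2 << 20 // 2 MiB header value
	if _, err := probe(big, 1<<20); err != nil {
		fmt.Println("1 MiB cap rejected the response:", err)
	}
	if code, err := probe(big, 4<<20); err == nil {
		fmt.Println("4 MiB cap accepted the response, status", code)
	}
}
```

For a load generator like hey, 1 MiB is a generous ceiling for legitimate response headers, so the cap costs nothing in normal runs and bounds what a hostile target can push into the header parser even before the dependency bump lands.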