@nywilken (Contributor) commented Oct 2, 2023

The latest available release of github.com/dylanmei/winrmtest removes its dependency on github.com/satori/go.uuid, which was affected by CVE-2021-3539 (https://deps.dev/advisory/osv/GO-2020-0018).

Addresses a vulnerability with improper rendering of text nodes in golang.org/x/net/html.
@nywilken force-pushed the fix/dependency-cves-v0.5.2 branch 2 times, most recently from 597703b to fd541be on October 2, 2023 17:43
@nywilken changed the title from "fix/dependency cves v0.5.2" to "[HPR-1421] Address reported CVEs along with Go toolchain vulnerabilities" Oct 2, 2023
@nywilken added the enhancement, dependencies and security labels Oct 2, 2023
@nywilken marked this pull request as ready for review October 3, 2023 00:21
@nywilken requested a review from a team as a code owner October 3, 2023 00:21
@lbajolet-hashicorp (Contributor) left a comment

LGTM!

@nywilken force-pushed the fix/dependency-cves-v0.5.2 branch from aaddcb0 to fd541be on October 5, 2023 18:20
@nywilken force-pushed the fix/dependency-cves-v0.5.2 branch 4 times, most recently from ddf1150 to 3c0f418 on October 13, 2023 18:19
nywilken and others added 3 commits October 13, 2023 14:39
This change was made to address a number of vulnerabilities reported by govulncheck in Go 1.19.13.
Support for Go 1.19 is removed with this change. Moving forward, the minimum Go version will be bumped after a new Go minor version is released.

```
~>  govulncheck ./...
Scanning your code and 599 packages across 99 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2023-2043
    Improper handling of special tags within script contexts in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-2043
  Standard library
    Found in: html/[email protected]
    Fixed in: html/[email protected]
    Example traces found:
      #1: multistep/commonsteps/step_http_server.go:123:2: commonsteps.StepHTTPServer.Run calls http.Server.Serve, which eventually calls template.Template.Execute
      #2: multistep/commonsteps/step_http_server.go:123:2: commonsteps.StepHTTPServer.Run calls http.Server.Serve, which eventually calls template.Template.ExecuteTemplate

Vulnerability #2: GO-2023-2041
    Improper handling of HTML-like comments in script contexts in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-2041
  Standard library
    Found in: html/[email protected]
    Fixed in: html/[email protected]
    Example traces found:
      #1: multistep/commonsteps/step_http_server.go:123:2: commonsteps.StepHTTPServer.Run calls http.Server.Serve, which eventually calls template.Template.Execute
      #2: multistep/commonsteps/step_http_server.go:123:2: commonsteps.StepHTTPServer.Run calls http.Server.Serve, which eventually calls template.Template.ExecuteTemplate

Your code is affected by 2 vulnerabilities from the Go standard library.

```
@nywilken force-pushed the fix/dependency-cves-v0.5.2 branch from 3c0f418 to 7587a60 on October 13, 2023 18:39

@lbajolet-hashicorp (Contributor) left a comment

LGTM, good catch

@nywilken merged commit a68554d into main Oct 16, 2023
@nywilken deleted the fix/dependency-cves-v0.5.2 branch October 16, 2023 16:58
jooola referenced this pull request in hetznercloud/packer-plugin-hcloud Nov 28, 2023
…123)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/hashicorp/packer-plugin-sdk](https://togithub.com/hashicorp/packer-plugin-sdk) | require | patch | `v0.5.1` -> `v0.5.2` |

---

### Release Notes

<details>
<summary>hashicorp/packer-plugin-sdk (github.com/hashicorp/packer-plugin-sdk)</summary>

### [`v0.5.2`](https://togithub.com/hashicorp/packer-plugin-sdk/releases/tag/v0.5.2)

[Compare Source](https://togithub.com/hashicorp/packer-plugin-sdk/compare/v0.5.1...v0.5.2)

#### Upgrade Notes

Upgrading to this release may fail until you've applied one of the fixes documented in [packer-plugin-sdk#187](https://togithub.com/hashicorp/packer-plugin-sdk/issues/187#user-content-available-fixes). Consumers of the Packer plugin SDK require a replace directive within their plugin's go module file to point to a compatible version of go-cty. The replace directive, which is subject to change in future releases, can be applied by running the `packer-sdc fix` sub-command, which adds the replace directive to your plugin with a recommended version of the go-cty fork.

Plugins already working with Packer Plugin SDK v0.5.1 are advised to apply the updated SDK fixes by re-running `packer-sdc fix` against the plugin's root directory. The updated SDK fixes will bump the supported version of the go-cty fork to v1.13.3, which is required for working with hcl/v2 version 2.17.0 and above.

- **Bumped github.com/zclconf/go-cty to v1.13.1**: to bring in the latest supported changes of zclconf/go-cty and hashicorp/hcl/v2 to the SDK.
- **Bumped github.com/hashicorp/hcl/v2 to v2.19.1**: to bring in support for the latest HCL/v2 refinements builder and enhancements. Refinements are non-breaking changes, but you may see some changed results in your unit tests of operations involving unknown values.
- **Updated `packer-sdc fix`**: to upgrade the replace version for github.com/nywilken/go-cty from v1.12.1 to v1.13.3.

#### What's Changed

##### Exciting New Features 🎉

- Add capability to specify additional build args to be executed when running acceptance tests against builders by [@lbajolet-hashicorp](https://togithub.com/lbajolet-hashicorp) in [https://github.com/hashicorp/packer-plugin-sdk/pull/202](https://togithub.com/hashicorp/packer-plugin-sdk/pull/202)
- Bump supported version of go-cty to v1.13.3 by [@nywilken](https://togithub.com/nywilken) in [https://github.com/hashicorp/packer-plugin-sdk/pull/215](https://togithub.com/hashicorp/packer-plugin-sdk/pull/215)

##### Security Changes

- Bump go-getter to v2.2.1 by [@zliang-akamai](https://togithub.com/zliang-akamai) in [https://github.com/hashicorp/packer-plugin-sdk/pull/200](https://togithub.com/hashicorp/packer-plugin-sdk/pull/200)
- Address reported CVEs along with Go toolchain vulnerabilities by [@nywilken](https://togithub.com/nywilken) in [https://github.com/hashicorp/packer-plugin-sdk/pull/208](https://togithub.com/hashicorp/packer-plugin-sdk/pull/208), [https://github.com/hashicorp/packer-plugin-sdk/pull/213](https://togithub.com/hashicorp/packer-plugin-sdk/pull/213)

##### Bug Fixes 🧑‍🔧 🐞

- Fix issue where packer-sdc mapstructure-to-hcl was incorrectly mixing underlying structs for types with similar mapstructure tags by [@nywilken](https://togithub.com/nywilken) in [https://github.com/hashicorp/packer-plugin-sdk/pull/212](https://togithub.com/hashicorp/packer-plugin-sdk/pull/212)
- hcl2helper: preemptively panic on nil hcl spec by [@lbajolet-hashicorp](https://togithub.com/lbajolet-hashicorp) in [https://github.com/hashicorp/packer-plugin-sdk/pull/204](https://togithub.com/hashicorp/packer-plugin-sdk/pull/204)

##### Other Changes

- packer-sdc/struct-markdown: Allow packer-internal as project directory for testing purposes by [@nywilken](https://togithub.com/nywilken) in [https://github.com/hashicorp/packer-plugin-sdk/pull/218](https://togithub.com/hashicorp/packer-plugin-sdk/pull/218)

#### New Contributors

- [@zliang-akamai](https://togithub.com/zliang-akamai) made their first contribution in [https://github.com/hashicorp/packer-plugin-sdk/pull/200](https://togithub.com/hashicorp/packer-plugin-sdk/pull/200)

**Full Changelog**: hashicorp/packer-plugin-sdk@v0.5.1...v0.5.2

</details>


This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/hetznercloud/packer-plugin-hcloud).

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: jo <[email protected]>