
Upgrade github.com/snowflakedb/gosnowflake to the newer version #569

Open
xdingsplk opened this issue May 20, 2021 · 9 comments
@xdingsplk

xdingsplk commented May 20, 2021

Describe the Bug
github.com/snowflakedb/gosnowflake@v1.3.5 has a dependency on github.com/dgrijalva/jwt-go@v3.2.0+incompatible.
This version of jwt-go has a vulnerability:

  • allowing attackers to bypass intended access restrictions in situations with []string{} for m["aud"]

This will cause a security issue; newer versions of gosnowflake remove this dependency.
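As an added illustration (not code from this issue, from gosnowflake or from jwt-go), a simplified reimplementation of the audience check: the string-only type assertion pattern behind CVE-2020-26160 next to a hardened version that handles every JSON shape the `aud` claim may take. It assumes claims decoded with `encoding/json`, where a JSON array arrives as `[]interface{}`; the `Claims` type, the function names and the sample claim set are constructed for this example.

```go
package main

import "crypto/subtle"

// Claims: decoded payload as encoding/json yields it (not jwt-go's MapClaims).
type Claims map[string]interface{}

// sampleArrayAud is constructed: what encoding/json decodes from the payload
// {"aud":["svc-a","svc-b"]}. Signature verification is assumed done already.
var sampleArrayAud = Claims{"aud": []interface{}{"svc-a", "svc-b"}}

// weakAudienceOK mirrors the string-only pattern behind CVE-2020-26160: an
// array "aud" fails the assertion, becomes "" and passes as "no audience".
func weakAudienceOK(c Claims, expected string, required bool) bool {
	aud, _ := c["aud"].(string)
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(expected)) == 1
}

// audienceOK is the hardened check: every shape "aud" may take (absent,
// string, array of strings) is normalised and any other type is rejected.
func audienceOK(c Claims, expected string, required bool) bool {
	var auds []string
	switch v := c["aud"].(type) {
	case nil: // claim absent; decided by the length check below
	case string:
		auds = []string{v}
	case []interface{}:
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false // non-string element: malformed claim
			}
			auds = append(auds, s)
		}
	default:
		return false
	}
	if len(auds) == 0 {
		return !required
	}
	match := false
	for _, a := range auds { // compare every entry, no early exit
		match = subtle.ConstantTimeCompare([]byte(a), []byte(expected)) == 1 || match
	}
	return match
}
```

With `required` set to false, the weak check accepts a token whose array audience names only other services; the hardened check rejects it and still accepts a matching entry.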
@dhui
Member

dhui commented May 21, 2021

Thanks for the report. It looks like this is the vulnerability you were referring to

@dhui dhui closed this as completed in 8a1a853 May 22, 2021
@xdingsplk
Author

Thanks for the commit to fix it

@xdingsplk
Author

xdingsplk commented Jun 9, 2021

Just a follow-up on this. I realized that gosnowflake still has a dependency on this vulnerable jwt-go. They removed the direct dependency, but later they added another dependency which brings it back.

```
github.com/golang-migrate/migrate/v4@v4.14.2-0.20210521165626-8a1a8534dc64 github.com/snowflakedb/gosnowflake@v1.4.3
github.com/snowflakedb/gosnowflake@v1.4.3 github.com/Azure/azure-storage-blob-go@v0.13.0
github.com/Azure/azure-storage-blob-go@v0.13.0 github.com/Azure/go-autorest/autorest/adal@v0.9.2
github.com/Azure/go-autorest/autorest/adal@v0.9.2 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
```

@dhui
Member

dhui commented Jun 9, 2021

Haha! 🤦

Thanks for re-reporting! I've reopened the issue and will keep it open until the upstream dependencies are fixed.
Looks like this is still an issue in v1.5.0.

@dhui dhui reopened this Jun 9, 2021
@xdingsplk
Author

Just FYI, my team decided to use "replace" to get rid of the vulnerable code in jwt-go. It was too much for us to track the dependencies all the way down through 4 repos. But we can keep the issue open to track this vulnerability.

@kchodnicki

The issue still exists:

```
github.com/dhui/dktest@v0.3.7
- github.com/containerd/containerd@v1.5.7
-- github.com/Microsoft/hcsshim@v0.8.21
--- github.com/containerd/containerd@v1.5.1 (yeah...)
---- k8s.io/component-base@v0.20.6 (also 0.20.1 and 0.20.4)
----- k8s.io/client-go@v0.20.6
------ github.com/Azure/go-autorest/autorest@v0.11.1
------- github.com/Azure/go-autorest/autorest/adal@v0.9.0
-------- github.com/dgrijalva/jwt-go@v3.2.0+incompatible
```

I know it's only used for testing, but still...
CVE details: https://nvd.nist.gov/vuln/detail/CVE-2020-26160

@zibi94

zibi94 commented Nov 5, 2021

And more issues:

[CVE-2020-8558] The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, ...
[CVE-2019-11248] The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet ...
[CVE-2019-11247] The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custo...
[CVE-2019-11243] Credentials Management
[CVE-2021-25741] A security issue was discovered in Kubernetes where a user may be able to create...
[CVE-2020-8552] The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, ...
[CVE-2019-11253] Improper input validation in the Kubernetes API server in versions v1.0-1.12 and...

```
-> github.com/golang-migrate/migrate/v4@v4.15.1
--> github.com/dhui/dktest@v0.3.7
---> github.com/containerd/containerd@v1.5.7
----> github.com/containerd/aufs@v1.0.0
-----> github.com/containerd/containerd@v1.5.0-beta.3
------> github.com/Microsoft/hcsshim@v0.8.15
-------> github.com/containerd/containerd@v1.5.0-beta.1
--------> github.com/containerd/aufs@v0.0.0-20200908144142-dab0cbea06f4
----------> github.com/Microsoft/hcsshim@v0.8.7
-----------> k8s.io/kubernetes@v1.13.0
```

[CVE-2020-15114] In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP prox...

```
-> github.com/golang-migrate/migrate/v4@v4.15.1
--> github.com/dhui/dktest@v0.3.7
---> github.com/containerd/containerd@v1.5.7
----> github.com/containerd/continuity@v0.1.0
-----> github.com/spf13/cobra@v1.0.0
------> github.com/spf13/viper@v1.4.0
-------> github.com/coreos/etcd@v3.3.10+incompatible
```

@zibi94

zibi94 commented May 25, 2022

Nancy again found vulnerabilities:
[CVE-2022-24778] CWE-863: Incorrect Authorization

```
--> github.com/golang-migrate/migrate/v4@v4.15.2
----> github.com/dhui/dktest@v0.3.10
------> github.com/containerd/containerd@v1.6.1
-------- github.com/containerd/imgcrypt@v1.1.3
```

sonatype-2021-0853

```
--> github.com/golang-migrate/migrate/v4@v4.15.2
----> github.com/jackc/pgproto3/v2@v2.0.7
```

[CVE-2022-29162] CWE-276: Incorrect Default Permissions

```
--> github.com/golang-migrate/migrate/v4@v4.15.2
----> github.com/dhui/dktest@v0.3.10
------> github.com/containerd/containerd@v1.6.1
--------> github.com/opencontainers/runc@v1.1.0
```

[CVE-2022-21698] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

```
--> github.com/golang-migrate/migrate/v4@v4.15.2
----> github.com/dhui/dktest@v0.3.10
------> github.com/containerd/containerd@v1.6.1
---------> github.com/prometheus/client_golang@v1.11.0
```

[CVE-2020-8558] CWE-287: Improper Authentication
[CVE-2019-11248] CWE-862: Missing Authorization
[CVE-2019-11243] CWE-212: Improper Cross-boundary Removal of Sensitive Data
[CVE-2019-11247] CWE-863: Incorrect Authorization
[CVE-2021-25741] CWE-552: Files or Directories Accessible to External Parties
[CVE-2019-11253] CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
[CVE-2020-8559] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
[CVE-2019-1002100] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
[CVE-2019-11249] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[CVE-2019-11250] CWE-532: Information Exposure Through Log Files
[CVE-2019-11252] CWE-209: Information Exposure Through an Error Message
[CVE-2019-11254] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
[CVE-2020-8551] CWE-770: Allocation of Resources Without Limits or Throttling
[CVE-2021-25735] CWE-863: Incorrect Authorization
[CVE-2019-11251] CWE-59: Improper Link Resolution Before File Access ('Link Following')
[CVE-2020-8566] CWE-532: Information Exposure Through Log Files
[CVE-2020-8557] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
[CVE-2020-8564] CWE-532: Information Exposure Through Log Files
[CVE-2020-8565] CWE-532: Information Exposure Through Log Files
[CVE-2019-1002101] CWE-59: Improper Link Resolution Before File Access ('Link Following')
[CVE-2019-11244] CWE-732: Incorrect Permission Assignment for Critical Resource
[CVE-2020-8554] CWE-863: Incorrect Authorization
[CVE-2021-3636] CWE-287: Improper Authentication
[CVE-2021-25736] CWE-20: Improper Input Validation
[CVE-2020-8552] CWE-770: Allocation of Resources Without Limits or Throttling
[CVE-2020-8561] CWE-610: Externally Controlled Reference to a Resource in Another Sphere
[CVE-2020-8562] CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
[CVE-2021-25740] CWE-610: Externally Controlled Reference to a Resource in Another Sphere
[CVE-2021-25743] CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
[CVE-2018-1002102] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

```
--> github.com/golang-migrate/migrate/v4@v4.15.2
----> github.com/dhui/dktest@v0.3.10
------> github.com/containerd/containerd@v1.6.1
--------> github.com/Microsoft/hcsshim@v0.8.7
-----------> k8s.io/kubernetes@v1.13.0
```

sonatype-2019-0702

```
--> github.com/golang-migrate/migrate/v4@v4.15.2
----> go.mongodb.org/mongo-driver@v1.7.0
------> github.com/gobuffalo/packr/v2@v2.2.0
```

@serhatperkmen

Hello folks,

Any update about the vulnerabilities?

FPiety0521 pushed a commit to FPiety0521/Golang-SQL that referenced this issue May 24, 2023