Scanning your code and 1692 packages across 318 dependent modules for known vulnerabilities...
Vulnerability #1: GO-2024-2611
Infinite loop in JSON unmarshaling in google.golang.org/protobuf
More info: https://pkg.go.dev/vuln/GO-2024-2611
Module: google.golang.org/protobuf
Found in: google.golang.org/[email protected]
Fixed in: google.golang.org/[email protected]
Example traces found:
#1: services/store/pkg/service/v0/service.go:92:31: service.Service.Read calls protojson.Unmarshal, which eventually calls json.Decoder.Peek
#2: services/store/pkg/service/v0/service.go:92:31: service.Service.Read calls protojson.Unmarshal, which eventually calls json.Decoder.Read
#3: services/store/pkg/service/v0/service.go:92:31: service.Service.Read calls protojson.Unmarshal
#4: protogen/gen/ocis/services/settings/v0/settings.pb.web.go:1486:59: settings.GetPermissionByIDResponse.UnmarshalJSON calls jsonpb.Unmarshaler.Unmarshal, which eventually calls protojson.UnmarshalOptions.Unmarshal
Vulnerability #2: GO-2024-2610
Errors returned from JSON marshaling may break template escaping in
html/template
More info: https://pkg.go.dev/vuln/GO-2024-2610
Standard library
Found in: html/[email protected]
Fixed in: html/[email protected]
Example traces found:
#1: services/notifications/pkg/email/email.go:91:23: email.executeTemplate calls template.Template.Execute
#2: services/proxy/pkg/middleware/account_resolver.go:89:19: middleware.accountResolver.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls template.Template.ExecuteTemplate
Vulnerability #3: GO-2024-2609
Comments in display names are incorrectly handled in net/mail
More info: https://pkg.go.dev/vuln/GO-2024-2609
Standard library
Found in: net/[email protected]
Fixed in: net/[email protected]
Example traces found:
#1: services/notifications/pkg/channels/channels.go:117:98: channels.Mail.SendMessage calls simple.Email.AddTo, which eventually calls mail.Address.String
#2: services/notifications/pkg/channels/channels.go:117:98: channels.Mail.SendMessage calls simple.Email.AddTo, which eventually calls mail.ParseAddress
Vulnerability #4: GO-2024-2600
Incorrect forwarding of sensitive headers and cookies on HTTP redirect in
net/http
More info: https://pkg.go.dev/vuln/GO-2024-2600
Standard library
Found in: net/[email protected]
Fixed in: net/[email protected]
Example traces found:
#1: ocis-pkg/oidc/client.go:238:30: oidc.oidcClient.UserInfo calls http.Client.Do
#2: ocis-pkg/oidc/metadata.go:101:25: oidc.GetIDPMetadata calls http.Client.Get
#3: services/search/pkg/command/health.go:25:25: command.Health calls http.Get
#4: ocis-pkg/oidc/client.go:238:30: oidc.oidcClient.UserInfo calls http.Client.Do, which eventually calls cookiejar.Jar.Cookies
#5: ocis-pkg/oidc/client.go:238:30: oidc.oidcClient.UserInfo calls http.Client.Do, which eventually calls cookiejar.Jar.SetCookies
Vulnerability #5: GO-2024-2599
Memory exhaustion in multipart form parsing in net/textproto and net/http
More info: https://pkg.go.dev/vuln/GO-2024-2599
Standard library
Found in: net/[email protected]
Fixed in: net/[email protected]
Example traces found:
#1: services/antivirus/pkg/scanners/icap.go:59:28: scanners.ICAP.Scan calls icap.Client.Do, which eventually calls textproto.Reader.ReadLine
#2: services/antivirus/pkg/scanners/icap.go:59:28: scanners.ICAP.Scan calls icap.Client.Do, which eventually calls textproto.Reader.ReadMIMEHeader
#3: services/notifications/pkg/channels/channels.go:95:35: channels.Mail.getMailClient calls simple.SMTPServer.Connect, which eventually calls textproto.Reader.ReadResponse
Vulnerability #6: GO-2024-2598
Verify panics on certificates with an unknown public key algorithm in
crypto/x509
More info: https://pkg.go.dev/vuln/GO-2024-2598
Standard library
Found in: crypto/[email protected]
Fixed in: crypto/[email protected]
Example traces found:
#1: services/nats/pkg/server/nats/nats.go:27:34: nats.NewNATSServer calls server.NewServer, which eventually calls x509.Certificate.Verify
Your code is affected by 6 vulnerabilities from 1 module and the Go standard library.
Share feedback at https://go.dev/s/govulncheck-feedback.
make: *** [Makefile:279: govulncheck] Error 3
Describe the bug
go-vulnerability-scan is failing CI
Steps to reproduce
Run CI
Expected behavior
go-vulnerability-scan passes
Actual behavior
go-vulnerability-scan fails
https://drone.owncloud.com/owncloud/ocis/32659/9/6
And same for
stable-5.0
https://drone.owncloud.com/owncloud/ocis/32664/9/6
It seems to have started failing last night.
Setup
CI