gosec/go.mod

28 lines
908 B
Modula-2
Raw Normal View History

module github.com/securego/gosec/v2
require (
github.com/google/uuid v1.3.0
2022-09-05 03:54:08 +01:00
github.com/gookit/color v1.5.2
2022-09-12 02:46:14 +01:00
github.com/lib/pq v1.10.7
github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5
2021-03-01 08:45:00 +00:00
github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354
go.mod: ginkgo/v2 v2.3.1, golang.org/x/text v0.3.8, update go versions (#880) * gha: remove go1.17, temporarily force 1.18.7, 1.19.2 The security scanner is flagging the code to have a vulnerability, but it's detecting that we're running go1.18.6, not "latest" (go1.18.7 at time of writing). Temporarily pinning to go1.18.7 to force installing the latest version: Vulnerability #1: GO-2022-1039 Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected. Call stacks in your code: Error: helpers.go:463:26: github.com/securego/gosec/v2.ExcludedDirsRegExp calls regexp.MustCompile, which eventually calls regexp/syntax.Parse Found in: regexp/syntax@go1.18.6 Fixed in: regexp/syntax@go1.19.2 More info: https://pkg.go.dev/vuln/GO-2022-1039 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> * go.mod: github.com/onsi/ginkgo/v2 v2.3.1 CI was failing because of a mismatch: /home/runner/go/bin/ginkgo -v --fail-fast Ginkgo detected a version mismatch between the Ginkgo CLI and the version of Ginkgo imported by your packages: Ginkgo CLI Version: 2.3.1 Mismatched package versions found: 2.2.0 used by gosec Signed-off-by: Sebastiaan van Stijn <github@gone.nl> * go.mod: golang.org/x/text v0.3.8 to address GO-2022-1059 The vulnerabilities below are in packages that you import, but your code doesn't appear to call any vulnerable functions. You may not need to take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details. Vulnerability #1: GO-2022-1059 An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. Found in: golang.org/x/text/language@v0.3.7 Fixed in: golang.org/x/text/language@v0.3.8 More info: https://pkg.go.dev/vuln/GO-2022-1059 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-17 09:05:13 +01:00
github.com/onsi/ginkgo/v2 v2.3.1
github.com/onsi/gomega v1.22.1
golang.org/x/crypto v0.0.0-20221012134737-56aed061732a
golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
go.mod: ginkgo/v2 v2.3.1, golang.org/x/text v0.3.8, update go versions (#880) * gha: remove go1.17, temporarily force 1.18.7, 1.19.2 The security scanner is flagging the code to have a vulnerability, but it's detecting that we're running go1.18.6, not "latest" (go1.18.7 at time of writing). Temporarily pinning to go1.18.7 to force installing the latest version: Vulnerability #1: GO-2022-1039 Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected. Call stacks in your code: Error: helpers.go:463:26: github.com/securego/gosec/v2.ExcludedDirsRegExp calls regexp.MustCompile, which eventually calls regexp/syntax.Parse Found in: regexp/syntax@go1.18.6 Fixed in: regexp/syntax@go1.19.2 More info: https://pkg.go.dev/vuln/GO-2022-1039 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> * go.mod: github.com/onsi/ginkgo/v2 v2.3.1 CI was failing because of a mismatch: /home/runner/go/bin/ginkgo -v --fail-fast Ginkgo detected a version mismatch between the Ginkgo CLI and the version of Ginkgo imported by your packages: Ginkgo CLI Version: 2.3.1 Mismatched package versions found: 2.2.0 used by gosec Signed-off-by: Sebastiaan van Stijn <github@gone.nl> * go.mod: golang.org/x/text v0.3.8 to address GO-2022-1059 The vulnerabilities below are in packages that you import, but your code doesn't appear to call any vulnerable functions. You may not need to take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details. Vulnerability #1: GO-2022-1059 An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. Found in: golang.org/x/text/language@v0.3.7 Fixed in: golang.org/x/text/language@v0.3.8 More info: https://pkg.go.dev/vuln/GO-2022-1059 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-17 09:05:13 +01:00
golang.org/x/text v0.3.8
golang.org/x/tools v0.1.12
gopkg.in/yaml.v2 v2.4.0
)
require (
github.com/google/go-cmp v0.5.8 // indirect
github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)
go 1.19