actions/gosec
1
0
Fork 0
mirror of https://github.com/securego/gosec.git synced 2024-11-05 19:45:51 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
gosec/.github/workflows
History
Sebastiaan van Stijn ed386818fd
go.mod: ginkgo/v2 v2.3.1, golang.org/x/text v0.3.8, update go versions (#880) 
* gha: remove go1.17, temporarily force 1.18.7, 1.19.2

The  security scanner is flagging the code to have a vulnerability, but it's
detecting that we're running go1.18.6, not "latest" (go1.18.7 at time of writing).

Temporarily pinning to go1.18.7 to force installing the latest version:

    Vulnerability #1: GO-2022-1039
      Programs which compile regular expressions from untrusted
      sources may be vulnerable to memory exhaustion or denial of
      service. The parsed regexp representation is linear in the size
      of the input, but in some cases the constant factor can be as
      high as 40,000, making relatively small regexps consume much
      larger amounts of memory. After fix, each regexp being parsed is
      limited to a 256 MB memory footprint. Regular expressions whose
      representation would use more space than that are rejected.
      Normal use of regular expressions is unaffected.

      Call stacks in your code:
      Error:       helpers.go:463:26: github.com/securego/gosec/v2.ExcludedDirsRegExp calls regexp.MustCompile, which eventually calls regexp/syntax.Parse

      Found in: regexp/syntax@go1.18.6
      Fixed in: regexp/syntax@go1.19.2
      More info: https://pkg.go.dev/vuln/GO-2022-1039

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* go.mod: github.com/onsi/ginkgo/v2 v2.3.1

CI was failing because of a mismatch:

    /home/runner/go/bin/ginkgo -v --fail-fast
    Ginkgo detected a version mismatch between the Ginkgo CLI and the version of Ginkgo imported by your packages:
      Ginkgo CLI Version:
        2.3.1
      Mismatched package versions found:
       2.2.0 used by gosec

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* go.mod: golang.org/x/text v0.3.8

to address GO-2022-1059

    The vulnerabilities below are in packages that you import, but your code
    doesn't appear to call any vulnerable functions. You may not need to take any
    action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
    for details.

    Vulnerability #1: GO-2022-1059
      An attacker may cause a denial of service by crafting an Accept-Language
      header which ParseAcceptLanguage will take significant time to parse.

      Found in: golang.org/x/text/language@v0.3.7
      Fixed in: golang.org/x/text/language@v0.3.8
      More info: https://pkg.go.dev/vuln/GO-2022-1059

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-17 10:05:13 +02:00
..
ci.yml go.mod: ginkgo/v2 v2.3.1, golang.org/x/text v0.3.8, update go versions (#880) 2022-10-17 10:05:13 +02:00
release.yml chore: add support for Go 1.19 2022-08-08 10:56:19 +02:00
scan.yml chore(deps): update all dependencies (#811) 2022-05-02 21:00:33 +02:00