
github.com/golang/protobuf/proto was deprecated #1136

Open
ebilling opened this issue Jan 21, 2022 · 7 comments
Labels
apm:ecosystem contrib/* related feature requests or bugs bug unintended behavior that has to be fixed low-hanging Tasks that are quick and/or easy.

Comments

@ebilling

The library github.com/golang/protobuf/proto was deprecated over a year ago.

The new home is google.golang.org/protobuf/proto

Also, "github.com/golang/protobuf/jsonpb" has been deprecated by "google.golang.org/protobuf/encoding/protojson"

I have updated quite a few repos recently and I'll try to get a PR to you soon.

ebilling added a commit to ebilling/dd-trace-go that referenced this issue Jan 21, 2022
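A small check for the migration described above, added here as an example and not code from dd-trace-go or from this issue: it parses Go source for the two deprecated import paths named in the post and scans go.mod text for the deprecated module, using only the standard library. The sample inputs in main are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"go/parser"
	"go/token"
	"strings"
)

// Deprecated import paths named in the issue, mapped to their replacements.
var replacements = map[string]string{
	"github.com/golang/protobuf/proto":  "google.golang.org/protobuf/proto",
	"github.com/golang/protobuf/jsonpb": "google.golang.org/protobuf/encoding/protojson",
}

// DeprecatedImports parses Go source (imports only) and maps each deprecated import path found to its replacement.
func DeprecatedImports(src string) (map[string]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "src.go", src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	found := map[string]string{}
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, `"`)
		if repl, ok := replacements[path]; ok {
			found[path] = repl
		}
	}
	return found, nil
}

// DeprecatedRequires returns "module version" for every require line (single-line or in a block) on the deprecated module.
func DeprecatedRequires(gomod string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		fields := strings.Fields(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require "))
		if len(fields) >= 2 && fields[0] == "github.com/golang/protobuf" {
			hits = append(hits, fields[0]+" "+fields[1])
		}
	}
	return hits
}

func main() {
	// Constructed sample inputs, not taken from dd-trace-go.
	src := "package demo\nimport (\n\t\"fmt\"\n\t\"github.com/golang/protobuf/proto\"\n)\n"
	found, _ := DeprecatedImports(src)
	fmt.Println(found, DeprecatedRequires("require github.com/golang/protobuf v1.4.3\n"))
}
```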
@kaitlinr

kaitlinr commented Feb 23, 2022

I'd just like to bump this issue! We're seeing some security vulns from this package related to golang.org/x/crypto and golang.org/x/text.

I think this would also involve updating DataDog/sketches-go to 1.3.0. This means #1051 would need to be merged first.


@dianashevchenko
Contributor

#1051 is now merged, we'll bump protobuf in a moment 🙌

@radykal-com
Contributor

Any update on this? The deprecated protobuf module is still in go.mod.

@katiehockman katiehockman added low-hanging Tasks that are quick and/or easy. apm:ecosystem contrib/* related feature requests or bugs labels Jan 11, 2023
@zarirhamza zarirhamza added the bug unintended behavior that has to be fixed label Mar 8, 2023
@dogeviper

dogeviper commented Apr 20, 2023

Hi, seems like the deprecated libraries are still here. Any update as to when the fix will be pushed out?

Seeing the following vulnerabilities:

http://golang.org/x/crypto/ssh - Improper Signature Verification
Introduced through: gopkg.in/DataDog/dd-trace-go.v1@v1.49.1 › github.com/hashicorp/consul/api@v1.0.0 › github.com/hashicorp/serf@v0.8.2 › github.com/hashicorp/mdns@v1.0.0 › golang.org/x/crypto@v0.0.0-20181029021203-45a5f77698d3

Introduced through: gopkg.in/DataDog/dd-trace-go.v1@v1.49.1 › k8s.io/client-go@v0.17.0 › github.com/gophercloud/gophercloud@v0.1.0 › golang.org/x/crypto@v0.0.0-20190211182817-74369b46fc67
Fixed in golang.org/x/crypto/ssh@0.0.0-20200220183623-bac4c82f6975

http://github.com/emicklei/go-restful - Authorization Bypass
Introduced through: gopkg.in/DataDog/dd-trace-go.v1@v1.49.1 › k8s.io/api@v0.17.0 › k8s.io/apimachinery@v0.17.0 › k8s.io/kube-openapi@v0.0.0-20191107075043-30be4d16710a › github.com/emicklei/go-restful@v0.0.0-20170410110728-ff4f55a20633
Fixed in github.com/emicklei/go-restful@2.16.0

http://github.com/emicklei/go-restful/v3 - Authorization Bypass
Introduced through: gopkg.in/DataDog/dd-trace-go.v1@v1.49.1 › k8s.io/api@v0.17.0 › k8s.io/apimachinery@v0.17.0 › k8s.io/kube-openapi@v0.0.0-20191107075043-30be4d16710a › github.com/emicklei/go-restful@v0.0.0-20170410110728-ff4f55a20633
Fixed in github.com/emicklei/go-restful/v3@3.8.0

http://github.com/emicklei/go-restful/v3 - Authorization Bypass Through User-Controlled Key
Introduced through: gopkg.in/DataDog/dd-trace-go.v1@v1.49.1 › k8s.io/api@v0.17.0 › k8s.io/apimachinery@v0.17.0 › k8s.io/kube-openapi@v0.0.0-20191107075043-30be4d16710a › github.com/emicklei/go-restful@v0.0.0-20170410110728-ff4f55a20633
Fixed in github.com/emicklei/go-restful/v3@3.8.0

http://golang.org/x/net/html - Denial of Service (DoS)
Introduced through: gopkg.in/DataDog/dd-trace-go.v1@v1.49.1 › k8s.io/api@v0.17.0 › k8s.io/apimachinery@v0.17.0 › k8s.io/kube-openapi@v0.0.0-20191107075043-30be4d16710a › golang.org/x/net@v0.0.0-20170114055629-f2499483f923
Fixed in golang.org/x/net/html@0.0.0-20190125002852-4b62a64f59f7

@dianashevchenko fyi

@katiehockman
Contributor

katiehockman commented May 3, 2023

We use govulncheck as the source of truth for possible vulnerabilities in our code. So that means that our go.mod file could require a version of a module that has a vulnerability in a part of the module which isn't reachable from our code. We do this to avoid requiring a higher version in our go.mod file than what is required for users to rely on our code in a secure way.

https://github.com/DataDog/dd-trace-go/blob/main/SECURITY.md#reporting-a-vulnerability

However, if the tool has missed any vulnerabilities that you feel could affect customers, please file a support ticket so we can address that quickly.

@katiehockman
Contributor

katiehockman commented May 3, 2023

As far as upgrading github.com/golang/protobuf/proto, we are actively looking into that and will loop back around soon.

@zarirhamza
Contributor

Just jumping in real quick - we're looking into it right now, and it seems that since we support an older version of one of the grpc libraries, we're unable to remove the dependency right away without looking into some alternatives. Rest assured we are looking into it and will continue to keep you updated.
