update golang crypto library dependency #815

Merged
merged 2 commits into from Feb 11, 2022

Conversation

@spiffcs spiffcs (Contributor) commented Feb 11, 2022

Resolves:
https://security.archlinux.org/CVE-2021-43565

20210921155107-089bfa567519 < v0.0.0-20211202192323-5770296d904e

Bump to 2022xxx

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
github-actions bot commented Feb 11, 2022

Benchmark Test Results

Benchmark results from the latest changes vs base branch
name                                                       old time/op    new time/op    delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2              1.61ms ± 4%    1.70ms ± 7%    ~     (p=0.151 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2            3.66ms ± 2%    4.00ms ±11%  +9.06%  (p=0.032 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2    1.26ms ± 2%    1.28ms ±10%    ~     (p=1.000 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         989µs ± 3%    1014µs ± 4%    ~     (p=0.222 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                    1.15ms ± 2%    1.22ms ± 5%  +5.38%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                     1.05ms ± 2%    1.06ms ± 3%    ~     (p=0.421 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      26.9ms ± 2%    28.2ms ± 4%    ~     (p=0.056 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                     1.56ms ± 4%    1.56ms ± 5%    ~     (p=0.841 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2          2.44µs ± 1%    2.40µs ± 3%    ~     (p=0.095 n=5+5)

name                                                       old alloc/op   new alloc/op   delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2               252kB ± 0%     253kB ± 0%  +0.19%  (p=0.016 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2            1.06MB ± 0%    1.07MB ± 0%  +0.18%  (p=0.008 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     253kB ± 0%     253kB ± 0%  +0.16%  (p=0.016 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         208kB ± 0%     208kB ± 0%  +0.19%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     254kB ± 0%     254kB ± 0%  +0.18%  (p=0.032 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                      236kB ± 0%     236kB ± 0%    ~     (p=0.690 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      4.18MB ± 0%    4.19MB ± 0%    ~     (p=0.151 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                     1.30MB ± 0%    1.30MB ± 0%  +0.06%  (p=0.032 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2            608B ± 0%      608B ± 0%    ~     (all equal)

name                                                       old allocs/op  new allocs/op  delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2               6.33k ± 0%     6.33k ± 0%    ~     (all equal)
ImagePackageCatalogers/python-package-cataloger-2             21.4k ± 0%     21.4k ± 0%    ~     (p=0.413 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     7.25k ± 0%     7.25k ± 0%    ~     (p=1.000 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         5.36k ± 0%     5.36k ± 0%    ~     (all equal)
ImagePackageCatalogers/dpkgdb-cataloger-2                     7.10k ± 0%     7.10k ± 0%    ~     (all equal)
ImagePackageCatalogers/rpmdb-cataloger-2                      6.82k ± 0%     6.82k ± 0%    ~     (all equal)
ImagePackageCatalogers/java-cataloger-2                       86.8k ± 0%     86.8k ± 0%    ~     (p=0.548 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                      7.37k ± 0%     7.37k ± 0%    ~     (p=0.238 n=5+4)
ImagePackageCatalogers/go-module-binary-cataloger-2            14.0 ± 0%      14.0 ± 0%    ~     (all equal)

@spiffcs spiffcs changed the title bump golang crypto to resolve CVE-2020-29652 bump golang crypto usage Feb 11, 2022
@spiffcs spiffcs requested a review from a team February 11, 2022 18:32
@spiffcs spiffcs changed the title bump golang crypto usage update golang crypto library dependency Feb 11, 2022
@spiffcs spiffcs merged commit e1e9ccb into main Feb 11, 2022
@spiffcs spiffcs deleted the update-crypto branch February 11, 2022 18:36
spiffcs added a commit that referenced this pull request Feb 17, 2022
…hore/syft into 510-attach-sbomb-attestation

* '510-attach-sbomb-attestation' of https://github.com/anchore/syft:
  Upgrade install.sh to support installations for previous versions (#830)
  remove duplicate manifest lines (#828)
  bump stereoscope to include functional options (#823)
  update golang crypto library dependency (#815)
  deduplicate SPDX tag-value package IDs (#813)
  Add pURL generation for java packages + fix NPM pURL generation (#812)
spiffcs added a commit that referenced this pull request Feb 17, 2022
* main:
  Upgrade install.sh to support installations for previous versions (#830)
  remove duplicate manifest lines (#828)
  bump stereoscope to include functional options (#823)
  update golang crypto library dependency (#815)
  deduplicate SPDX tag-value package IDs (#813)
  Add pURL generation for java packages + fix NPM pURL generation (#812)

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
spiffcs added a commit that referenced this pull request Feb 18, 2022
* bump golang crypto to resolve CVE-2020-29652

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* go mod tidy

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024