
chartMuseum binary contains High Vulnerable github.com/dgrijalva/jwt-go v3.2.0+incompatible library #567

Open
shubham-in10se opened this issue Mar 21, 2022 · 2 comments · May be fixed by chartmuseum/auth#14
Labels
dependencies Pull requests that update a dependency file

Comments

@shubham-in10se

Hi,
The chartMuseum binary contains the github.com/dgrijalva/jwt-go v3.2.0+incompatible library, which is flagged as a high security risk as it has an Access Restriction Bypass Vulnerability.
Ref: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515

The mentioned library is coming as a derived dependency, as is verified by searching for it in the go.mod file. It is because of this vulnerable library that all the images having even the latest chartMuseum binary baked into them are failing the security scans.

@scbizu
Contributor

scbizu commented Mar 22, 2022

Thank you, will upgrade it ASAP

@scbizu scbizu added the dependencies Pull requests that update a dependency file label Mar 24, 2022
@scbizu
Contributor

scbizu commented Mar 24, 2022

$ go mod why github.com/golang-jwt/jwt
go: downloading github.com/stretchr/testify v1.7.1
# github.com/golang-jwt/jwt
helm.sh/chartmuseum/pkg/chartmuseum/router
github.com/chartmuseum/auth
github.com/golang-jwt/jwt
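The reporter verified the transitive dependency by searching the go.mod file, and the maintainer's `go mod why` output above shows the import chain. The following is an added example, not part of this issue or of the chartmuseum project, of automating that go.mod check so a CI step or image scan can flag the unmaintained github.com/dgrijalva/jwt-go module (and report whether it arrives as an indirect dependency) before it reaches a built image. The `sampleGoMod` content, the `ScanGoMod` function and the `riskyModules` table are all constructed for this example; the module versions in the sample are illustrative and are not chartmuseum's real go.mod.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding describes one flagged require line in a go.mod file.
type Finding struct {
	Module   string
	Version  string
	Indirect bool // true when the line carries "// indirect", i.e. a derived dependency
	Advice   string
}

// riskyModules maps a module path to the advice printed when it is found.
// The one entry is the module discussed in this issue; the "Access Restriction
// Bypass" wording and the Snyk id come from the issue text. The table is an
// assumption of this example and would normally be fed from an advisory feed.
var riskyModules = map[string]string{
	"github.com/dgrijalva/jwt-go": "unmaintained; flagged for Access Restriction Bypass " +
		"(SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515); migrate to the maintained fork github.com/golang-jwt/jwt",
}

// ScanGoMod parses go.mod text and returns one Finding per require line whose
// module path is in riskyModules. It handles both the single-line
// "require x v1" form and the "require ( ... )" block form.
func ScanGoMod(goMod string) []Finding {
	var findings []Finding
	inRequireBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "//"):
			continue
		case line == "require (":
			inRequireBlock = true
			continue
		case inRequireBlock && line == ")":
			inRequireBlock = false
			continue
		}
		var fields []string
		if strings.HasPrefix(line, "require ") {
			fields = strings.Fields(strings.TrimPrefix(line, "require "))
		} else if inRequireBlock {
			fields = strings.Fields(line)
		} else {
			continue // module, go, replace and exclude directives are not requirements
		}
		if len(fields) < 2 {
			continue
		}
		advice, risky := riskyModules[fields[0]]
		if !risky {
			continue
		}
		findings = append(findings, Finding{
			Module:   fields[0],
			Version:  fields[1],
			Indirect: strings.Contains(line, "// indirect"),
			Advice:   advice,
		})
	}
	return findings
}

// sampleGoMod is a constructed go.mod fragment for demonstration only.
// The jwt-go line is marked indirect, which is how a derived dependency
// pulled in through another module appears in go.mod.
const sampleGoMod = `module example.com/app

go 1.17

require (
	github.com/chartmuseum/auth v0.0.0-placeholder
	github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect
	github.com/gin-gonic/gin v1.7.7
)
`

func main() {
	for _, f := range ScanGoMod(sampleGoMod) {
		kind := "direct"
		if f.Indirect {
			kind = "indirect"
		}
		fmt.Printf("FLAGGED %s %s (%s): %s\n", f.Module, f.Version, kind, f.Advice)
	}
}
```

Running this against the constructed sample prints one FLAGGED line for jwt-go marked as indirect; a direct `require` of the same module is reported as direct, and a go.mod that already requires the golang-jwt fork yields no findings. For a real pipeline the `riskyModules` table would be replaced by an advisory feed, and the check belongs next to `go mod why` in the build rather than only in the image scan, since the issue notes the scan failure surfaces only after the binary is baked into images.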
