
Vulnerabilities due to go1.20 #115

Closed
Jakub-PMX opened this issue Mar 18, 2024 · 2 comments

@Jakub-PMX

> grype version  
Application:         grype
Version:             0.74.7
BuildDate:           2024-02-26T18:24:14Z
GitCommit:           987238519b8d6e302130ab715f20daed6634da68
GitDescription:      v0.74.7
Platform:            darwin/amd64
GoVersion:           go1.21.7
Compiler:            gc
Syft Version:        v0.105.1
Supported DB Schema: 5
> grype aws-lambda-rie

NAME    INSTALLED  FIXED-IN  TYPE       VULNERABILITY   SEVERITY 
stdlib  go1.20.14            go-module  CVE-2024-24785  Unknown   
stdlib  go1.20.14            go-module  CVE-2024-24784  Unknown   
stdlib  go1.20.14            go-module  CVE-2024-24783  Unknown   
stdlib  go1.20.14            go-module  CVE-2023-45290  Unknown   
stdlib  go1.20.14            go-module  CVE-2023-45289  Unknown

When I tried to upgrade to Go 1.21 (although I am not that familiar with Go), the build of the binary went through with the compile-with-docker command and grype aws-lambda-rie reported no vulnerabilities.

Here is the diff:

diff --git a/Makefile b/Makefile
index 80ccb89..1916dae 100644
--- a/Makefile
+++ b/Makefile
@@ -21,7 +21,7 @@ compile-lambda-linux-all:
        make ARCH=old compile-lambda-linux
 
 compile-with-docker:
-       docker run --env GOPROXY=direct -v $(shell pwd):/LambdaRuntimeLocal -w /LambdaRuntimeLocal golang:1.20 make ARCH=${ARCH} compile-lambda-linux
+       docker run --env GOPROXY=direct -v $(shell pwd):/LambdaRuntimeLocal -w /LambdaRuntimeLocal golang:1.21 make ARCH=${ARCH} compile-lambda-linux
 
 compile-lambda-linux:
        CGO_ENABLED=0 GOOS=linux GOARCH=${GO_ARCH_${ARCH}} go build -buildvcs=false -ldflags "${RELEASE_BUILD_LINKER_FLAGS}" -o ${DESTINATION_${ARCH}} ./cmd/aws-lambda-rie
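Review bot: the new `golang:1.21` on the `compile-with-docker` line is a floating tag, so the toolchain (and with it the stdlib that ends up in the binary) is whatever 1.21.x the registry serves on build day, and two builds of the same commit can differ. Pin the patch release the fix is meant to carry, e.g. `golang:1.21.8`, or better the image digest, so the version grype reports is the one the Makefile declares.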
diff --git a/go.mod b/go.mod
index 990a7dd..954c4de 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module go.amzn.com
 
-go 1.20
+go 1.21
 
 require (
        github.com/aws/aws-lambda-go v1.41.0
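Review bot: the `go 1.21` directive only raises the module's minimum language/toolchain version; it is the toolchain that actually runs `go build` (the image in the Makefile), not this line, that decides which stdlib the binary ships and whether the reported CVEs go away. Keep the two in step, and if go.mod is meant to enforce the floor, Go 1.21 accepts a full release here, e.g. `go 1.21.8`, so an older toolchain refuses to build the module instead of silently producing a vulnerable binary.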
@@ -16,7 +16,7 @@ require (
        github.com/davecgh/go-spew v1.1.1 // indirect
        github.com/pmezard/go-difflib v1.0.0 // indirect
        github.com/stretchr/objx v0.5.0 // indirect
-       golang.org/x/net v0.18.0 // indirect
-       golang.org/x/sys v0.14.0 // indirect
+       golang.org/x/net v0.22.0 // indirect
+       golang.org/x/sys v0.18.0 // indirect
        gopkg.in/yaml.v3 v3.0.1 // indirect
 )
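Review bot: the `golang.org/x/net` and `golang.org/x/sys` bumps in this hunk are both `// indirect` and unrelated to the five findings, which grype attributes to `stdlib`; they read as a side effect of `go get`/`go mod tidy` rather than a deliberate change. Say so in the commit message so nobody mistakes the dependency bumps for the fix, and note that the other indirect entries in the block did not need to move.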
diff --git a/go.sum b/go.sum
index 0ea11d6..005de80 100644
--- a/go.sum
+++ b/go.sum
@@ -22,15 +22,16 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg=
-golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ=
+golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
+golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
 golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
-golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
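Review bot: this hunk should be `go mod tidy` output rather than hand edits; the added `golang.org/x/text v0.14.0/go.mod` line with no matching go.mod change is consistent with tidy filling in a previously missing entry, and the identical `/go.mod` hash for `golang.org/x/sys` v0.14.0 and v0.18.0 simply means that module's go.mod file is byte-identical at both tags. Note also that the Makefile builds with `GOPROXY=direct`, which bypasses the module proxy but not the checksum database, so these new hashes are still checked against sum.golang.org on first fetch unless GOSUMDB or GONOSUMDB is set as well.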
Jakub-PMX changed the title from "Vulnerabilities due go1.20" to "Vulnerabilities due to go1.20" on Mar 18, 2024
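Grype's `stdlib go1.20.14` rows come from the toolchain version the Go linker embeds in the binary, so the real fix is rebuilding with a newer toolchain, and neither the `go` directive in go.mod nor the Docker tag proves that happened. The following is an added example (not code from aws-lambda-rie, grype or the reporter) of a small CI gate that reads the same embedded build info with the standard library's `debug/buildinfo` and fails when the binary was linked with anything older than a minimum you pass on the command line. The program name `gocheck`, the binary path and the `go1.21.8` floor are assumptions for illustration.

```go
// gocheck: fail when a Go binary was linked by a toolchain older than a
// required minimum. Added example; not part of aws-lambda-rie or grype.
// Usage (hypothetical paths): go run . ./bin/aws-lambda-rie go1.21.8
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goVersion is a parsed Go release string such as "go1.20.14".
type goVersion struct {
	major, minor, patch int
}

// parseGoVersion parses the "goX.Y.Z" (or "goX.Y", patch 0) form the linker
// records in build info. Pre-release toolchains ("go1.21rc1") and development
// builds ("devel ...") are rejected rather than guessed at: a release artifact
// should come from a released toolchain.
func parseGoVersion(s string) (goVersion, error) {
	var v goVersion
	if !strings.HasPrefix(s, "go") {
		return v, fmt.Errorf("not a Go release version: %q", s)
	}
	parts := strings.Split(strings.TrimPrefix(s, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("not a Go release version: %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		// Itoa round-trip rejects "+5", "05" and suffixes like "21rc1".
		if err != nil || n < 0 || strconv.Itoa(n) != p {
			return v, fmt.Errorf("bad component %q in Go version %q", p, s)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// compare orders versions numerically (go1.20.14 < go1.21 < go1.21.8) and
// returns -1, 0 or 1 like strings.Compare.
func (a goVersion) compare(b goVersion) int {
	for _, d := range [3]int{a.major - b.major, a.minor - b.minor, a.patch - b.patch} {
		if d < 0 {
			return -1
		}
		if d > 0 {
			return 1
		}
	}
	return 0
}

// meetsMinimum reports whether release string have is at least minimum.
func meetsMinimum(have, minimum string) (bool, error) {
	h, err := parseGoVersion(have)
	if err != nil {
		return false, err
	}
	m, err := parseGoVersion(minimum)
	if err != nil {
		return false, err
	}
	return h.compare(m) >= 0, nil
}

// checkBinary reads the toolchain version embedded in the binary at path,
// which is where scanners pick up the stdlib version, and reports it together
// with whether it satisfies minimum. Builds with GOEXPERIMENT set record extra
// fields after a space ("go1.21.8 X:..."), so only the first field is parsed.
func checkBinary(path, minimum string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, fmt.Errorf("%s: %w", path, err)
	}
	fields := strings.Fields(info.GoVersion)
	if len(fields) == 0 {
		return "", false, fmt.Errorf("%s: no Go version in build info", path)
	}
	ok, err := meetsMinimum(fields[0], minimum)
	return info.GoVersion, ok, err
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <binary> <minimum, e.g. go1.21.8>")
		os.Exit(2)
	}
	have, ok, err := checkBinary(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "gocheck:", err)
		os.Exit(2)
	}
	if !ok {
		fmt.Fprintf(os.Stderr, "%s: linked with %s, below %s\n", os.Args[1], have, os.Args[2])
		os.Exit(1)
	}
	fmt.Printf("%s: linked with %s (>= %s)\n", os.Args[1], have, os.Args[2])
}
```

Run it as a step after `compile-with-docker`, with the minimum set to the toolchain the release is supposed to carry; because it inspects the produced binary rather than go.mod or the image tag, it catches a cached or stale builder image that silently linked the old stdlib.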
@valerena
Contributor

Hi. Thanks for the report. We recently updated to the latest version in Go 1.20, but we might have to update to 1.21 like you mention. We'll take a look.

@valerena
Contributor

New version released using Go 1.21.8 https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/tag/v1.17

No vulnerabilities found on this version with grype.
