Versions Compared

Old Version 6

changes.mady.by.user John

Saved on

compared with

New Version 7

changes.mady.by.user John

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
./gradlew build

Using GOMOD to Visualize Dependencies

Install gomod - https://github.com/Helcaraxan/gomod

Code Block
go install github.com/Helcaraxan/gomod@latest

Install graphwiz - https://www.graphviz.org/download/

On Mac:

Code Block
echo 'eval "$(/opt/homebrew/bin/brew shellenv)"' >> ~/.zprofile
brew install graphviz

Usage

Code Block
gomod graph | dot -Tpng -o out.png
open out.png

Example using filter and including tests:

Code Block
gomod graph 'rdeps(cloud.google.com/go/storage:test)' | dot -Tpng -o out.png
open out.jpg

Image Removed

Can't Find the Dependency?

Code Block
go mod graph |grep <dependency>


Can't Find the Dependency?


Code Block
go mod graph |grep <dependency>


Example - Find out who is using storage@v1.14.0

Code Block
$ go mod graph |grep storage |grep 1.14.0

github.com/spf13/afero@v1.8.2 cloud.google.com/go/storage@v1.14.0                              <-- pulled in by afero 
cloud.google.com/go/storage@v1.14.0 cloud.google.com/go@v0.75.0
cloud.google.com/go/storage@v1.14.0 github.com/golang/protobuf@v1.4.3
cloud.google.com/go/storage@v1.14.0 github.com/google/go-cmp@v0.5.4
cloud.google.com/go/storage@v1.14.0 github.com/googleapis/gax-go/v2@v2.0.5
cloud.google.com/go/storage@v1.14.0 golang.org/x/mod@v0.4.1
cloud.google.com/go/storage@v1.14.0 golang.org/x/oauth2@v0.0.0-20210218202405-ba52d332ba99
cloud.google.com/go/storage@v1.14.0 golang.org/x/sys@v0.0.0-20210225134936-a50acf3fe073
cloud.google.com/go/storage@v1.14.0 golang.org/x/tools@v0.1.0
cloud.google.com/go/storage@v1.14.0 google.golang.org/api@v0.40.0
cloud.google.com/go/storage@v1.14.0 google.golang.org/genproto@v0.0.0-20210226172003-ab064af71705
cloud.google.com/go/storage@v1.14.0 google.golang.org/grpc@v1.35.0

$ go mod graph |grep afero

kafka-azure-sink github.com/spf13/afero@v1.8.2
github.com/spf13/afero@v1.8.2 cloud.google.com/go/storage@v1.14.0
github.com/spf13/afero@v1.8.2 github.com/googleapis/google-cloud-go-testing@v0.0.0-20200911160855-bcd43fbb19e8
github.com/spf13/afero@v1.8.2 github.com/pkg/sftp@v1.13.1
github.com/spf13/afero@v1.8.2 golang.org/x/crypto@v0.0.0-20211108221036-ceb1ce70b4fa
github.com/spf13/afero@v1.8.2 golang.org/x/oauth2@v0.0.0-20210218202405-ba52d332ba99
github.com/spf13/afero@v1.8.2 golang.org/x/text@v0.3.4
github.com/spf13/afero@v1.8.2 google.golang.org/api@v0.40.0
github.com/spf13/viper@v1.13.0 github.com/spf13/afero@v1.8.2                                 <--- pulled in by viper



Now that we have found the import that we are using, we can check to see if the library can be updated to a newer version. If not, we need to see if the error is really a problem.


Is the CVE a problem?

Code Block
File Path: /Users/john/projects/netguard_cyberdome/services/kafka-azure-sink/go.mod:cloud.google.com/go/storage/1.14.0

CVE-2021-20291

A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a malicious image, which when downloaded and stored by an application using containers/storage, would then cause a deadlock leading to a Denial of Service (DoS).


In the above section, we found that storage@1.14.0 is used by afero@v1.8.2 which is used by viper@v1.13.0.

We use viper for reading our environment variables. We do not use viper with an afero file system, so we can confidently suppress this vulnerability.


From the dependency-check-report.html we can click on the suppress button and copy the text to our owasp-suppressions.xml file.

Image Added


It is best to add some information around why we suppressed the vulnerability.


code
Code Block
titleowasp-suppressions.xml
<suppressions>
...
   <suppress>
      <notes><![CDATA[
      file name: cloud.google.com/go/storage:1.14.0
      github.com/spf13/afero@v1.8.2 included as port of github.com/spf13/viper@v1.13.0
      We are not using the afero filesystem with viper.
      ]]></notes>
      <packageUrl regex="true">^pkg:golang/cloud\.google\.com/go/storage@.*$</packageUrl>
      <cve>CVE-2021-20291</cve>
   </suppress>

</suppressions>