GODRIVER-3075: Resolve CVE-2023-48795 on v1 and master

    • Type: Task
    • Resolution: Duplicate
    • Priority: Unknown
    • Affects Version/s: None
    • Component/s: None


      Context

      Dependabot is a GitHub feature that helps developers keep their dependencies up to date by opening pull requests for new versions and for known vulnerabilities.

      Recently, Dependabot opened multiple PRs to resolve CVE-2023-48795 in the Go Driver, which would require bumping golang.org/x/crypto to v0.17.0. However, that version of crypto depends on golang.org/x/text@0.14.0, whose go directive declares a minimum Go version of 1.18. That means we cannot merge this change into v1 without breaking our support for Go 1.13. For more details see the commit that fixes the CVE, golang/crypto@9d2ee97, and the commit that updates the Go directives in golang.org/x/text, golang/text@6c97a16.
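      The check behind the paragraph above, as an added example that is not part of the ticket or of the driver's code: given a root go.mod and the go.mod files of the modules it pulls in, walk the requirement graph and report every module whose go directive is higher than the oldest Go version the branch supports. The go.mod snippets are constructed for the example; only x/text v0.14.0 declaring go 1.18 comes from the ticket, while the go directive assumed for x/crypto v0.17.0 and the other entries are illustrative, and only modules present in the offline sample set are inspected.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// ModFile is the subset of a go.mod file that this check needs.
type ModFile struct {
	Path    string            // module path
	GoDir   string            // value of the `go` directive, "" if absent
	Require map[string]string // required module path -> version
}

// ParseGoMod extracts the module path, the go directive and the require
// entries (single-line and block form) from go.mod text. Comments are ignored.
func ParseGoMod(text string) ModFile {
	mf := ModFile{Require: map[string]string{}}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		switch {
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			mf.Require[f[0]] = f[1]
		case f[0] == "module" && len(f) >= 2:
			mf.Path = f[1]
		case f[0] == "go" && len(f) >= 2:
			mf.GoDir = f[1]
		case f[0] == "require" && len(f) >= 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) >= 3:
			mf.Require[f[1]] = f[2]
		}
	}
	return mf
}

// CompareGo compares two Go language versions such as "1.13" and "1.21.3"
// component by component and returns -1, 0 or 1.
func CompareGo(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// Violations walks the requirement graph from root, looking each dependency
// up in mods (keyed "path@version"), and returns every module whose go
// directive exceeds minGo, i.e. every module that would break minGo support.
func Violations(root ModFile, mods map[string]string, minGo string) []string {
	var out []string
	seen := map[string]bool{}
	var visit func(mf ModFile)
	visit = func(mf ModFile) {
		for path, ver := range mf.Require {
			key := path + "@" + ver
			if seen[key] {
				continue
			}
			seen[key] = true
			text, ok := mods[key]
			if !ok {
				continue // not in the offline sample set
			}
			dep := ParseGoMod(text)
			if dep.GoDir != "" && CompareGo(dep.GoDir, minGo) > 0 {
				out = append(out, fmt.Sprintf("%s requires go %s", key, dep.GoDir))
			}
			visit(dep)
		}
	}
	visit(root)
	sort.Strings(out) // map iteration order is random; make the report stable
	return out
}

// Constructed go.mod snippets. Only x/text's `go 1.18` is stated by the
// ticket; the other directives and versions are assumed for the example.
var driverMod = `module go.mongodb.org/mongo-driver

go 1.13

require (
	github.com/google/go-cmp v0.5.2
	golang.org/x/crypto v0.17.0 // the bump proposed by Dependabot
)
`

var sampleMods = map[string]string{
	"golang.org/x/crypto@v0.17.0": `module golang.org/x/crypto

go 1.18 // assumed for the example

require golang.org/x/text v0.14.0
`,
	"golang.org/x/text@v0.14.0": `module golang.org/x/text

go 1.18
`,
}

func main() {
	const minGo = "1.13" // oldest Go the v1 branch supports
	for _, v := range Violations(ParseGoMod(driverMod), sampleMods, minGo) {
		fmt.Println("would break Go", minGo, "support:", v)
	}
}
```

      Against the sample set the report lists both x/crypto@v0.17.0 and x/text@v0.14.0, which is the situation the ticket describes: the fix for the CVE cannot land on v1 without raising the branch's minimum Go version. The same walk can be fed the real go.mod files from the module cache instead of the constructed strings.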

      Definition of done

      Either bump the minimum Go version to 1.18 OR close the PRs that target v1.

      If the latter is chosen, two things need to be done: (1) document the security vulnerability on the v1 branch, and (2) stop Dependabot from raising version-update PRs against v1. By default, Dependabot checks for manifest files on the default branch and raises pull requests for version updates against that branch only. We should make this explicit by adding a .github/dependabot.yml that targets master only (Dependabot requires a schedule for each update entry):

      version: 2
      updates:
        - package-ecosystem: "gomod"
          directory: "/"
          schedule:
            interval: "weekly"
          target-branch: "master"
      

      In either event, we may want to add the config so that PRs are opened for both branches going forward:

      version: 2
      updates:
        - package-ecosystem: "gomod"
          directory: "/"
          schedule:
            interval: "weekly"
          target-branch: "master"
        - package-ecosystem: "gomod"
          directory: "/"
          schedule:
            interval: "weekly"
          target-branch: "v1"
      

            Assignee: Unassigned
            Reporter: Preston Vasquez (preston.vasquez@mongodb.com)
            Votes: 0
            Watchers: 3