[GODRIVER-3075] Resolve CVE-2023-48795 on v1 and master Created: 19/Dec/23  Updated: 08/Jan/24  Resolved: 08/Jan/24

Status: Closed
Project: Go Driver
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Unknown
Reporter: Preston Vasquez Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates GODRIVER-3082 Bump the minimum Go version to 1.18 In Code Review
Related
is related to GODRIVER-3082 Bump the minimum Go version to 1.18 In Code Review
Documentation Changes Summary:

1. What would you like to communicate to the user about this feature?
2. Would you like the user to see examples of the syntax and/or executable code and its output?
3. Which versions of the driver/connector does this apply to?


Description

Context

Dependabot is a feature of GitHub whose main purpose is to assist developers in staying on top of their dependency ecosystem.

Recently, Dependabot opened multiple PRs to resolve CVE-2023-48795 in the Go Driver, which would require bumping golang.org/x/crypto to v0.17.0. However, that version of crypto has taken a dependency on golang.org/x/text@0.14.0, which has a minimum Go version of 1.18. That means we cannot merge this change into v1 without breaking our support for Go 1.13. For more details, see the commit fixing the CVE, golang/crypto@9d2ee97, and the commit updating the Go directives, golang.org/x/text@6c97a16.
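A check for exactly that kind of transitive bump, added here as an example and not part of the ticket or the driver's tooling: it reads the output of `go list -m -f '{{.Path}} {{.GoVersion}}' all` (a constructed sample stands in for it so it runs offline) and prints every module whose go directive is newer than the version the driver promises to support.

```sh
#!/bin/sh
# Added example, not from the ticket. Lists modules in the build list whose
# `go` directive exceeds SUPPORTED_GO. Real usage:
#   go list -m -f '{{.Path}} {{.GoVersion}}' all | too_new
# Versions are compared as major.minor only (patch components are ignored).

SUPPORTED_GO="1.13"   # minimum Go version the v1 branch supports

# Constructed sample of `go list -m ...` output mirroring the ticket's chain;
# the last module has no go directive, so its version field is empty.
SAMPLE='go.mongodb.org/mongo-driver 1.13
golang.org/x/crypto 1.18
golang.org/x/text 1.18
example.com/legacy-module'

# version_gt A B: succeeds when Go version A is newer than B.
version_gt() {
  a_major=$(echo "$1" | cut -d. -f1); a_minor=$(echo "$1" | cut -d. -f2)
  b_major=$(echo "$2" | cut -d. -f1); b_minor=$(echo "$2" | cut -d. -f2)
  [ "$a_major" -gt "$b_major" ] ||
    { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -gt "$b_minor" ]; }
}

# too_new: reads "path version" lines on stdin and echoes the ones that
# require a Go release newer than SUPPORTED_GO.
too_new() {
  while read -r path ver; do
    [ -z "$ver" ] && continue        # module without a go directive
    if version_gt "$ver" "$SUPPORTED_GO"; then
      printf '%s %s\n' "$path" "$ver"
    fi
  done
}

printf '%s\n' "$SAMPLE" | too_new
```

A non-empty result means merging the dependency update would raise the effective minimum Go version for that branch.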

Definition of done

Either bump the minimum Go version to 1.18 OR close the PRs that target v1.

If the latter is chosen, two things need to be done: (1) document the security vulnerability on the v1 branch, and (2) add a .github/dependabot.yml that targets master only, since by default Dependabot checks for manifest files on the default branch and raises pull requests for version updates against that branch:

version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    target-branch: "master"
    schedule:
      interval: "weekly"   # schedule.interval is required by Dependabot

In either event, we may want to add the config regardless to ensure PRs are opened for both branches going forward:

version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    target-branch: "master"
    schedule:
      interval: "weekly"   # schedule.interval is required by Dependabot
  - package-ecosystem: "gomod"
    directory: "/"
    target-branch: "v1"
    schedule:
      interval: "weekly"



Comments
Comment by Matt Dale [ 02/Jan/24 ]

Right now I think the best approach is to bump min version to 1.18 and take the updated dependencies. We still need to validate the impact of that decision and make sure it won't break a bunch of users.

Comment by Preston Vasquez [ 20/Dec/23 ]

qingyang.hu@mongodb.com matt.dale@mongodb.com would you mind reviewing this ticket before triage to determine which of the two solutions proposed in the description we want to go with: (1) bump v1 to 1.18, (2) close PRs and point Dependabot at master?

Generated at Thu Feb 08 08:40:01 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.