build(deps): bump github.com/go-chi/chi/v5 from 5.2.1 to 5.2.2 #7086
Conversation
Fixes GHSA-vrw8-fxc6-2r93

FWIW, Caddy isn't affected by the mentioned vuln.
Bumps [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) from 5.2.1 to 5.2.2.
- [Release notes](https://github.com/go-chi/chi/releases)
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md)
- [Commits](go-chi/chi@v5.2.1...v5.2.2)

---
updated-dependencies:
- dependency-name: github.com/go-chi/chi/v5
  dependency-version: 5.2.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
I am getting hit by security scans on a caddy-server based repo; the reported issue will be fixed by this one. Is there a problem with merging this one?

There isn't much of a blocker besides us configuring an SLA exception for dependabot and merging the PR. However, for Caddy, the security alert is a false-positive. Caddy isn't affected by the vuln in Chi due to how we're using it. The Host-header routing is completely managed by Caddy before passing off the request to Chi. Out of curiosity, which scanner is flagging this? The standard vuln scanner for Go, govulncheck, which we have in our CI, isn't flagging this vuln as impacting us.
@mohammed90 docker image scanners like trivy or docker scout are flagging this (among other things):

I can't link to the scan since it's inside a private repo, but the tool being used is twistlock; some details about the error:
I see. So as mentioned earlier, the vulnerable code is not reachable or effective in the case of Caddy due to how we use Chi. Most vuln scanners are naive and don't take the execution path into consideration. For the Go ecosystem, the Go team provides a tool that properly takes the execution path into consideration, which they discuss in their blog post Vulnerability Management for Go. We use govulncheck in CI. It doesn't report the referenced vuln. This proves the issue doesn't impact Caddy. Scout and Trivy are more naive in their analysis, so they flag any mention of the package within a binary, regardless of the execution path, which merely adds burden without effective security gain. To react to their reports merely to silence them gives legitimacy to false warnings. Nothing stops them from yelling about completely unrelated vulns. Scout and Trivy are open-source, and we can give them feedback on their tools. In fact, Trivy is able to take the output of govulncheck into consideration for reporting when invoked in a specific way. For Twistlock, we cannot give them that feedback. If you're a customer of theirs, share the feedback with them. We'll eventually merge the PR and upgrade the reported package, but understand that with this upgrade or not, the vuln is not possible in Caddy at all.
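As an added illustration of the reachability point made above (not code from Caddy, chi or govulncheck), here is a constructed model of the two scanner behaviours: a module-list scanner fires whenever the vulnerable module is linked into the binary at all, while a call-graph scanner fires only when the vulnerable symbol is reachable from the program's entry point. The call graph, the function names and the advisory ID are placeholders constructed for this example, and the BFS is a simplified stand-in for govulncheck's analysis, not its actual algorithm.

```go
package main

import "strings"

// CallGraph maps each "module:Function" to its callees; every function appears as a key.
type CallGraph map[string][]string

// Vuln is a known-vulnerable symbol inside a module.
type Vuln struct{ ID, Module, Symbol string }

// NaiveFlags reports whether a module-list scanner (Trivy/Scout style) would
// raise v: it fires whenever the vulnerable module is linked in at all.
func NaiveFlags(g CallGraph, v Vuln) bool {
	for fn := range g {
		if strings.HasPrefix(fn, v.Module+":") {
			return true
		}
	}
	return false
}

// ReachableFlags reports whether an execution-path scanner (govulncheck style)
// would raise v: only when v.Symbol lies on some call path from entry.
func ReachableFlags(g CallGraph, entry string, v Vuln) bool {
	seen := map[string]bool{entry: true}
	for queue := []string{entry}; len(queue) > 0; queue = queue[1:] {
		for _, c := range g[queue[0]] {
			if !seen[c] {
				seen[c] = true
				queue = append(queue, c)
			}
		}
	}
	return seen[v.Symbol]
}

// Sample is a constructed graph for the situation in the thread: the app
// routes on Host itself and only hands requests to the router's path dispatch,
// so the vulnerable symbol is linked into the binary but never called.
var Sample = CallGraph{
	"app:main":          {"app:routeByHost"},
	"app:routeByHost":   {"chi:Mux.ServeHTTP"},
	"chi:Mux.ServeHTTP": {"chi:Mux.routeHTTP"},
	"chi:Mux.routeHTTP": nil,
	"chi:vulnFunc":      {"chi:Mux.routeHTTP"}, // present, but unreachable from main
}

// Advisory is a hypothetical placeholder, not the real advisory fixed by this PR.
var Advisory = Vuln{ID: "GHSA-EXAMPLE", Module: "chi", Symbol: "chi:vulnFunc"}
```

On the sample graph the naive scanner flags the advisory while the reachability scanner does not, which is the disagreement between Trivy/Scout and govulncheck that the thread describes.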
Bumps github.com/go-chi/chi/v5 from 5.2.1 to 5.2.2.
Release notes
Sourced from github.com/go-chi/chi/v5's releases.
Commits
- 23c395f Correct documentation (#992)
- 5516d14 docs: change install code to code block (#1001)
- e235052 Make use of strings.Cut (#1005)
- 1be7ad9 Merge commit from fork
- d7034fd Exclude profiler when use tinygo (#982)
- d047034 support tinygo (#978)
- fe2c065 Fixed the typo (#958)
- 1aae5b2 chore: delint ioutil usage (#962)
- c6225e3 go 1.24 (#977)
- e846b83 Apply fieldalignment fixes to optimize struct memory layout (#974)