Community Learn Tools Library Leisure
search
English
Home > Backend Development > Golang > Golang: How to handle outdated dependency of google.golang.org/api on golang.org/x/net

Golang: How to handle outdated dependency of google.golang.org/api on golang.org/x/net

WBOY
Release: 2024-02-06 08:09:11
forward
878 people have browsed it

Golang:如何处理 google.golang.org/api 对 golang.org/x/net 的过时依赖项

Question content

Recently github.com dependabot complained that some dependencies in my project are vulnerable to DOS attacks and have "corrupt or risky Encryption Algorithm" and there is an "Uncontrolled Resource Consumption" error.

Specifically, it warned me about CVE-2022-27664 for the golang.org/x/net module, CVE-2022-27191 and CVE-2022-32149 for other modules.

What I did was run "go get -u" on all modules used. Obviously, this didn't solve the problem. Then I started using "go graph" to find module dependencies. It took a while and this is the order of dependencies I found: 

google.golang.org/[email protected] =>
[email protected] =>
google.golang.org/[email protected] =>
github.com/envoyproxy/[email protected] =>
google.golang.org/[email protected] =>
golang.org/x/[email protected] =>
google.golang.org/[email protected] =>
golang.org/x/[email protected]
Copy after login

This means that the most modern and updated google.golang.org/api packages from March 17, 2023 will result in golang.org/x/ from 2018 net dependencies.

I found that other Google packages have a lot of dependencies on the old network module: 

cloud.google.com/go/[email protected] golang.org/x/[email protected]
github.com/googleapis/gax-go/[email protected] golang.org/x/[email protected]
[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
Copy after login

I checked the github.com/googleapis/google-api-go-client repository and found this issue https://github.com/googleapis/google-api-go-client/issues/1048 I said the same problem, but then user hashier said that since the go list -m all command shows the latest version, it's not a problem.

So, the main question is: is this a problem and why?

I just don't know what should be fixed here, github dependabot check or google-api-go-client module dependency.


Correct answer


It’s time to answer this question.

When I tried to check all the packages in the project one by one in a separate draft repository using go mod graph, these vulnerable dependencies came from another repository: github .com/go-gorm/postgres.

So, I incorrectly identified where the vulnerable dependency is coming from. Apparently this is due to the huge dependency graph: 

[0] $ go mod graph | wc
    667    1334   56113
Copy after login

If anyone is looking for a way to visualize project dependencies, here it is: 

go mod graph | modgv | dot -Tsvg -o graph.svg
Copy after login

Back to the original question. This is caused by github.com/go-gorm/postgres using an older version of go. As far as I understand, the only way to fix it is to upgrade the go version to 1.18. If the version is lower, go mod graph will show many vulnerable packages.

The above is the detailed content of Golang: How to handle outdated dependency of google.golang.org/api on golang.org/x/net. For more information, please follow other related articles on the PHP Chinese website!

source:stackoverflow.com
Previous article:Form variables are not available in tests Next article:How to pass a structure in slog logger and use its fields automatically?
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Articles by Author
Latest Issues
function_exists() cannot determine the custom function Function test () {return true;} if (function_exists ('test')) {echo "test is function...
From 2024-04-29 11:01:01
0
3
2052
How to display the mobile version of Google Chrome Hello teacher, how can I change Google Chrome into a mobile version?
From 2024-04-23 00:22:19
0
11
2207
The child window operates the parent window, but the output does not respond. The first two sentences are executable, but the last sentence cannot be implemented.
From 2024-04-19 15:37:47
0
1
1864
There is no output in the parent window document.onclick = function(){ window.opener.document.write('I am the output of the child ...
From 2024-04-18 23:52:34
0
1
1750
Where is the courseware about CSS mind mapping? Courseware
From 2024-04-16 10:10:18
0
0
1772
Related Topics
More>
Popular Recommendations
Popular Tutorials
More>
Related Tutorials
Popular Recommendations
Latest courses
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template