Upgrade go dependencies to fix included CVE

go.mod references cobra dependency with version spf13/cobra v0.0.5 while version v1.2.1 is now available.

Cobra version 0.0.5 imports an outdated version of spf13/viper (v1.3.2 vs 1.8.1), which in turn imports an outdated version of coreos/etcd (v3.3.10+incompatible), which suffers from the following CVEs:
CVE-2020-15115 (Critical)
CVE-2020-15114 (Critical)
CVE-2020-15136 (Severe)

Upgrading dependencies would remove the CVEs.

What version of Go are you using (go version)?

$ go version
1.17.3

What operating system are you using?

What version of Badger are you using?

dgraph-io/badger v3.2103.2

Does this issue reproduce with the latest master?

Yes

Steps to Reproduce the issue

Use go mod graph to review dependencies check they do not include

What Badger options were set?

N/A

What did you do?

go get the latest badger version and check vulnerabilities from dependencies.

Relevant extract from go mod graph:

github.com/spf13/viper@v1.3.2 github.com/coreos/etcd@v3.3.10+incompatible
github.com/spf13/cobra@v0.0.5 github.com/spf13/viper@v1.3.2
github.com/dgraph-io/badger/v3@v3.2103.2 github.com/spf13/cobra@v0.0.5

What did you expect to see?

No fixed CVE reported in used dependencies.

What did you see instead?

Fixed CVE in later version of dependencies.

Since upgrading the go module dependencies would fix this security issue and is fairly easy to perform, is there any chance to have a fixed version soon?

If needed, I can provide help in performing the required changes: just let me know how to proceed.
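As an added example (not code from this thread or from the badger project): a small Go program that parses the `go mod graph` lines quoted above and reports the dependency chain that pulls the vulnerable etcd module into the build, which is the check the report describes.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed input: the three `go mod graph` lines quoted in the report.
const modGraph = `github.com/spf13/viper@v1.3.2 github.com/coreos/etcd@v3.3.10+incompatible
github.com/spf13/cobra@v0.0.5 github.com/spf13/viper@v1.3.2
github.com/dgraph-io/badger/v3@v3.2103.2 github.com/spf13/cobra@v0.0.5`

// parseGraph turns "parent child" lines into an adjacency map.
func parseGraph(out string) map[string][]string {
	g := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue
		}
		g[f[0]] = append(g[f[0]], f[1])
	}
	return g
}

// pathToModule does a breadth-first search from root and returns the first
// chain ending at a node whose module path (part before '@') equals target,
// or nil when the module is not reachable.
func pathToModule(g map[string][]string, root, target string) []string {
	type item struct {
		node string
		path []string
	}
	seen := map[string]bool{root: true}
	queue := []item{{root, []string{root}}}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if strings.SplitN(cur.node, "@", 2)[0] == target {
			return cur.path
		}
		for _, dep := range g[cur.node] {
			if !seen[dep] {
				seen[dep] = true
				p := append(append([]string{}, cur.path...), dep)
				queue = append(queue, item{dep, p})
			}
		}
	}
	return nil
}

func main() {
	g := parseGraph(modGraph)
	p := pathToModule(g, "github.com/dgraph-io/badger/v3@v3.2103.2", "github.com/coreos/etcd")
	fmt.Println(strings.Join(p, " -> "))
}
```

Against a real project, pipe `go mod graph` output into `parseGraph` and use the main module's path (listed without an `@version`) as the root.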

I am a bit surprised since:

  1. this is regarding a severe CVE caused by the project using a deprecated module (cobra v0)
  2. it's been almost 2 months since the issue was reported

Does it mean security isn't a priority for this project?

Let me know

Make the PR, the dgraph team is very small now.

Submitted PR: dependencies version upgrade by cboitel · Pull Request #1768 · dgraph-io/badger · GitHub
