Recently, GitHub Dependabot complained about some dependencies in my project which are vulnerable to DoS, have a "Broken or Risky Cryptographic Algorithm", and have a bug with "Uncontrolled Resource Consumption".
Specifically, it is warning me about CVE-2022-27664 for the golang.org/x/net module, and CVE-2022-27191 and CVE-2022-32149 for others.
What I did was run "go get -u" on all the modules used there. Obviously, it didn't solve the problem. Then I started to look for module dependencies with "go mod graph". It took a while, and here is the dependency sequence I've found:
google.golang.org/[email protected] =>
[email protected] =>
google.golang.org/[email protected] =>
github.com/envoyproxy/[email protected] =>
google.golang.org/[email protected] =>
golang.org/x/[email protected] =>
google.golang.org/[email protected] =>
golang.org/x/[email protected]
Which means that the most modern and updated google.golang.org/api package from Mar 17, 2023 causes a dependency on golang.org/x/net from 2018.
I see a lot of dependencies on the old net module from other Google packages:
cloud.google.com/go/[email protected] golang.org/x/[email protected]
github.com/googleapis/gax-go/[email protected] golang.org/x/[email protected]
[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
google.golang.org/[email protected] golang.org/x/[email protected]
I've checked the github.com/googleapis/google-api-go-client repository and found this issue: https://github.com/googleapis/google-api-go-client/issues/1048
It says about the same problem, but later the user hashier says that since the go list -m all command shows the latest version, it's not an issue.
So, the main question is: Is that an issue or not, and why?
I just don't know what should be fixed here, the GitHub Dependabot checks or the google-api-go-client module dependencies.
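The module graph walked through in the question can be checked mechanically. As an added example (not code from the question, from google-api-go-client, or from the Go project), the Go program below reads `go mod graph` output, applies the rule the go command uses to pick versions (minimal version selection: per module path, the highest version any requirement asks for wins), and separates the lines that name an old version from the version the build actually compiles. The graph text, every version in it and the fixed-version threshold are constructed for the example; `compareVersion` is a simplified substitute for golang.org/x/mod/semver, not the real implementation.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Edge is one line of `go mod graph`: "from@ver to@ver" (the main module carries no version).
type Edge struct{ From, FromVer, To, ToVer string }

// parseGraph turns `go mod graph` text into edges.
func parseGraph(text string) ([]Edge, error) {
	var edges []Edge
	for n, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			return nil, fmt.Errorf("line %d: want two fields, got %q", n+1, line)
		}
		var e Edge
		e.From, e.FromVer, _ = strings.Cut(f[0], "@")
		e.To, e.ToVer, _ = strings.Cut(f[1], "@")
		edges = append(edges, e)
	}
	return edges, nil
}

// splitVersion breaks "vX.Y.Z[-pre][+meta]" into a numeric core and prerelease text.
func splitVersion(v string) (nums [3]int, pre string) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // "+incompatible" never affects order
	core, pre, _ := strings.Cut(v, "-")
	for i, p := range strings.SplitN(core, ".", 3) {
		nums[i], _ = strconv.Atoi(p) // a malformed component orders as 0
	}
	return nums, pre
}

// compareVersion is a simplified stand-in for golang.org/x/mod/semver.Compare (negative, zero
// or positive): numeric core, then release beats prerelease, then prerelease text, which
// orders pseudo-versions ("v0.0.0-yyyymmddhhmmss-commit") by their timestamp.
func compareVersion(a, b string) int {
	ca, pa := splitVersion(a)
	cb, pb := splitVersion(b)
	for i := range ca {
		if ca[i] != cb[i] {
			return ca[i] - cb[i]
		}
	}
	if pa == "" || pb == "" {
		return strings.Compare(pb, pa) // the empty (release) side is the greater one
	}
	return strings.Compare(pa, pb)
}

// selectedVersions applies minimal version selection: per module path the build uses the
// highest version any requirement asks for (replace/exclude ignored; `go list -m all` honours them).
func selectedVersions(edges []Edge) map[string]string {
	sel := map[string]string{}
	for _, e := range edges {
		if cur, ok := sel[e.To]; e.ToVer != "" && (!ok || compareVersion(e.ToVer, cur) > 0) {
			sel[e.To] = e.ToVer
		}
	}
	return sel
}

// staleEdges lists graph lines asking for a version below the selected one: the "old module"
// lines that alarm readers of `go mod graph` but never reach the build.
func staleEdges(edges []Edge, sel map[string]string) (out []Edge) {
	for _, e := range edges {
		if e.ToVer != "" && compareVersion(e.ToVer, sel[e.To]) < 0 {
			out = append(out, e)
		}
	}
	return out
}

// sampleGraph is constructed `go mod graph` output: module paths from the question, versions
// made up for this example (the real graph had 667 lines).
const sampleGraph = `example.com/app google.golang.org/api@v0.114.0
example.com/app golang.org/x/net@v0.8.0
google.golang.org/api@v0.114.0 google.golang.org/grpc@v1.53.0
google.golang.org/api@v0.114.0 golang.org/x/net@v0.7.0
google.golang.org/grpc@v1.53.0 golang.org/x/net@v0.0.0-20180724000000-000000000000`

// fixedXNet is an assumed threshold; use the fixed version the advisory or govulncheck reports.
const fixedXNet = "v0.0.0-20220906000000-000000000000"

func main() {
	edges, err := parseGraph(sampleGraph)
	if err != nil {
		panic(err)
	}
	sel := selectedVersions(edges)
	v := sel["golang.org/x/net"]
	fmt.Printf("golang.org/x/net: build uses %s, fixed=%v\n", v, compareVersion(v, fixedXNet) >= 0)
	for _, e := range staleEdges(edges, sel) {
		fmt.Printf("never built: %s@%s -> %s@%s\n", e.From, e.FromVer, e.To, e.ToVer)
	}
}
```

On a real project, feed it the output of `go mod graph` instead of the sample and cross-check with the go command itself: `go list -m golang.org/x/net` prints the selected version, `go mod why -m golang.org/x/net` prints the requirement path that pulls the module in, and `govulncheck ./...` reports only vulnerabilities whose code is actually reachable from your build. A graph line naming an old version is not by itself a finding; the selected version is.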
Time to answer this.
As I found out experimenting with go mod graph, checking all the packages in my project one by one in a separate draft repository, these vulnerable dependencies were coming from another repository: github.com/go-gorm/postgres.
So, I was mistaken in determining where the vulnerable dependencies come from. Obviously it was due to the enormous dependency graph:
[0] $ go mod graph | wc
667 1334 56113
If someone is looking for a way to visualize project dependencies, here it is:
go mod graph | modgv | dot -Tsvg -o graph.svg
Turning back to the initial problem. It was caused by the old version of Go used in github.com/go-gorm/postgres. As I understood, the only way to fix it is to upgrade the Go version to 1.18. If the version is lower, go mod graph shows a lot of vulnerable packages.