
go.mod: bump gorm.io/driver/postgres to resolve downstream vuln #1865

Merged
merged 11 commits into main from andrew.glaude/BumpGORM on Apr 5, 2023

Conversation

ajgajg1134
Contributor

@ajgajg1134 ajgajg1134 commented Apr 4, 2023

What does this PR do?

Closes #1816
Also, switches the driver used to the Microsoft-forked version of the mssql driver, since both drivers register themselves in their init (which means that if you accidentally import both, as we were now doing since it was changed in gorm, it made go sql panic).
On top of that, gorm introduced a breaking change here: go-gorm/sqlserver#72, so that version also needed to be updated.
ALSO, no clue why, but maybe due to a new version of gofmt there are lots of lint changes 😭

Motivation

Turns out gorm.io/driver/postgres relied on jackc/pgx/v4, which relied on satori/go.uuid, which was vulnerable to bad random data.

Describe how to test/QA your changes

The integration tests should be sufficient here

Reviewer's Checklist

  • Changed code has unit tests for its functionality.
  • If this interacts with the agent in a new way, a system test has been added.


@pr-commenter

pr-commenter bot commented Apr 4, 2023

Benchmarks

Comparing candidate commit d162238 in PR branch andrew.glaude/BumpGORM with baseline commit 1b5ba27 in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 18 metrics, 0 unstable metrics.

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.

@ajgajg1134 ajgajg1134 marked this pull request as ready for review April 4, 2023 20:47
@ajgajg1134 ajgajg1134 requested a review from a team April 4, 2023 20:47
@ajgajg1134 ajgajg1134 requested a review from a team as a code owner April 4, 2023 20:47
@ajgajg1134 ajgajg1134 merged commit ccb4c6a into main Apr 5, 2023
@ajgajg1134 ajgajg1134 deleted the andrew.glaude/BumpGORM branch April 5, 2023 14:59
@ajgajg1134 ajgajg1134 added this to the v1.50.0 milestone Apr 5, 2023
Successfully merging this pull request may close these issues.

github.com/satori/go.uuid Vulnerability CVE-2021-33027
2 participants