Can't go install vervet #128

Closed. cmars opened this issue Jan 19, 2022 · 0 comments · Fixed by #127

Comments

cmars (Contributor) commented Jan 19, 2022


It's currently not possible to go install github.com/snyk/vervet/v3@latest. This is what happens if you try:

$ go install github.com/snyk/vervet/v3@latest
go install: github.com/snyk/vervet/v3@latest (in github.com/snyk/vervet/v3@v3.1.4):
	The go.mod file for the module providing named packages contains one or
	more replace directives. It must not contain directives that would cause
	it to be interpreted differently than if it were the main module.

So there are two questions that will probably come to mind:

Why are we using the replace directive?

Vervet currently uses replace because it has a transitive dependency (dependency of a dependency of a ...) which depends on a version of golang.org/x/crypto which has security vulnerabilities detected by Snyk. While I'm trying to contribute fixes to these upstreams -- go-git/go-git#454, https://github.com/xanzy/ssh-agent may also need similar -- these vulns can be mitigated right now by overriding the affected module with a replace directive -- this allows us to build a more secure release of vervet.

Why can't I go install a binary from a module that uses replace?

Good question. The Go developers have decided not to allow it. While I appreciate Go's relentless push for simplicity, I wonder if we're missing some nuance here, especially when it comes to security concerns like the one we've encountered here.

Reference issues on this topic in Go:

In the meantime, what's the workaround?

For the time being, to install vervet you'll either need to

  • Install from NPM, npm install -g @snyk/vervet@^3.1.0
  • Download a binary from a release build, copy it into your $PATH.
  • git clone and make build locally, and install the binary into your $PATH.

We might also add more distribution channels to make it easier to get vervet. Homebrew, Nix, etc. Contributions here would be welcome!
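The check that `go install` applies, shown as an added example that is not part of the issue and not vervet's own code: a small POSIX shell script that strips comments from a go.mod, lists the modules overridden by replace directives (one-line and block forms), and reports whether `go install module@version` will be refused. The go.mod it inspects is constructed for this example; its module paths and versions are illustrative assumptions, not the real vervet go.mod.

```shell
#!/bin/sh
# Added example, not code from the vervet project: report replace directives
# in a go.mod, since `go install module@version` refuses any module whose
# go.mod contains one (the error quoted in the issue).

# Constructed go.mod in the shape the issue describes: a vulnerable transitive
# golang.org/x/crypto overridden by a replace. Module paths and versions here
# are illustrative assumptions, not vervet's real go.mod.
SAMPLE_GOMOD='module example.com/vervet-like/v3

go 1.17

require (
    github.com/go-git/go-git/v5 v5.4.2
    golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 // indirect
)

// Pin the transitive dependency to a patched version.
replace golang.org/x/crypto => golang.org/x/crypto v0.0.0-20220112180741-5e0467b6c7ce

// A commented-out replace must not count:
// replace github.com/example/old => github.com/example/new v1.0.0

replace (
    github.com/xanzy/ssh-agent v0.3.0 => github.com/xanzy/ssh-agent v0.3.1
)
'

# Print the module path on the left-hand side of every replace directive,
# one per line. Comments are stripped first; both the one-line form
# `replace a [v] => b v` and the block form `replace ( ... )` are handled.
list_replaces() {
    sed 's#//.*$##' "$1" | awk '
        function has_arrow(   i) { for (i = 1; i <= NF; i++) if ($i == "=>") return 1; return 0 }
        /^[ \t]*replace[ \t]*\(/ { inblock = 1; next }
        inblock && /^[ \t]*\)/   { inblock = 0; next }
        inblock && has_arrow()   { print $1; next }
        $1 == "replace" && has_arrow() { print $2 }
    '
}

# Succeed (exit 0) only when the go.mod has no replace directives, i.e. when
# `go install <module>@<version>` can be expected to accept this module.
go_install_allowed() {
    [ -z "$(list_replaces "$1")" ]
}

# Run the check against the constructed go.mod.
tmp=$(mktemp)
printf '%s' "$SAMPLE_GOMOD" > "$tmp"
if go_install_allowed "$tmp"; then
    echo "no replace directives: go install module@version should work"
else
    echo "replace directives override:"
    list_replaces "$tmp" | sed 's/^/  /'
    echo "go install module@version will refuse this module; clone the tag and go build instead"
fi
rm -f "$tmp"
```

When the module is built from a clone instead (the third workaround above), the replace takes effect; `go version -m <binary>` prints the build info embedded in the resulting binary, including `=>` lines for replaced modules, which is the quickest way to confirm that the shipped binary really carries the patched golang.org/x/crypto rather than the vulnerable transitive version.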
