2022-01-12 22:49:01 +03:00
|
|
|
module github.com/ossf/scorecard/v4
|
2020-10-09 17:47:59 +03:00
|
|
|
|
2022-08-17 04:55:48 +03:00
|
|
|
go 1.18
|
2020-10-09 17:47:59 +03:00
|
|
|
|
2022-01-25 20:17:46 +03:00
|
|
|
require (
|
2022-07-11 05:43:08 +03:00
|
|
|
github.com/rhysd/actionlint v1.6.15
|
2022-01-25 20:17:46 +03:00
|
|
|
gotest.tools v2.2.0+incompatible
|
|
|
|
)
|
|
|
|
|
2020-10-09 17:47:59 +03:00
|
|
|
require (
|
2022-08-16 18:54:13 +03:00
|
|
|
cloud.google.com/go/bigquery v1.38.0
|
2022-04-04 11:07:42 +03:00
|
|
|
cloud.google.com/go/monitoring v1.4.0 // indirect
|
2022-07-23 06:09:45 +03:00
|
|
|
cloud.google.com/go/pubsub v1.24.0
|
2022-04-04 11:07:42 +03:00
|
|
|
cloud.google.com/go/trace v1.2.0 // indirect
|
2022-04-20 11:07:22 +03:00
|
|
|
contrib.go.opencensus.io/exporter/stackdriver v0.13.12
|
2022-01-25 20:17:46 +03:00
|
|
|
github.com/bombsimon/logrusr/v2 v2.0.1
|
2022-07-16 20:43:04 +03:00
|
|
|
github.com/bradleyfalzon/ghinstallation/v2 v2.1.0
|
2021-06-09 02:55:43 +03:00
|
|
|
github.com/go-git/go-git/v5 v5.4.2
|
2022-03-18 11:06:25 +03:00
|
|
|
github.com/go-logr/logr v1.2.3
|
2021-08-26 22:48:39 +03:00
|
|
|
github.com/golang/mock v1.6.0
|
2022-04-27 17:40:28 +03:00
|
|
|
github.com/google/go-cmp v0.5.8
|
2022-07-21 17:32:19 +03:00
|
|
|
github.com/google/go-containerregistry v0.11.0
|
2021-08-13 03:43:22 +03:00
|
|
|
github.com/google/go-github/v38 v38.1.0
|
2022-01-11 21:24:11 +03:00
|
|
|
github.com/h2non/filetype v1.1.3
|
2022-07-14 18:45:00 +03:00
|
|
|
github.com/jszwec/csvutil v1.7.1
|
2022-05-09 05:41:16 +03:00
|
|
|
github.com/moby/buildkit v0.10.3
|
2021-07-07 00:11:20 +03:00
|
|
|
github.com/olekukonko/tablewriter v0.0.5
|
2022-07-21 11:06:55 +03:00
|
|
|
github.com/onsi/gomega v1.20.0
|
2021-05-17 23:03:39 +03:00
|
|
|
github.com/shurcooL/githubv4 v0.0.0-20201206200315-234843c633fa
|
2020-11-07 00:28:26 +03:00
|
|
|
github.com/shurcooL/graphql v0.0.0-20200928012149-18c5c3165e3a // indirect
|
2022-07-21 17:32:19 +03:00
|
|
|
github.com/sirupsen/logrus v1.9.0
|
2022-07-16 23:33:14 +03:00
|
|
|
github.com/spf13/cobra v1.5.0
|
2021-08-26 04:42:34 +03:00
|
|
|
github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f
|
2021-05-21 09:47:49 +03:00
|
|
|
go.opencensus.io v0.23.0
|
2022-08-04 17:10:15 +03:00
|
|
|
gocloud.dev v0.26.0
|
2022-01-27 05:56:56 +03:00
|
|
|
golang.org/x/text v0.3.7
|
2022-07-28 17:26:39 +03:00
|
|
|
golang.org/x/tools v0.1.12
|
2022-08-16 18:54:13 +03:00
|
|
|
google.golang.org/genproto v0.0.0-20220812140447-cec7f5303424
|
2022-07-29 18:29:19 +03:00
|
|
|
google.golang.org/protobuf v1.28.1
|
2021-05-02 22:04:04 +03:00
|
|
|
gopkg.in/yaml.v2 v2.4.0
|
2022-07-13 16:38:46 +03:00
|
|
|
gopkg.in/yaml.v3 v3.0.1
|
2022-05-24 16:55:34 +03:00
|
|
|
mvdan.cc/sh/v3 v3.5.1
|
2020-10-09 17:47:59 +03:00
|
|
|
)
|
2021-09-02 01:13:04 +03:00
|
|
|
|
2022-03-02 08:18:44 +03:00
|
|
|
require (
|
2022-07-18 21:42:32 +03:00
|
|
|
github.com/Masterminds/semver/v3 v3.1.1
|
2022-08-23 16:27:24 +03:00
|
|
|
github.com/caarlos0/env/v6 v6.10.0
|
2022-04-15 19:35:01 +03:00
|
|
|
github.com/mcuadros/go-jsonschema-generator v0.0.0-20200330054847-ba7a369d4303
|
2022-04-27 18:21:26 +03:00
|
|
|
github.com/onsi/ginkgo/v2 v2.1.4
|
2022-04-06 00:18:53 +03:00
|
|
|
sigs.k8s.io/release-utils v0.6.0
|
2022-03-02 08:18:44 +03:00
|
|
|
)
|
2022-02-15 22:27:45 +03:00
|
|
|
|
2021-09-02 01:13:04 +03:00
|
|
|
require (
|
2022-07-05 17:14:11 +03:00
|
|
|
cloud.google.com/go v0.102.1 // indirect
|
|
|
|
cloud.google.com/go/compute v1.7.0 // indirect
|
2022-03-17 11:06:08 +03:00
|
|
|
cloud.google.com/go/iam v0.3.0 // indirect
|
2022-07-14 17:24:21 +03:00
|
|
|
cloud.google.com/go/storage v1.23.0 // indirect
|
2022-05-19 15:55:31 +03:00
|
|
|
github.com/Microsoft/go-winio v0.5.2 // indirect
|
2021-09-02 01:13:04 +03:00
|
|
|
github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
|
|
|
|
github.com/acomagu/bufpipe v1.0.3 // indirect
|
2022-04-04 11:07:42 +03:00
|
|
|
github.com/aws/aws-sdk-go v1.43.31 // indirect
|
2021-09-02 01:13:04 +03:00
|
|
|
github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
|
2022-03-02 08:18:44 +03:00
|
|
|
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
|
2022-07-21 17:32:19 +03:00
|
|
|
github.com/containerd/stargz-snapshotter/estargz v0.12.0 // indirect
|
2021-09-02 01:13:04 +03:00
|
|
|
github.com/containerd/typeurl v1.0.2 // indirect
|
2022-07-21 17:32:19 +03:00
|
|
|
github.com/docker/cli v20.10.17+incompatible // indirect
|
2022-05-19 15:55:31 +03:00
|
|
|
github.com/docker/distribution v2.8.1+incompatible // indirect
|
2022-07-21 17:32:19 +03:00
|
|
|
github.com/docker/docker v20.10.17+incompatible // indirect
|
2022-01-21 06:44:13 +03:00
|
|
|
github.com/docker/docker-credential-helpers v0.6.4 // indirect
|
2021-09-02 01:13:04 +03:00
|
|
|
github.com/emirpasic/gods v1.12.0 // indirect
|
2021-12-17 20:24:32 +03:00
|
|
|
github.com/fatih/color v1.13.0 // indirect
|
2021-09-02 01:13:04 +03:00
|
|
|
github.com/go-git/gcfg v1.5.0 // indirect
|
|
|
|
github.com/go-git/go-billy/v5 v5.3.1 // indirect
|
|
|
|
github.com/gogo/protobuf v1.3.2 // indirect
|
2022-04-04 11:07:42 +03:00
|
|
|
github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
|
2021-09-02 01:13:04 +03:00
|
|
|
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
|
|
|
|
github.com/golang/protobuf v1.5.2 // indirect
|
2022-07-16 20:43:04 +03:00
|
|
|
github.com/google/go-github/v45 v45.2.0 // indirect
|
2021-09-08 19:01:34 +03:00
|
|
|
github.com/google/go-querystring v1.1.0 // indirect
|
2022-07-05 17:14:11 +03:00
|
|
|
github.com/google/uuid v1.3.0 // indirect
|
2021-09-02 01:13:04 +03:00
|
|
|
github.com/google/wire v0.5.0 // indirect
|
2022-07-05 17:14:11 +03:00
|
|
|
github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
|
2022-08-16 18:54:13 +03:00
|
|
|
github.com/googleapis/gax-go/v2 v2.5.1 // indirect
|
2022-04-14 11:04:49 +03:00
|
|
|
github.com/googleapis/go-type-adapters v1.0.0 // indirect
|
2021-09-02 01:13:04 +03:00
|
|
|
github.com/imdario/mergo v0.3.12 // indirect
|
|
|
|
github.com/inconshreveable/mousetrap v1.0.0 // indirect
|
|
|
|
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
|
|
|
|
github.com/jmespath/go-jmespath v0.4.0 // indirect
|
|
|
|
github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
|
2022-07-21 17:32:19 +03:00
|
|
|
github.com/klauspost/compress v1.15.8 // indirect
|
2022-01-11 20:57:07 +03:00
|
|
|
github.com/mattn/go-colorable v0.1.12 // indirect
|
2021-12-17 20:24:32 +03:00
|
|
|
github.com/mattn/go-isatty v0.0.14 // indirect
|
2021-11-08 21:57:03 +03:00
|
|
|
github.com/mattn/go-runewidth v0.0.13 // indirect
|
2021-09-02 01:13:04 +03:00
|
|
|
github.com/mitchellh/go-homedir v1.1.0 // indirect
|
|
|
|
github.com/opencontainers/go-digest v1.0.0 // indirect
|
2022-05-19 15:55:31 +03:00
|
|
|
github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect
|
2021-09-02 01:13:04 +03:00
|
|
|
github.com/pkg/errors v0.9.1 // indirect
|
2022-04-20 11:07:22 +03:00
|
|
|
github.com/prometheus/prometheus v2.5.0+incompatible // indirect
|
2021-11-08 21:57:03 +03:00
|
|
|
github.com/rivo/uniseg v0.2.0 // indirect
|
|
|
|
github.com/robfig/cron v1.2.0 // indirect
|
2021-09-02 01:13:04 +03:00
|
|
|
github.com/sergi/go-diff v1.1.0 // indirect
|
|
|
|
github.com/spf13/pflag v1.0.5 // indirect
|
2022-01-21 06:44:13 +03:00
|
|
|
github.com/vbatts/tar-split v0.11.2 // indirect
|
2021-09-02 01:13:04 +03:00
|
|
|
github.com/xanzy/ssh-agent v0.3.0 // indirect
|
|
|
|
github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
|
|
|
|
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
|
2022-04-04 11:07:42 +03:00
|
|
|
golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 // indirect
|
2022-07-28 17:26:39 +03:00
|
|
|
golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
|
2022-07-21 17:32:19 +03:00
|
|
|
golang.org/x/oauth2 v0.0.0-20220718184931-c8730f7fcb92 // indirect
|
2022-07-28 17:26:39 +03:00
|
|
|
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
|
|
|
|
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
|
2022-07-05 17:14:11 +03:00
|
|
|
golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
|
2022-08-16 18:54:13 +03:00
|
|
|
google.golang.org/api v0.92.0 // indirect
|
2021-09-02 01:13:04 +03:00
|
|
|
google.golang.org/appengine v1.6.7 // indirect
|
2022-08-06 16:26:37 +03:00
|
|
|
google.golang.org/grpc v1.48.0 // indirect
|
2021-09-02 01:13:04 +03:00
|
|
|
gopkg.in/warnings.v0 v0.1.2 // indirect
|
|
|
|
)
|
:seedling: Fix GO-2021-0089 vulnerability
The github.com/buger/jsonparser has this vulnerability.
"vulns": [
{
"id": "GO-2021-0089",
"package": {
"name": "github.com/buger/jsonparser",
"ecosystem": "Go"
},
"details": "Parsing malformed JSON which contain opening brackets, but not closing brackes,\nleads to an infinite loop. If operating on untrusted user input this can be\nused as a denial of service vector.\n",
"affects": {
"ranges": [
{
"type": "SEMVER",
"fixed": "0.0.0-20200321185410-91ac96899e49"
}
]
},
"aliases": [
"CVE-2020-10675"
],
"modified": "2021-04-14T12:00:00Z",
"published": "2021-04-14T12:00:00Z",
"ecosystem_specific": {
"symbols": [
"findKeyStart"
]
},
"database_specific": {
"source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json",
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0089.yaml"
},
"references": [
{
"type": "FIX",
"url": "https://github.com/buger/jsonparser/pull/192"
},
{
"type": "FIX",
"url": "https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717"
},
{
"type": "WEB",
"url": "https://github.com/buger/jsonparser/issues/188"
}
],
"affected": [
{
"package": {
"name": "github.com/buger/jsonparser",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20200321185410-91ac96899e49"
}
]
}
],
"ecosystem_specific": {
"symbols": [
"findKeyStart"
]
},
"database_specific": {
"source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json",
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0089.yaml"
}
}
]
},
{
"id": "GO-2021-0057",
"package": {
"name": "github.com/buger/jsonparser",
"ecosystem": "Go"
},
"details": "Due to improper bounds checking, maliciously crafted JSON objects\ncan cause an out-of-bounds panic. If parsing user input, this may\nbe used as a denial of service vector.\n",
"affects": {
"ranges": [
{
"type": "SEMVER",
"fixed": "1.1.1"
}
]
},
"aliases": [
"CVE-2020-35381"
],
"modified": "2021-04-14T12:00:00Z",
"published": "2021-04-14T12:00:00Z",
"ecosystem_specific": {
"symbols": [
"searchKeys"
]
},
"database_specific": {
"source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json",
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0057.yaml"
},
"references": [
{
"type": "FIX",
"url": "https://github.com/buger/jsonparser/pull/221"
},
{
"type": "FIX",
"url": "https://github.com/buger/jsonparser/commit/df3ea76ece10095374fd1c9a22a4fb85a44efc42"
},
{
"type": "WEB",
"url": "https://github.com/buger/jsonparser/issues/219"
}
],
"affected": [
{
"package": {
"name": "github.com/buger/jsonparser",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
]
}
],
"ecosystem_specific": {
"symbols": [
"searchKeys"
]
},
"database_specific": {
"url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0057.yaml",
"source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json"
}
}
]
}
]
}
2021-09-21 20:46:31 +03:00
|
|
|
|
2021-09-22 00:31:16 +03:00
|
|
|
replace (
|
|
|
|
// https://deps.dev/advisory/OSV/GO-2021-0057?from=%2Fgo%2Fgithub.com%252Fbuger%252Fjsonparser%2Fv1.0.0
|
|
|
|
github.com/buger/jsonparser => github.com/buger/jsonparser v1.1.1
|
|
|
|
// https://deps.dev/advisory/OSV/GO-2020-0017?from=%2Fgo%2Fk8s.io%252Fclient-go%2Fv0.0.0-20200207030105-473926661c44
|
|
|
|
github.com/dgrijalva/jwt-go v0.0.0-20170104182250-a601269ab70c => github.com/golang-jwt/jwt v3.2.1+incompatible
|
|
|
|
github.com/dgrijalva/jwt-go v3.2.0+incompatible => github.com/golang-jwt/jwt v3.2.1+incompatible
|
2022-02-23 18:41:05 +03:00
|
|
|
// This replace is for GHSA-qq97-vm5h-rrhg
|
|
|
|
github.com/docker/distribution => github.com/docker/distribution v2.8.0+incompatible
|
2021-09-22 05:01:01 +03:00
|
|
|
// https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2020-0020.yaml
|
|
|
|
github.com/gorilla/handlers => github.com/gorilla/handlers v1.3.0
|
2021-10-04 20:16:52 +03:00
|
|
|
// https://github.com/miekg/dns/issues/1037
|
|
|
|
github.com/miekg/dns => github.com/miekg/dns v1.1.25-0.20191211073109-8ebf2e419df7
|
2021-11-19 22:40:17 +03:00
|
|
|
//https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
|
|
|
|
github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2
|
2021-10-04 21:15:41 +03:00
|
|
|
// This replace is for https://nvd.nist.gov/vuln/detail/CVE-2021-3538
|
|
|
|
github.com/satori/go.uuid => github.com/satori/go.uuid v1.2.1-0.20181016170032-d91630c85102
|
2021-10-04 20:55:08 +03:00
|
|
|
// This replace is for https://github.com/advisories/GHSA-25xm-hr59-7c27
|
|
|
|
github.com/ulikunitz/xz => github.com/ulikunitz/xz v0.5.8
|
2022-02-23 18:41:05 +03:00
|
|
|
|
2021-09-22 00:31:16 +03:00
|
|
|
)
|