
Comments (4)

DarthHater commented on August 28, 2024

That is definitely odd! I'll see if I can recreate that today (I run Mac OS).

from nancy.

DarthHater commented on August 28, 2024

So I haven't used the downloaded binary yet, but I did use the new built version of Nancy from the UpgradeBadger branch, and I got:

nancy  UpgradeBadger🔒 ✏️ 2 go list -m all | ./nancy
Nancy version: development
badger 2019/11/12 13:51:24 INFO: All 1 tables opened in 0s
badger 2019/11/12 13:51:24 INFO: Replaying file id: 0 at offset: 36166
badger 2019/11/12 13:51:24 INFO: Replay took: 94.693µs
2019/11/12 13:51:25 Response: &{Status:200 OK StatusCode:200 Proto:HTTP/2.0 ProtoMajor:2 ProtoMinor:0 Header:map[Content-Length:[415] Content-Type:[application/vnd.ossindex.component-report.v1+json] Date:[Tue, 12 Nov 2019 21:51:25 GMT] Set-Cookie:[AWSALB=cPlHX1z1d8hIWWAcobJrZDjtJK1uZCq+iLxbMseaIpmOdQDVxCnqiO3k4Ce6ZxFOyY8BNsh+Yg8qUINltFO7qEEZEXgfdW0j8TEjplBjni42KXESY1tZ/ZM5x+d3; Expires=Tue, 19 Nov 2019 21:51:25 GMT; Path=/]] Body:{cs:0xc00966c140} ContentLength:415 TransferEncoding:[] Close:false Uncompressed:false Trailer:map[] Request:0xc009354000 TLS:0xc0096560b0}
badger 2019/11/12 13:51:25 DEBUG: Storing value log head: {Fid:0 Len:43 Offset:36750}
badger 2019/11/12 13:51:25 INFO: Got compaction priority: {level:0 score:1.73 dropPrefix:[]}
badger 2019/11/12 13:51:25 INFO: Running for level: 0
badger 2019/11/12 13:51:25 DEBUG: LOG Compact. Added 118 keys. Skipped 1 keys. Iteration took: 248.017µs
badger 2019/11/12 13:51:25 DEBUG: Discard stats: map[]
badger 2019/11/12 13:51:25 INFO: LOG Compact 0->1, del 2 tables, add 1 tables, took 26.416923ms
badger 2019/11/12 13:51:25 INFO: Compaction for level: 0 DONE
badger 2019/11/12 13:51:25 INFO: Force compaction on level 0 done
[1/51] pkg:golang/github.com/AndreasBriese/[email protected]    No known vulnerabilities against package/version
[2/51] pkg:golang/github.com/BurntSushi/[email protected]    No known vulnerabilities against package/version
[3/51] pkg:golang/github.com/Flaque/[email protected]    No known vulnerabilities against package/version
[4/51] pkg:golang/github.com/Masterminds/[email protected]    No known vulnerabilities against package/version
[5/51] pkg:golang/github.com/Masterminds/[email protected]    No known vulnerabilities against package/version
[6/51] pkg:golang/github.com/armon/[email protected]    No known vulnerabilities against package/version
[7/51] pkg:golang/github.com/armon/[email protected]    No known vulnerabilities against package/version
[8/51] pkg:golang/github.com/boltdb/[email protected]    No known vulnerabilities against package/version
[9/51] pkg:golang/github.com/coreos/[email protected]    No known vulnerabilities against package/version
[10/51] pkg:golang/github.com/cpuguy83/[email protected]    No known vulnerabilities against package/version
[11/51] pkg:golang/github.com/davecgh/[email protected]    No known vulnerabilities against package/version
[12/51] pkg:golang/github.com/dgraph-io/[email protected]    No known vulnerabilities against package/version
[13/51] pkg:golang/github.com/dgryski/[email protected]    No known vulnerabilities against package/version
[14/51] pkg:golang/github.com/dustin/[email protected]    No known vulnerabilities against package/version
[15/51] pkg:golang/github.com/fsnotify/[email protected]    No known vulnerabilities against package/version
[16/51] pkg:golang/github.com/golang/[email protected]    No known vulnerabilities against package/version
[17/51] pkg:golang/github.com/golang/[email protected]    No known vulnerabilities against package/version
[18/51] pkg:golang/github.com/google/[email protected]    No known vulnerabilities against package/version
[19/51] pkg:golang/github.com/hashicorp/[email protected]    No known vulnerabilities against package/version
[20/51] pkg:golang/github.com/inconshreveable/[email protected]    No known vulnerabilities against package/version
[21/51] pkg:golang/github.com/jmank88/[email protected]    No known vulnerabilities against package/version
[22/51] pkg:golang/github.com/logrusorgru/[email protected]    No known vulnerabilities against package/version
[23/51] pkg:golang/github.com/magiconair/[email protected]    No known vulnerabilities against package/version
[24/51] pkg:golang/github.com/mitchellh/[email protected]    No known vulnerabilities against package/version
[25/51] pkg:golang/github.com/mitchellh/[email protected]    No known vulnerabilities against package/version
[26/51] pkg:golang/github.com/nightlyone/[email protected]    No known vulnerabilities against package/version
[27/51] pkg:golang/github.com/pelletier/[email protected]    No known vulnerabilities against package/version
[28/51] pkg:golang/github.com/pkg/[email protected]    No known vulnerabilities against package/version
[29/51] pkg:golang/github.com/pmezard/[email protected]    No known vulnerabilities against package/version
[30/51] pkg:golang/github.com/russross/[email protected]    No known vulnerabilities against package/version
[31/51] pkg:golang/github.com/sdboyer/[email protected]    No known vulnerabilities against package/version
[32/51] pkg:golang/github.com/shopspring/[email protected]    No known vulnerabilities against package/version
[33/51] pkg:golang/github.com/spf13/[email protected]    No known vulnerabilities against package/version
[34/51] pkg:golang/github.com/spf13/[email protected]    No known vulnerabilities against package/version
[35/51] pkg:golang/github.com/spf13/[email protected]    No known vulnerabilities against package/version
[36/51] pkg:golang/github.com/spf13/[email protected]    No known vulnerabilities against package/version
[37/51] pkg:golang/github.com/spf13/[email protected]    No known vulnerabilities against package/version
[38/51] pkg:golang/github.com/spf13/[email protected]    No known vulnerabilities against package/version
[39/51] pkg:golang/github.com/stretchr/[email protected]    No known vulnerabilities against package/version
[40/51] pkg:golang/github.com/stretchr/[email protected]    No known vulnerabilities against package/version
[41/51] pkg:golang/github.com/ugorji/go/[email protected]    No known vulnerabilities against package/version
[42/51] pkg:golang/github.com/xordataexchange/[email protected]    No known vulnerabilities against package/version
------------------------------------------------------------
[43/51] pkg:golang/golang.org/x/[email protected]  [Vulnerable]    1 known vulnerabilities affecting installed version

[CVE-2019-11840]  Use of Insufficiently Random Values
An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation willfirst generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

ID:5121f5ff-9831-44a6-af2e-24f7301d1df7
Details:https://ossindex.sonatype.org/vuln/5121f5ff-9831-44a6-af2e-24f7301d1df7[44/51] pkg:golang/golang.org/x/[email protected]    No known vulnerabilities against package/version
[45/51] pkg:golang/golang.org/x/[email protected]    No known vulnerabilities against package/version
[46/51] pkg:golang/golang.org/x/[email protected]    No known vulnerabilities against package/version
[47/51] pkg:golang/golang.org/x/[email protected]    No known vulnerabilities against package/version
[48/51] pkg:golang/github.com/go-check/[email protected]    No known vulnerabilities against package/version
[49/51] pkg:golang/github.com/go-yaml/[email protected]    No known vulnerabilities against package/version
[50/51] pkg:golang/github.com/coreos/[email protected]%20incompatible    No known vulnerabilities against package/version
[51/51] pkg:golang/github.com/coreos/[email protected]%20incompatible    No known vulnerabilities against package/version

Audited dependencies: 51, Vulnerable: 1
nancy  UpgradeBadger🔒 ✏️ 2 echo $?
1

Nancy itself is Vulnerable right now on that branch due to a dependency of Badger, so it was a decent test.

I or @allenhsieh will give it a twirl with the downloaded version but maybe try that branch out?

from nancy.

bfarayev commented on August 28, 2024

Thanks for looking into it, @DarthHater. It might be my mistake actually.

I retried with both the new (v0.0.35) and old (v0.0.33) pre-built packages and both worked fine. I tried both with the UpgradeBadger branch and another vulnerable repo of mine. Both worked as expected and I got exit 1.

I also built from source and tried it in both projects; it worked fine as well. I think we can close this issue.

from nancy.

bfarayev commented on August 28, 2024

Closing this issue now.

from nancy.
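
The check carried out by hand in this thread (run the audit, then `echo $?`) can be automated in CI by comparing the exit status with the report itself. The script below is an added example, not part of nancy or of any comment above; `audit_gate`, `sample_vulnerable` and the sample report are constructed for illustration, and the report layout is assumed to match the output pasted earlier in the thread.

```shell
#!/bin/sh
# Added example. audit_gate and the sample report are constructed here.
# Usage: go list -m all | nancy > report.txt; audit_gate $? < report.txt
# Returns 0 = clean, 1 = vulnerable, 2 = report and exit status disagree.
audit_gate() {
    status=$1
    report=$(cat)
    # In the report above the summary line comes last; no summary means the
    # report is truncated or empty and must not be read as "clean".
    summary=$(printf '%s\n' "$report" |
        sed -n 's/^Audited dependencies: \([0-9][0-9]*\), Vulnerable: \([0-9][0-9]*\)$/\1 \2/p' |
        tail -n 1)
    [ -n "$summary" ] || return 2
    audited=${summary% *}
    vulnerable=${summary#* }
    # Count matches, not lines: in the report above, entry [44/51] is fused
    # onto the preceding "Details:" line.
    listed=$(printf '%s\n' "$report" |
        grep -o '\[[0-9][0-9]*/[0-9][0-9]*] pkg:' | wc -l | tr -d ' ')
    flagged=$(printf '%s\n' "$report" |
        grep -o '] pkg:[^ ]*  *\[Vulnerable]' | wc -l | tr -d ' ')
    [ "$listed" -eq "$audited" ] || return 2
    [ "$flagged" -eq "$vulnerable" ] || return 2
    if [ "$vulnerable" -gt 0 ]; then
        # Findings with exit status 0 would let a CI job pass silently.
        [ "$status" -ne 0 ] || return 2
        return 1
    fi
    [ "$status" -eq 0 ] || return 2
    return 0
}

# Constructed report in the layout shown above; module names, the finding
# ID and the URL are placeholders.
sample_vulnerable() {
cat <<'EOF'
[1/3] pkg:golang/example.com/alpha@v1.0.0    No known vulnerabilities against package/version
------------------------------------------------------------
[2/3] pkg:golang/example.com/beta@v2.0.0  [Vulnerable]    1 known vulnerabilities affecting installed version

[PLACEHOLDER-ID]  Constructed finding
ID:00000000-0000-0000-0000-000000000000
Details:https://example.invalid/vuln/placeholder[3/3] pkg:golang/example.com/gamma@v3.0.0    No known vulnerabilities against package/version

Audited dependencies: 3, Vulnerable: 1
EOF
}

sample_vulnerable | audit_gate 1 || echo "gate returned $?"
```

A return value of 2 is the case worth alerting on separately: it means the build result cannot be trusted in either direction.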
