vulnerabilities in packages Telegraf depends on (Telegraf 1.18.2) #9225
Comments
Thanks for opening the issue! I just checked Telegraf 1.18.2 and we are on github.com/dgrijalva/jwt-go/v4; this is the PR that fixed it from Telegraf 1.16.2 onwards. Also, this PR updates apache/thrift to v0.13.0 and updates hashicorp/consul to v1.6.0, which should be included in 1.19.0. There is an existing issue also about upgrading to higher than v1.6.0 for hashicorp.
Thank you @helenosheaa. If jwt-go was fixed in 1.16.2, why is it flagged for 1.18.2? Do you know? Are you saying this is a false positive? Sorry @ssoroka, I didn't realize the title was in all caps :(
I'm not sure why it's flagging it; the only place I can see v3.2.0+incompatible is in our go.sum, but our go.mod only has the version v4.0.0-preview1 with the fix in it, and that's the only one we are importing into our packages. I'll link on here when the PR with the fix for the other ones gets released.
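The comment above points at a common source of scanner false positives: go.sum records checksums for every module version the go command has ever needed to verify, including versions that are no longer in the build, while go.mod lists what the module actually requires. The script below is an added example (not Telegraf's code and not from this thread) that parses a constructed go.mod and go.sum pair modelled on the situation described, and tells you for a scanner finding whether the flagged version is required, present only in go.sum, or absent. The module paths and versions are taken from the thread; the `h1:` checksums and the `github.com/example/app` module name are constructed placeholders. For a real repository the authoritative list of modules in the build is `go list -m all`, and `go mod why -m <module>` explains why a module is there; this script is only a first triage step you can run without a Go toolchain.

```python
"""Triage dependency-scanner findings against go.mod vs go.sum.

Added example. go.sum can legitimately contain versions that are not in the
build graph, so a finding that only matches go.sum needs verification with
`go list -m all` before it is treated as a real exposure.
"""
from typing import Dict, Set, Tuple

# Constructed go.mod modelled on the thread: only jwt-go/v4 is required.
GO_MOD = """\
module github.com/example/app

go 1.16

require (
\tgithub.com/dgrijalva/jwt-go/v4 v4.0.0-preview1
\tgithub.com/apache/thrift v0.13.0
)
"""

# Constructed go.sum: still carries the old v3.2.0+incompatible checksum lines.
# Checksums are placeholders, not real hashes.
GO_SUM = """\
github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:PLACEHOLDER1
github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:PLACEHOLDER2
github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 h1:PLACEHOLDER3
github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:PLACEHOLDER4
github.com/apache/thrift v0.13.0 h1:PLACEHOLDER5
github.com/apache/thrift v0.13.0/go.mod h1:PLACEHOLDER6
github.com/hashicorp/consul v1.6.0/go.mod h1:PLACEHOLDER7
"""


def parse_go_mod_requires(text: str) -> Dict[str, str]:
    """Return {module path: version} from single-line and block `require` directives."""
    reqs: Dict[str, str] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop "// indirect" style comments
        if not line:
            continue
        if in_block:
            if line == ")":
                in_block = False
                continue
            parts = line.split()
            if len(parts) >= 2:
                reqs[parts[0]] = parts[1]
        elif line.startswith("require") and line.endswith("("):
            in_block = True
        elif line.startswith("require "):
            parts = line.split()
            if len(parts) >= 3:
                reqs[parts[1]] = parts[2]
    return reqs


def parse_go_sum(text: str) -> Set[Tuple[str, str]]:
    """Return the set of (module, version) pairs; the '/go.mod' suffix is folded away."""
    entries: Set[Tuple[str, str]] = set()
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 3:
            continue  # go.sum lines are exactly: module version checksum
        mod, ver = parts[0], parts[1]
        if ver.endswith("/go.mod"):
            ver = ver[: -len("/go.mod")]
        entries.add((mod, ver))
    return entries


def classify_sum_entries(go_mod_text: str, go_sum_text: str) -> Dict[str, list]:
    """Split go.sum entries into required, go.sum-only, and required-but-missing."""
    required = set(parse_go_mod_requires(go_mod_text).items())
    in_sum = parse_go_sum(go_sum_text)
    return {
        "required": sorted(required & in_sum),
        "sum_only": sorted(in_sum - required),
        "missing_from_sum": sorted(required - in_sum),
    }


def triage_finding(go_mod_text: str, go_sum_text: str, module: str, version: str) -> str:
    """Classify one scanner finding: 'required', 'go.sum only', or 'absent'."""
    if parse_go_mod_requires(go_mod_text).get(module) == version:
        return "required"
    if (module, version) in parse_go_sum(go_sum_text):
        return "go.sum only"  # verify with `go list -m all` before acting on it
    return "absent"


if __name__ == "__main__":
    for bucket, items in classify_sum_entries(GO_MOD, GO_SUM).items():
        print(bucket, items)
    print(triage_finding(GO_MOD, GO_SUM, "github.com/dgrijalva/jwt-go", "v3.2.0+incompatible"))
```

A "go.sum only" result is not proof of a false positive: before Go 1.17, go.mod did not list every indirect dependency, so a version may still be in the build graph without a `require` line. Treat the classification as a pointer to what to confirm with the Go toolchain, and prune stale entries with `go mod tidy` so the scanner has less to misread.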
@vishiy Would you rescan now that #9238 is merged? If you need binaries for the scan you could use the PR CI build (#9238 (comment)) or the next nightly.
@reimda thanks. I tried with the last release (1.18.3). Below are the vulnerabilities I see on the dependencies.
I think I am going to go ahead and close this. We do have a security policy for notifying of potential CVEs. Please do use the email and steps in our SECURITY.md document. Thanks!
Please see the below CVEs with HIGH severity
Expected: No CVEs. Please upgrade to later packages (see the FIXED version in the image above for the Go packages).