
Questionable Dependency in internal/appsec/waf_test.go #2822

Open
bobholt opened this issue Aug 19, 2024 · 2 comments
bobholt commented Aug 19, 2024

I do not believe that this is a security issue, other than that it shows how easy it is for unvetted deep dependencies to make it into the dependencies of production apps.

#2730 introduced a test-only dependency on https://github.com/glebarez/go-sqlite in commit 01e792d

This module depends on https://pkg.go.dev/modernc.org/mathutil, which then depends on https://github.com/remyoudompheng/bigfft

This was fine through yesterday, but as of today, we are seeing Docker build issues around this dependency. We are still investigating whether our issues are due to this dependency, or if it's the following step of our process that is at fault. However, we are concerned about the inclusion of this module in production.

This indirect dependency says the following in its repository:

This library is a toy proof-of-concept implementation of the
well-known Schonhage-Strassen method for multiplying integers.
It is not expected to have a real life usecase outside number
theory computations, nor is it expected to be used in any production
system.

If you are using it in your project, you may want to carefully
examine the actual requirement or problem you are trying to solve.

modernc.org/mathutil itself seems to point to a GitLab repo that is a mirror for an http://git.nic.cz repository that no longer exists.

This could all probably be fine as the go-sqlite library is only used in internal/appsec/waf_test.go, but it is part of the required modules for dd-trace-go, and so in the production dependencies for our application.

Is there another option for these tests or this library that would have a more robust dependency chain?

@github-actions github-actions bot added the needs-triage label (New issues that have not yet been triaged) Aug 19, 2024
@darccio darccio removed the needs-triage label (New issues that have not yet been triaged) Aug 20, 2024
@darccio darccio self-assigned this Aug 20, 2024
Member

darccio commented Aug 20, 2024

Hi @bobholt, thanks for reaching out. We understand your concern about remyoudompheng/bigfft being potentially included in your builds.

You can confirm if that package is included in the final binary using the following command: go version -m /path/to/your/binary.

AFAIK, it shouldn't be included and it shouldn't be a security issue as you already pointed out because it's used only in test code, which isn't pulled in production binaries. Also, modernc.org/mathutil seems to be used by glebarez/go-sqlite in test code too.

If you need further support, please open a support ticket.
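The check described above can be automated. The following Go program is an added example for this thread; it is not code from the issue, from dd-trace-go, or from any of the projects mentioned. It feeds the text printed by `go version -m <binary>` into the standard library's `runtime/debug.ParseBuildInfo` (after stripping the `<binary>: go1.xx` header and the tab indent that `go version -m` adds) and reports whether the module paths discussed here appear among the linked dependencies, including modules reached through a `replace` directive. The embedded sample output, module versions, the `example.com/app` and `github.com/example/forked` module paths and the `h1:` sums are constructed for illustration and are not real build data.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"runtime/debug"
	"strings"
)

// SampleGoVersionOutput is a constructed stand-in for what
// `go version -m ./app` prints for a binary that imports dd-trace-go.
// Versions, the replaced module and the h1: sums are made up; they are
// not real build data.
const SampleGoVersionOutput = "./app: go1.22.5\n" +
	"\tpath\texample.com/app\n" +
	"\tmod\texample.com/app\t(devel)\t\n" +
	"\tdep\tgopkg.in/DataDog/dd-trace-go.v1\tv1.66.0\th1:constructed-sum-not-real=\n" +
	"\tdep\tgithub.com/example/forked\tv1.2.0\n" +
	"\t=>\tgithub.com/example/forked-fork\tv1.2.1\th1:constructed-sum-not-real=\n" +
	"\tbuild\t-buildmode=exe\n" +
	"\tbuild\tCGO_ENABLED=0\n"

// ParseGoVersionOutput turns the text printed by `go version -m <binary>`
// into a *debug.BuildInfo. `go version -m` prefixes the listing with a
// "<binary>: go1.xx" header and indents every other line with a tab,
// while debug.ParseBuildInfo (standard library, Go 1.18+) expects the plain
// BuildInfo.String() layout, so the header and indent are stripped first.
// Plain BuildInfo.String() text is accepted as well.
func ParseGoVersionOutput(out string) (*debug.BuildInfo, error) {
	goVersion := ""
	var b strings.Builder
	for i, line := range strings.Split(out, "\n") {
		if i == 0 {
			if _, ver, ok := strings.Cut(line, ": "); ok && strings.HasPrefix(ver, "go") {
				goVersion = ver // header line, not part of the build info
				continue
			}
		}
		line = strings.TrimPrefix(line, "\t")
		if line == "" {
			continue
		}
		if strings.HasPrefix(line, "go\t") {
			goVersion = line[len("go\t"):] // ParseBuildInfo skips this line
			continue
		}
		b.WriteString(line)
		b.WriteByte('\n')
	}
	bi, err := debug.ParseBuildInfo(b.String())
	if err != nil {
		return nil, err
	}
	bi.GoVersion = goVersion
	return bi, nil
}

// FindModule reports the version of module path p linked into the binary
// described by bi. It checks both the recorded dependency and any replace
// target, so a `replace` directive cannot hide where code really came from.
func FindModule(bi *debug.BuildInfo, p string) (version string, found bool) {
	for _, d := range bi.Deps {
		if d.Path == p {
			return d.Version, true
		}
		if d.Replace != nil && d.Replace.Path == p {
			return d.Replace.Version, true
		}
	}
	return "", false
}

func main() {
	// Modules discussed in this issue; more paths may be given as arguments.
	watch := append([]string{
		"github.com/glebarez/go-sqlite",
		"modernc.org/mathutil",
		"github.com/remyoudompheng/bigfft",
	}, os.Args[1:]...)

	// Read `go version -m` output from a pipe; fall back to the sample.
	input := SampleGoVersionOutput
	if fi, err := os.Stdin.Stat(); err == nil && fi.Mode()&os.ModeCharDevice == 0 {
		data, err := io.ReadAll(os.Stdin)
		if err != nil {
			fmt.Fprintln(os.Stderr, "read stdin:", err)
			os.Exit(2)
		}
		input = string(data)
	}
	bi, err := ParseGoVersionOutput(input)
	if err != nil {
		fmt.Fprintln(os.Stderr, "parse:", err)
		os.Exit(2)
	}
	fmt.Printf("%s built with %s, %d modules linked\n", bi.Path, bi.GoVersion, len(bi.Deps))
	status := 0
	for _, p := range watch {
		if v, ok := FindModule(bi, p); ok {
			fmt.Printf("LINKED  %s %s\n", p, v)
			status = 1 // non-zero so a CI step can fail on an unwanted module
		} else {
			fmt.Printf("absent  %s\n", p)
		}
	}
	os.Exit(status)
}
```

Usage: `go version -m /path/to/your/binary | go run check.go`, where check.go is the file above. The program reads the build info the Go linker embeds in the binary, which lists only modules that contribute compiled packages, so a module imported solely from `_test.go` files, as go-sqlite is in internal/appsec/waf_test.go, does not appear there even though it is present in go.mod and go.sum. To inspect a binary directly instead of going through `go version -m`, the standard library's `debug/buildinfo.ReadFile` returns the same `*debug.BuildInfo`; and `go mod why -m github.com/remyoudompheng/bigfft` prints the import chain that pulls the module into the module graph in the first place.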

Member

felixge commented Aug 28, 2024

@bobholt can you share more information about the docker build issue you experienced? I agree with @darccio that a test dependency of our library shouldn't impact your non-test builds. However, something clearly seems to have gone wrong here. So we'd be happy to investigate if there is anything we can do on our end to prevent build issues for you.
