You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I do not believe that this is a security issue, other than that it shows how easy it is for unvetted deep dependencies to make it into the dependencies of production apps.
This was fine through yesterday, but as of today, we are seeing Docker build issues around this dependency. We are still investigating whether our issues are due to this dependency, or if it's the following step of our process that is at fault. However, we are concerned about the inclusion of this module in production
This indirect dependency says the following in its repository:
This library is a toy proof-of-concept implementation of the
well-known Schonhage-Strassen method for multiplying integers.
It is not expected to have a real life usecase outside number
theory computations, nor is it expected to be used in any production
system.
If you are using it in your project, you may want to carefully
examine the actual requirement or problem you are trying to solve.
modernc.org/mathutil itself seems to point to a gitlab repo that is a mirror for a http://git.nic.cz repository that no longer exists.
This could all probably be fine as the go-sqlite library is only used in internal/appsec/waf_test.go, but it is part of the required modules for dd-trace-go, and so in the production dependencies for our application.
Is there another option for these tests or this library that would have a more robust dependency chain?
The text was updated successfully, but these errors were encountered:
Hi @bobholt, thanks for reaching out. We understand your concern about remyoudompheng/bigfft being potentially included in your builds.
You can confirm if that package is included in the final binary using the following command: go version -m /path/to/your/binary.
AFAIK, it shouldn't be included and it shouldn't be a security issue as you already pointed out because it's used only in test code, which isn't pulled in production binaries. Also, modernc.org/mathutil seems to be used by glebarez/go-sqlitein test code too.
@bobholt can you share more information about the docker build issue you experienced? I agree with @darccio that a test dependency of our library shouldn't impact your non-test builds. However, something clearly seem to have gone wrong here. So we'd be happy to investigate if there is anything we can do on our end to prevent build issues for you.
I do not believe that this is a security issue, other than that it shows how easy it is for unvetted deep dependencies to make it into the dependencies of production apps.
#2730 introduced a test-only dependency on https://github.com/glebarez/go-sqlite in commit 01e792d
This module depends on https://pkg.go.dev/modernc.org/mathutil, which then depends on https://github.com/remyoudompheng/bigfft
This was fine through yesterday, but as of today, we are seeing Docker build issues around this dependency. We are still investigating whether our issues are due to this dependency, or if it's the following step of our process that is at fault. However, we are concerned about the inclusion of this module in production
This indirect dependency says the following in its repository:
modernc.org/mathutil
itself seems to point to a gitlab repo that is a mirror for ahttp://git.nic.cz
repository that no longer exists.This could all probably be fine as the
go-sqlite
library is only used ininternal/appsec/waf_test.go
, but it is part of the required modules fordd-trace-go
, and so in the production dependencies for our application.Is there another option for these tests or this library that would have a more robust dependency chain?
The text was updated successfully, but these errors were encountered: