Zombie Dependencies


CVE Scans

✗ High severity vulnerability found in github.com/satori/go.uuid
Description: Insecure Randomness
Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488
✗ High severity vulnerability found in github.com/miekg/dns
Description: Insecure Randomness
Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMIEKGDNS-537825
✗ High severity vulnerability found in github.com/dgrijalva/jwt-go
Description: Access Restriction Bypass
Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515

go.uuid

Signs of a zombie dependency.
$ go mod why github.com/satori/go.uuid
# github.com/satori/go.uuid
k8s.io/kubernetes/cmd/cloud-controller-manager
k8s.io/legacy-cloud-providers/azure
github.com/Azure/azure-sdk-for-go/storage
github.com/satori/go.uuid

It’s Never DNS

$ go mod why github.com/miekg/dns
k8s.io/kubernetes/pkg/proxy/winuserspace
github.com/miekg/dns

JWT, My Old Friend

$ go mod why github.com/dgrijalva/jwt-go
# github.com/dgrijalva/jwt-go
k8s.io/kubernetes/pkg/volume/glusterfs
github.com/heketi/heketi/client/api/go-client
github.com/dgrijalva/jwt-go
Uh oh.
github.com/auth0/go-jwt-middleware
github.com/spf13/viper
go.etcd.io/etcd
$ go mod graph | grep jwt
github.com/spf13/viper@v1.7.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
go.etcd.io/etcd/server/v3@v3.5.0-pre github.com/dgrijalva/jwt-go@v3.2.0+incompatible

Wat?

A seemingly circular import that is actually still acyclic: the modules involved are pulled in at different versions, and each module@version is a distinct node in the module graph, so no node ever reaches itself.
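The `go mod why` and `go mod graph | grep jwt` steps above leave the reader to stitch the paths together by hand. The program below is an added example, not code from the original post or from the Kubernetes project: it parses output in the `go mod graph` line format, lists every route from the main module to any version of a target module, and then shows why a graph that looks circular once you ignore versions is still acyclic over module@version nodes. The sample graph is constructed: the viper and etcd edges to jwt-go copy the page's output, while the heketi version and the example.com modules are invented to illustrate the version split.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sampleGraph is a constructed sample in the format `go mod graph` prints:
// "<module[@version]> <dependency@version>", one edge per line, main module
// unversioned. The jwt-go edges mirror the page; the heketi version and the
// example.com modules (an apparent cycle across versions) are invented here.
const sampleGraph = `k8s.io/kubernetes github.com/heketi/heketi@v0.0.0-sample
k8s.io/kubernetes github.com/spf13/viper@v1.7.0
k8s.io/kubernetes go.etcd.io/etcd/server/v3@v3.5.0-pre
k8s.io/kubernetes example.com/alpha@v1.1.0
github.com/heketi/heketi@v0.0.0-sample github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/spf13/viper@v1.7.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
go.etcd.io/etcd/server/v3@v3.5.0-pre github.com/dgrijalva/jwt-go@v3.2.0+incompatible
example.com/alpha@v1.1.0 example.com/beta@v1.0.0
example.com/beta@v1.0.0 example.com/alpha@v1.0.0
example.com/alpha@v1.0.0 example.com/gamma@v1.0.0
`

// modulePath strips the "@version" suffix from a go mod graph node.
func modulePath(node string) string {
	if i := strings.LastIndex(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// parseGraph builds an adjacency list keyed by the exact node text (module@version).
func parseGraph(text string) map[string][]string {
	adj := map[string][]string{}
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue // skip blank or malformed lines
		}
		adj[f[0]] = append(adj[f[0]], f[1])
		if _, ok := adj[f[1]]; !ok {
			adj[f[1]] = nil // register leaf nodes so the cycle check sees them
		}
	}
	return adj
}

// collapseVersions merges every version of a module into one node, which is how
// the output of `go mod graph | grep foo` reads to a human and where the "cycle" appears.
func collapseVersions(adj map[string][]string) map[string][]string {
	out := map[string][]string{}
	for from, tos := range adj {
		p := modulePath(from)
		if _, ok := out[p]; !ok {
			out[p] = nil
		}
		for _, to := range tos {
			out[p] = append(out[p], modulePath(to))
		}
	}
	return out
}

// whyPaths returns every path from root to any version of target, sorted; like
// `go mod why` but listing all routes instead of a single one.
func whyPaths(adj map[string][]string, root, target string) [][]string {
	var paths [][]string
	onPath := map[string]bool{}
	var walk func(node string, trail []string)
	walk = func(node string, trail []string) {
		if onPath[node] {
			return // cannot happen in a valid module graph, but guards the recursion
		}
		trail = append(trail, node)
		if modulePath(node) == target {
			paths = append(paths, append([]string(nil), trail...))
			return
		}
		onPath[node] = true
		for _, next := range adj[node] {
			walk(next, trail)
		}
		onPath[node] = false
	}
	walk(root, nil)
	sort.Slice(paths, func(i, j int) bool {
		return strings.Join(paths[i], " ") < strings.Join(paths[j], " ")
	})
	return paths
}

// hasCycle reports whether the directed graph contains a cycle (DFS with stack marking).
func hasCycle(adj map[string][]string) bool {
	state := map[string]int{} // 0 unvisited, 1 on the current DFS stack, 2 finished
	var visit func(string) bool
	visit = func(n string) bool {
		if state[n] == 1 {
			return true
		}
		if state[n] == 2 {
			return false
		}
		state[n] = 1
		for _, m := range adj[n] {
			if visit(m) {
				return true
			}
		}
		state[n] = 2
		return false
	}
	for n := range adj {
		if visit(n) {
			return true
		}
	}
	return false
}

func main() {
	adj := parseGraph(sampleGraph)
	for _, p := range whyPaths(adj, "k8s.io/kubernetes", "github.com/dgrijalva/jwt-go") {
		fmt.Println(strings.Join(p, " -> "))
	}
	fmt.Println("cycle in module@version graph:", hasCycle(adj))
	fmt.Println("cycle after dropping versions:", hasCycle(collapseVersions(adj)))
}
```

Run it against real output by piping `go mod graph` into the program instead of using the embedded sample. The point of the two cycle checks is the one the caption makes: example.com/alpha appears on both ends of a chain, but as alpha@v1.1.0 and alpha@v1.0.0, so the graph Go actually resolves is acyclic, and only the version-blind view a grep gives you looks circular.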

Now What?

Sometimes things do go right.

Wrapping Up

* These will change in arbitrary OS updates and in unpredictable ways.

* When your program breaks, you get to keep both pieces.

Dan Lorenc, Founder/CEO at Chainguard
