Tags: go, github, go-modules, dependabot, google-api-go-client

Golang: what to do with google.golang.org/api obsolete dependencies on golang.org/x/net


Recently GitHub Dependabot complained about some dependencies in my project which are vulnerable to DoS, have a "Broken or Risky Cryptographic Algorithm", and have a bug with "Uncontrolled Resource Consumption".

Specifically, it is warning me about CVE-2022-27664 for the golang.org/x/net module, and CVE-2022-27191 and CVE-2022-32149 for others.

What I did is to run "go get -u" on all the modules used there. Obviously, it didn't solve the problem. Then I started to look for module dependencies with "go mod graph". It took a while, and here is the dependency sequence I've found:

google.golang.org/api@v0.114.0 =>
go.opencensus.io@v0.24.0 =>
google.golang.org/grpc@v1.33.2 =>
github.com/envoyproxy/go-control-plane@v0.9.4 =>
google.golang.org/genproto@v0.0.0-20190819201941-24fa4b261c55 =>
golang.org/x/tools@v0.0.0-20190226205152-f727befe758c =>
google.golang.org/appengine@v1.4.0 =>
golang.org/x/net@v0.0.0-20180724234803-3673e40ba225

Which means that the most recent google.golang.org/api package (from Mar 17, 2023) causes a dependency on golang.org/x/net from 2018.

I see a lot of dependencies on the old net module from other google packages:

cloud.google.com/go/compute@v1.19.0 golang.org/x/net@v0.8.0
github.com/googleapis/gax-go/v2@v2.8.0 golang.org/x/net@v0.7.0
go.opencensus.io@v0.24.0 golang.org/x/net@v0.0.0-20201110031124-69a78807bb2b
golang.org/x/crypto@v0.7.0 golang.org/x/net@v0.8.0
golang.org/x/oauth2@v0.6.0 golang.org/x/net@v0.8.0
google.golang.org/api@v0.114.0 golang.org/x/net@v0.8.0
google.golang.org/appengine@v1.6.7 golang.org/x/net@v0.0.0-20190603091049-60506f45cf65
google.golang.org/genproto@v0.0.0-20230323212658-478b75c54725 golang.org/x/net@v0.8.0
google.golang.org/grpc@v1.54.0 golang.org/x/net@v0.8.0
golang.org/x/crypto@v0.6.0 golang.org/x/net@v0.6.0
google.golang.org/grpc@v1.33.2 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
golang.org/x/tools@v0.1.12 golang.org/x/net@v0.0.0-20220722155237-a158d28d115b
golang.org/x/crypto@v0.0.0-20200622213623-75b288015ac9 golang.org/x/net@v0.0.0-20190404232315-eb5bcb51f2a3
golang.org/x/crypto@v0.0.0-20210921155107-089bfa567519 golang.org/x/net@v0.0.0-20210226172049-e18ecbb05110
golang.org/x/tools@v0.0.0-20191119224855-298f0cb1881e golang.org/x/net@v0.0.0-20190620200207-3b0461eec859
google.golang.org/grpc@v1.25.1 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
golang.org/x/tools@v0.0.0-20190524140312-2c0ae7006135 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
google.golang.org/grpc@v1.27.0 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
golang.org/x/tools@v0.0.0-20190226205152-f727befe758c golang.org/x/net@v0.0.0-20190213061140-3a22650c66bd
google.golang.org/grpc@v1.19.0 golang.org/x/net@v0.0.0-20180826012351-8a410e7b638d
golang.org/x/tools@v0.0.0-20190311212946-11955173bddd golang.org/x/net@v0.0.0-20190311183353-d8887717615a
google.golang.org/grpc@v1.23.0 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
google.golang.org/appengine@v1.4.0 golang.org/x/net@v0.0.0-20180724234803-3673e40ba225

I've checked the github.com/googleapis/google-api-go-client repository and found this issue: https://github.com/googleapis/google-api-go-client/issues/1048. It describes the same problem, but later user hashier says that since the "go list -m all" command shows the latest version, it's not an issue.

So, the main question is: Is that an issue or not and why?

I just don't know what should be fixed here: GitHub Dependabot checks or google-api-go-client module dependencies.
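An added example, not code from the question or from the google-api-go-client project: a small Go program that reads "go mod graph" output and does what the question did by hand. It uses a hypothetical root module example.com/app and a sample graph constructed from the chain quoted above. It replays minimal version selection (for every module path, the highest version required anywhere in the graph is the one that gets built, which is why "go list -m all" reports golang.org/x/net v0.8.0 even though the 2018 pseudo-version is still in the graph) and prints the requirement chain that drags the old version in. Version ordering is simplified to what module graphs actually contain (canonical semver and pseudo-versions); replace and exclude directives are ignored.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed `go mod graph` sample ("parent child" per line): a hypothetical
// root module example.com/app plus the chain quoted in the question.
const sampleGraph = `example.com/app google.golang.org/api@v0.114.0
google.golang.org/api@v0.114.0 go.opencensus.io@v0.24.0
google.golang.org/api@v0.114.0 golang.org/x/net@v0.8.0
go.opencensus.io@v0.24.0 google.golang.org/grpc@v1.33.2
google.golang.org/grpc@v1.33.2 github.com/envoyproxy/go-control-plane@v0.9.4
github.com/envoyproxy/go-control-plane@v0.9.4 google.golang.org/genproto@v0.0.0-20190819201941-24fa4b261c55
google.golang.org/genproto@v0.0.0-20190819201941-24fa4b261c55 golang.org/x/tools@v0.0.0-20190226205152-f727befe758c
golang.org/x/tools@v0.0.0-20190226205152-f727befe758c google.golang.org/appengine@v1.4.0
google.golang.org/appengine@v1.4.0 golang.org/x/net@v0.0.0-20180724234803-3673e40ba225`

type edge struct{ from, to string }

// parseGraph turns `go mod graph` text into edges, skipping blank lines.
func parseGraph(text string) []edge {
	var edges []edge
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges = append(edges, edge{f[0], f[1]})
		}
	}
	return edges
}

// versionKey maps a canonical module version to a string whose lexical order is
// Go's version order: zero-padded major.minor.patch, then "~" for a release,
// which sorts above "-"+pre-release. Hence v0.0.0-20180724234803-3673e40ba225
// < v0.0.0 < v0.8.0, and pseudo-versions with one core order by timestamp.
func versionKey(v string) string {
	v = strings.SplitN(strings.TrimPrefix(v, "v"), "+", 2)[0] // drop +incompatible
	parts := strings.SplitN(v, "-", 2)
	var key string
	for _, p := range strings.Split(parts[0], ".") {
		n, _ := strconv.Atoi(p)
		key += fmt.Sprintf("%08d.", n)
	}
	if len(parts) == 2 {
		return key + "-" + parts[1]
	}
	return key + "~"
}

// selectedVersions replays minimal version selection: for each module path the
// highest version required anywhere in the graph wins (replace/exclude ignored).
func selectedVersions(edges []edge) map[string]string {
	sel := map[string]string{}
	for _, e := range edges {
		if i := strings.LastIndex(e.to, "@"); i >= 0 { // the root node has no @version
			path, ver := e.to[:i], e.to[i+1:]
			if cur, ok := sel[path]; !ok || versionKey(ver) > versionKey(cur) {
				sel[path] = ver
			}
		}
	}
	return sel
}

// pathTo returns the shortest requirement chain from root to target (BFS), the
// chain the question reconstructed by hand, or nil if target is unreachable.
func pathTo(edges []edge, root, target string) []string {
	children := map[string][]string{}
	for _, e := range edges {
		children[e.from] = append(children[e.from], e.to)
	}
	prev := map[string]string{root: ""}
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		if queue[0] == target {
			var path []string
			for n := target; n != ""; n = prev[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, c := range children[queue[0]] {
			if _, seen := prev[c]; !seen {
				prev[c] = queue[0]
				queue = append(queue, c)
			}
		}
	}
	return nil
}

func main() {
	edges := parseGraph(sampleGraph)
	sel := selectedVersions(edges)
	fmt.Println("golang.org/x/net in the build list:", sel["golang.org/x/net"])
	old := "golang.org/x/net@v0.0.0-20180724234803-3673e40ba225"
	fmt.Println("why it is in the graph:", strings.Join(pathTo(edges, "example.com/app", old), " => "))
}
```

On a real project, feed it the output of "go mod graph" instead of the constant. The same two answers are available from the toolchain directly: "go list -m all" prints the selected versions, "go mod why -m golang.org/x/net" prints the requirement chain, and "govulncheck ./..." reports only vulnerabilities in the versions that are actually selected and in code the build reaches, which is the check that settles whether a Dependabot alert on an old graph entry matters.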


Solution

  • Time to answer this.

    As I found out by experimenting with go mod graph, checking all the packages in my project one by one in a separate draft repository, these vulnerable dependencies were coming from another repository: github.com/go-gorm/postgres.

    So I was mistaken in determining where the vulnerable dependencies came from. Obviously it was due to the enormous dependency graph:

    [0] $ go mod graph | wc
        667    1334   56113
    

    If someone is looking for a way to visualize project dependencies, here it is:

    go mod graph | modgv | dot -Tsvg -o graph.svg
    

    Turning back to the initial problem: it was caused by the old version of Go used in github.com/go-gorm/postgres. As I understood, the only way to fix it is to upgrade the Go version to 1.18. If the version is lower, go mod graph shows a lot of vulnerable packages.