Description
Hello!
We are using ansible-operator-plugins for some internal developments, and after performing SAST on the project we noticed that the protobuf version in use is vulnerable to several attacks:
✗ Medium severity vulnerability found in google.golang.org/protobuf/internal/encoding/json
Description: Infinite loop
Info: LINK
Introduced through: google.golang.org/protobuf/internal/encoding/json@v1.31.0
From: google.golang.org/protobuf/internal/encoding/json@v1.31.0
Fixed in: 1.33.0
CVE: LINK
✗ Medium severity vulnerability found in google.golang.org/protobuf/encoding/protojson
Description: Stack-based Buffer Overflow
Info: LINK
Introduced through: google.golang.org/protobuf/encoding/protojson@v1.31.0
From: google.golang.org/protobuf/encoding/protojson@v1.31.0
Fixed in: 1.32.0
✗ Medium severity vulnerability found in google.golang.org/protobuf/encoding/protojson
Description: Infinite loop
Info: LINK
Introduced through: google.golang.org/protobuf/encoding/protojson@v1.31.0
From: google.golang.org/protobuf/encoding/protojson@v1.31.0
Fixed in: 1.33.0
Vulnerability Report: LINK
Would it be possible to update the protobuf version to the most recent version? Thank you!