Cyclic dependency in packages is leading to use of vulnerable packages

[rhim]

To address the following vulnerability that exists in associated package

CVE-2021-3121 github.com/gogo/protobuf v1.1

we need to address client_golang and common's cyclic dependency, which is as follows:

github.com/prometheus/common@v0.4.1 github.com/gogo/protobuf@v1.1.1
github.com/prometheus/client_golang@v1.0.0 github.com/prometheus/common@v0.4.1
github.com/prometheus/common@v0.10.0 github.com/prometheus/client_golang@v1.0.0 
github.com/prometheus/client_golang@v1.7.1 github.com/prometheus/common@v0.10.0 
github.com/prometheus/common@v0.26.0 github.com/prometheus/client_golang@v1.7.1 
github.com/prometheus/client_golang@v1.11.0 github.com/prometheus/common@v0.26.0 
github.com/prometheus/common@v0.32.1 github.com/prometheus/client_golang@v1.11.0 
github.com/prometheus/client_golang@v1.12.1 github.com/prometheus/common@v0.32.1 

Can someone suggest a way to remove this cycle?

[bwplotka]

Yea I think there is no other way than trying to copy a code around to not import one on another. I don't know what common is importing from client_golang, but it might make more sense to get rid of client_golang usage of common - meaning to copy data model from it.

[bwplotka]

OR breaking what client_golang imports into separate module in common repo

[beorn7]

The vulnerable package is not actually used. It's just part of the graph due to the way the Go Modules dependency solver works. The cyclic dependency between modules is allowed (as long as there are no cyclic dependencies between packages). The bug is in the security scanner, not in prometheus/client_golang.

I don't think we should invest efforts into solving it here (if it is possible at all). The broken security scanners will run into the same problem with other Go Modules in the same situation.

[rhim]

How to prove definitively that package isn’t used? The vulnerability scanner is indeed going off go mod graph output. They would need to be told how to fix the issue. ***@***.*** about.me/rajhimanshu

…

________________________________ From: Björn Rabenstein ***@***.***> Sent: Tuesday, March 29, 2022 10:54:32 AM To: prometheus/client_golang ***@***.***> Cc: Himanshu Raj ***@***.***>; Author ***@***.***> Subject: Re: [prometheus/client_golang] Cyclic dependency in packages is leading to use of vulnerable packages (Issue #1012) The vulnerable package is not actually used. It's just part of the graph due to the way the Go Modules dependency solver works. The cyclic dependency between modules is allowed (as long as there are no cyclic dependencies between packages). The bug is in the security scanner, not in prometheus/client_golang. I don't think we should invest efforts into solving it here (if it is possible at all). The broken security scanners will run into the same problem with other Go Modules in the same situation. — Reply to this email directly, view it on GitHub<#1012 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ADEIYKORL6S4P7NOIY2ISMTVCM7VRANCNFSM5RMQU56A>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[rcousineau-xandr]

I was running into this as well... there are several closed issues on this repo + some closed issues on the prometheus/common repo too.

Linked to one of them was this pr: https://github.com/wavesplatform/gowaves/pull/678/files

I followed what they did in their project and added exclude github.com/gogo/protobuf v1.1.1 to my go.mod and that fixed it.