SASTBot dependency updates from indirects in managed projects
In the last round of SASTBot Monthly dependency updates, two of the projects that I'm assigned to (flawfinder and security-code-scan) had the same two CA vulns, each suggesting upgrading `github.com/go-git/go-git/v5` from v5.4.2 to v5.11.0.
This suggests applying the same update in flawfinder and in security-code-scan.
Both dependencies are indirect, though (the requirement is marked `// indirect` in go.mod), meaning that no package from go-git is imported by either project; it's listed in go.mod only because some dependency (or a dependency of a dependency, ...) uses go-git. `go mod why` can find the (shortest) import chain for us (it takes a package path; use `go mod why -m` to ask about a module, which for go-git is the same path):
```
flawfinder % go mod why github.com/go-git/go-git/v5
# github.com/go-git/go-git/v5
gitlab.com/gitlab-org/security-products/analyzers/flawfinder/v2
gitlab.com/gitlab-org/security-products/analyzers/ruleset/v2
github.com/go-git/go-git/v5
```
So ruleset directly depends on the vulnerable version of go-git, and we should update it there instead of in every downstream project. Once ruleset has bumped go-git, flawfinder and security-code-scan pick up the fix by bumping ruleset and running `go mod tidy`, which rewrites their `// indirect` go-git line to the new version. Note: we've seen this vuln before and handled it downstream in brakeman.