openshift-lab/demo-secure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update README.md

Browse Source
This commit is contained in:
gitea-admin 2026-05-20 07:05:24 +00:00
parent 352d79e5fc
commit 536980b306
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -2,14 +2,14 @@
Minimal Go HTTP service used by the RHADS supply-chain demo. Minimal Go HTTP service used by the RHADS supply-chain demo.
## The deliberate CVE ## Demo CVE
`go.mod` pins `github.com/dgrijalva/jwt-go v3.2.0+incompatible`, which has a `go.mod` pins `github.com/dgrijalva/jwt-go v3.2.0+incompatible`, which has a
documented vulnerability (CVE-2020-26160 — `alg=none` not rejected). The documented vulnerability (CVE-2020-26160 — `alg=none` not rejected). The
`/verify` handler actually calls into this library, so SBOM scanners pick the `/verify` handler actually calls into this library, so SBOM scanners pick the
dependency up as in-use and RHTPA flags it. dependency up as in-use and RHTPA flags it.
## Fixing the CVE (the "patch" act) ## Fixing the CVE
1. `go get github.com/golang-jwt/jwt/v5` 1. `go get github.com/golang-jwt/jwt/v5`
2. `go mod tidy` 2. `go mod tidy`