# demo-secure

Minimal Go HTTP service used by the RHADS supply-chain demo.

## The deliberate CVE

`go.mod` pins `github.com/dgrijalva/jwt-go v3.2.0+incompatible`, which has a documented vulnerability: CVE-2020-26160, an audience (`aud`) check bypass. The library type-asserts the `aud` claim to a `string`, so a token whose `aud` is a JSON array (which RFC 7519 permits) is treated as having an empty audience and passes a non-required audience check for any caller. The `/verify` handler actually calls into this library, so SBOM scanners pick the dependency up as in-use and RHTPA flags it.

## Fixing the CVE (the "patch" act)

1. `go get github.com/golang-jwt/jwt/v5`
2. Update the import in `main.go` from `github.com/dgrijalva/jwt-go` to `github.com/golang-jwt/jwt/v5`
3. `go mod tidy` (run it after the import change: run before, it drops the not-yet-imported v5 requirement again, and it only removes `dgrijalva/jwt-go` once nothing imports it)
4. Commit and push: the Tekton pipeline rebuilds and re-signs, ArgoCD redeploys, and the RHTPA dashboard flips from red to green.

Two caveats. `golang-jwt/jwt` v5 is a maintained fork but not a pure drop-in for v3: `jwt.Parse` and `jwt.MapClaims` keep their shape, but `StandardClaims` is gone (use `RegisteredClaims`), so expect to touch more than the import line if the handler uses typed claims. And whichever version you land on, restrict the accepted signing algorithms in the parser (`jwt.WithValidMethods`) and check the audience explicitly rather than trusting what the token header or claims happen to say. After the redeploy, `GET /version` on the new pod should list `golang-jwt/jwt/v5` and no longer `dgrijalva/jwt-go`.

## Endpoints

- `GET /` — landing page
- `GET /version` — JSON with Go version + dep list (proves which JWT lib is shipped)
- `GET /healthz` — liveness probe target
- `POST /verify` — `Authorization: Bearer <token>` → returns claims if valid
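The audience bypass behind CVE-2020-26160 and the algorithm pinning a `/verify` handler needs, as an added standard-library-only illustration (this is not the project's `main.go` and not code from either jwt library): `audienceMatchesBuggy` models the failure mode the advisory describes, `audienceMatches` is the corrected check, and `parseAndVerify` pins `alg` to HS256 in code instead of trusting the token header. The key, claims and function names are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var demoKey = []byte("demo-secure-illustration-key") // constructed key for this illustration, not a project secret

// signHS256 mints a compact JWS over claims with a fixed HS256 header (test helper).
func signHS256(claims map[string]any, key []byte) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	payload := base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(hdr + "." + payload))
	return hdr + "." + payload + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// parseAndVerify checks the signature and returns the raw claims. The accepted
// algorithm is pinned to HS256, so a header claiming "alg":"none" is rejected.
func parseAndVerify(token string, key []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: expected 3 segments")
	}
	var raw [3][]byte
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
		raw[i] = b
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "HS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(raw[2], mac.Sum(nil)) {
		return nil, fmt.Errorf("bad signature")
	}
	var claims map[string]any
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// audienceMatchesBuggy models the CVE-2020-26160 failure mode: aud is type-asserted
// to string, so an array-valued aud becomes "" and a non-required check passes.
func audienceMatchesBuggy(claims map[string]any, want string, required bool) bool {
	aud, _ := claims["aud"].(string) // silently "" when aud is a JSON array
	if aud == "" {
		return !required
	}
	return aud == want
}

// audienceMatches is the corrected check: aud may be a string or an array
// (RFC 7519 section 4.1.3); an unexpected shape or a non-matching array fails closed.
func audienceMatches(claims map[string]any, want string, required bool) bool {
	var auds []any
	switch v := claims["aud"].(type) {
	case nil:
	case string:
		auds = []any{v}
	case []any:
		auds = v
	default:
		return false
	}
	if len(auds) == 0 {
		return !required
	}
	for _, a := range auds {
		if s, ok := a.(string); ok && s == want {
			return true
		}
	}
	return false
}

func main() {
	// Constructed token: validly signed, but aud is an array naming other services.
	tok := signHS256(map[string]any{"sub": "alice", "aud": []any{"billing", "admin"}}, demoKey)
	claims, err := parseAndVerify(tok, demoKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("buggy aud check accepts:", audienceMatchesBuggy(claims, "demo-secure", false))
	fmt.Println("fixed aud check accepts:", audienceMatches(claims, "demo-secure", false))
}
```

`go run` prints `true` for the buggy check and `false` for the fixed one on the same validly signed token, which is the whole bypass: the signature is fine, only the audience logic fails open. With `golang-jwt/jwt/v5` the equivalent hardening is to hand `jwt.Parse` the parser options `jwt.WithValidMethods([]string{"HS256"})` and `jwt.WithAudience("demo-secure")` rather than re-implementing either check by hand.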