# demo-secure

Minimal Go HTTP service used by the RHADS supply-chain demo.

## The deliberate CVE

`go.mod` pins `github.com/dgrijalva/jwt-go v3.2.0+incompatible`, which has a documented vulnerability (CVE-2020-26160 — alg=none not rejected). The `/verify` handler actually calls into this library, so SBOM scanners pick the dependency up as in-use and RHTPA flags it.

## Fixing the CVE (the "patch" act)

1. `go get github.com/golang-jwt/jwt/v5`
2. `go mod tidy`
3. Update the import in `main.go` from `github.com/dgrijalva/jwt-go` to `github.com/golang-jwt/jwt/v5`
4. Commit and push — the Tekton pipeline rebuilds, re-signs, ArgoCD redeploys, and the RHTPA dashboard flips from red to green.
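What the patched `/verify` handler must get from its JWT library, shown as an added standard-library illustration (this is not the demo's `main.go` and not the golang-jwt API): an algorithm allow-list so that `alg=none` is refused before any signature work, and constant-time HMAC-SHA256 verification before any claim is trusted. The key, claims and fixture tokens are constructed for the example; in the real service the library performs this check.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding
// VerifyHS256 is the check the patched /verify handler relies on its JWT library for:
// allow-list the algorithm (the token never chooses how it is verified, so alg=none is
// refused), verify the HMAC-SHA256 signature in constant time, only then decode claims.
func VerifyHS256(token string, key []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3) // decoded header, claims, signature
	var err error
	for i, p := range parts {
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, err
		}
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unreadable header or unexpected alg")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(raw[2], mac.Sum(nil)) {
		return nil, errors.New("invalid signature")
	}
	var claims map[string]any
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// MintHS256 builds constructed fixture tokens from raw header and claims JSON (test use).
func MintHS256(headerJSON, claimsJSON string, key []byte) string {
	input := b64.EncodeToString([]byte(headerJSON)) + "." + b64.EncodeToString([]byte(claimsJSON))
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}
```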

## Endpoints

- `GET /` — landing page
- `GET /version` — JSON with Go version + dep list (proves which JWT lib is shipped)
- `GET /healthz` — liveness probe target
- `POST /verify` — send `Authorization: Bearer <jwt>`; returns the claims if the token is valid