27 lines
952 B
Markdown
27 lines
952 B
Markdown
# demo-secure
|
|
|
|
Minimal Go HTTP service used by the RHADS supply-chain demo.
|
|
|
|
## The deliberate CVE
|
|
|
|
`go.mod` pins `github.com/dgrijalva/jwt-go v3.2.0+incompatible`, which has a
|
|
documented vulnerability (CVE-2020-26160 — `alg=none` not rejected). The
|
|
`/verify` handler actually calls into this library, so SBOM scanners pick the
|
|
dependency up as in-use and RHTPA flags it.
|
|
|
|
## Fixing the CVE (the "patch" act)
|
|
|
|
1. `go get github.com/golang-jwt/jwt/v5`
|
|
2. `go mod tidy`
|
|
3. Update the import in `main.go` from `github.com/dgrijalva/jwt-go` to
|
|
`github.com/golang-jwt/jwt/v5`
|
|
4. Commit and push — the Tekton pipeline rebuilds, re-signs, ArgoCD redeploys,
|
|
RHTPA dashboard flips from red to green.
|
|
|
|
## Endpoints
|
|
|
|
- `GET /` — landing page
|
|
- `GET /version` — JSON with Go version + dep list (proves which JWT lib is shipped)
|
|
- `GET /healthz` — liveness probe target
|
|
- `POST /verify` — `Authorization: Bearer <jwt>` → returns claims if valid
|