Latest commit: e8d5e075a5 by gitea-admin, "Patched CVE" (body: "Patched demo CVE"), 2026-05-20 17:03:42 +00:00

Files:
  • .gitignore: Initial import of demo-secure (2026-05-20 06:10:29 +00:00)
  • catalog-info.yaml: Initial import of demo-secure (2026-05-20 06:10:29 +00:00)
  • Dockerfile: Disable VCS stamping (2026-05-20 04:22:29 -04:00)
  • go.mod: Initial import of demo-secure (2026-05-20 06:10:29 +00:00)
  • go.sum: Initial import of demo-secure (2026-05-20 06:10:29 +00:00)
  • main.go: Patched CVE (2026-05-20 17:03:42 +00:00)
  • README.md: Update README.md (2026-05-20 07:05:24 +00:00)

demo-secure

Minimal Go HTTP service used by the RHADS supply-chain demo.

Demo CVE

go.mod pins github.com/dgrijalva/jwt-go v3.2.0+incompatible, which has a documented vulnerability (CVE-2020-26160 — alg=none not rejected). The /verify handler actually calls into this library, so SBOM scanners pick the dependency up as in-use and RHTPA flags it.

Fixing the CVE

  1. go get github.com/golang-jwt/jwt/v5
  2. go mod tidy
  3. Update the import in main.go from github.com/dgrijalva/jwt-go to github.com/golang-jwt/jwt/v5
  4. Commit and push — the Tekton pipeline rebuilds, re-signs, ArgoCD redeploys, RHTPA dashboard flips from red to green.

Endpoints

  • GET / — landing page
  • GET /version — JSON with Go version + dep list (proves which JWT lib is shipped)
  • GET /healthz — liveness probe target
  • POST /verify — Authorization: Bearer <jwt> → returns claims if valid
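The property the Demo CVE section and the /verify endpoint hinge on is that a verifier must decide which algorithm it will accept before it looks at the signature, so a token whose header names some other alg (including "none") is refused outright. As an added example that is not the repository's main.go (which goes through a JWT library rather than hand-rolling this), here is a stdlib-only Go sketch of a /verify handler with that check. The Claims type, the helper names (verifyHS256, signHS256, verifyHandler), the HS256 choice and the "constructed-demo-hmac-key" value are assumptions of this example; how the real service loads its key is not shown on the page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"net/http"
	"strings"
)

// Claims is the decoded JWT payload that /verify returns (assumed shape).
type Claims map[string]any

// ErrBadToken is the only error callers see; wrapped detail is for logs.
var ErrBadToken = errors.New("invalid token")

// verifyHS256 parses a compact JWS and returns its claims only if the header
// names exactly the algorithm this service signs with (HS256) and the HMAC
// over "header.payload" matches under key. The alg check runs first, so a
// header saying "none" or any other alg is refused before the signature is
// even decoded.
func verifyHS256(token string, key []byte) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("%w: expected 3 segments, got %d", ErrBadToken, len(parts))
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("%w: bad header encoding", ErrBadToken)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, fmt.Errorf("%w: bad header json", ErrBadToken)
	}
	if hdr.Alg != "HS256" { // allowlist, not a denylist of "none"
		return nil, fmt.Errorf("%w: unexpected alg %q", ErrBadToken, hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("%w: bad signature encoding", ErrBadToken)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) { // constant-time comparison
		return nil, fmt.Errorf("%w: signature mismatch", ErrBadToken)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("%w: bad payload encoding", ErrBadToken)
	}
	var claims Claims
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("%w: bad payload json", ErrBadToken)
	}
	return claims, nil
}

// signHS256 mints an HS256 token so the handler can be exercised locally;
// the demo service itself only verifies.
func signHS256(claims Claims, key []byte) (string, error) {
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding.EncodeToString
	signingInput := enc([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc(mac.Sum(nil)), nil
}

// verifyHandler follows the README's POST /verify contract:
// "Authorization: Bearer <jwt>" in, claims as JSON out, 401 otherwise.
func verifyHandler(key []byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		const prefix = "Bearer "
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, prefix) {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		claims, err := verifyHS256(strings.TrimSpace(strings.TrimPrefix(auth, prefix)), key)
		if err != nil {
			log.Printf("verify: %v", err) // reason stays server-side
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(claims)
	})
}

func main() {
	key := []byte("constructed-demo-hmac-key") // constructed; load from a secret in practice
	http.Handle("/verify", verifyHandler(key))
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```

To try it, run the program, mint a token with signHS256 under the same key, and POST to /verify with it in the Authorization header; a token whose header alg is anything but HS256, or whose signature was made with a different key, comes back 401 with the detail only in the server log. Whatever library main.go ends up using after the migration steps above, the key function it registers should pin the expected signing method the same way rather than trusting whatever the token header declares.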