Fix code style

Using Go 1.20 or 1.21, run:

find . -name '*.go' -exec gofmt -s -w {} \;

This should update the formatting so it is compliant.

Enable copyright checking in the action

In .github.workflows/ci.yml remove the line style-skip: true.

Copyright header update

Replace the full apache header at the top of each file with this:

// SPDX-FileCopyrightText: {{DATE}} Comcast Cable Communications Management, LLC
// SPDX-License-Identifier: Apache-2.0

Replacing {{DATE}} with the copyright date in the file.

For all go files that are not generated and are missing this header add it.

Reuse preparation

Install: reuse

Create a directory named .reuse.

Add the file .reuse/deb5 with contents based on this:

Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: {{REPO}}
Upstream-Contact: {{MAINTAINER}}
Source: https://github.com/xmidt-org/{{REPO}}

Files: .golangci.yml
Copyright: SPDX-FileCopyrightText: 2023 Comcast Cable Communications Management, LLC
License: Apache-2.0

Files: go.mod
Copyright: SPDX-FileCopyrightText: 2023 Comcast Cable Communications Management, LLC
License: Apache-2.0

Files: go.sum
Copyright: SPDX-FileCopyrightText: 2023 Comcast Cable Communications Management, LLC
License: Apache-2.0

Files: .gitignore
Copyright: SPDX-FileCopyrightText: 2023 Comcast Cable Communications Management, LLC
License: Apache-2.0

Files: MAINTAINERS.md
Copyright: SPDX-FileCopyrightText: 2023 Comcast Cable Communications Management, LLC
License: Apache-2.0

Files: README.md
Copyright: SPDX-FileCopyrightText: 2023 Comcast Cable Communications Management, LLC
License: Apache-2.0

Files: .whitesource
Copyright: SPDX-FileCopyrightText: 2023 Comcast Cable Communications Management, LLC
License: Apache-2.0

You may need to add/change files that cannot have copyright headers later.

Installing licenses

Run:

reuse download Apache-2.0

Checking the repo is compliant

Run:

reuse lint

you should see something similar to this:

# SUMMARY

* Bad licenses:
* Deprecated licenses:
* Licenses without file extension:
* Missing licenses:
* Unused licenses:
* Used licenses: Apache-2.0
* Read errors: 0
* Files with copyright information: 14 / 14
* Files with license information: 14 / 14

Congratulations! Your project is compliant with version 3.0 of the REUSE Specification :-)

If not, fix the issues.

Enable copyright checking in the action

In .github.workflows/ci.yml remove the line copyright-skip: true.

The example script may not be up to date to the latest kratos changes: https://github.com/xmidt-org/kratos/tree/master/example

The latest code was thoroughly tested through an internal tool that uses kratos. We should still update the existing unit tests to account for the latest kratos change.

This ticket will outline a general todo list for the removal of webpa-common

TODO

• Review usage & outline replacements

badges missing:

• maintainability
• code climate
• license
• release

should match this README:
https://github.com/xmidt-org/svalinn

should reflect go mod instructions and summarize kratos

Also have to change references to the branch in .travis.yml, README, and CONTRIBUTING. Double check any other markdown files as well - sometimes links have the branch name in them.

Fix linting errors and enable checking all the time.

If possible, fix all the lint errors or mark them as "accepted".

Enable lint checking in the action

In .github.workflows/ci.yml remove the line lint-skip: true.

https://github.com/Comcast/kratos/blob/master/kratos.go#L81

Based on what Talaria is sending/expecting I think this should be BinaryMessage, right?

CVE-2022-28948 - Medium Severity Vulnerability

Vulnerable Library - github.com/go-yaml/yaml-v2.4.0

YAML support for the Go language.

Dependency Hierarchy:

• github.com/xmidt-org/webpa-common/semaphore-v1.11.5 (Root Library)
  • github.com/xmidt-org/webpa-common/xmetrics-v1.11.5
    • github.com/xmidt-org/webpa-common/logging-v1.11.5
      • github.com/spf13/viper-v1.8.0
        • ❌ github.com/go-yaml/yaml-v2.4.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.

Publish Date: 2022-05-19

URL: CVE-2022-28948

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fm53-mpmp-7qw2

Release Date: 2022-05-19

Fix Resolution: v3.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-32149 - High Severity Vulnerability

Vulnerable Library - golang.org/x/text-v0.3.7

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.7.zip

Dependency Hierarchy:

• github.com/xmidt-org/webpa-common-v1.11.9 (Root Library)
  • github.com/spf13/viper-v1.12.0
    • github.com/spf13/afero-v1.9.2
      • ❌ golang.org/x/text-v0.3.7 (Vulnerable Library)

Found in HEAD commit: 8473a7279e4feb0898f00484902debe7808b6ad2

Found in base branch: main

Vulnerability Details

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

Publish Date: 2022-10-14

URL: CVE-2022-32149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-32149

Release Date: 2022-10-14

Fix Resolution: v0.3.8

Step up your Open Source Security Game with Mend here