fleet/third_party/vuln-check
Lucas Manuel Rodriguez 682202444c
Update go to 1.26.2 and update tooling to update it (#43771)
Golang 1.26.2 has been released. It fixes some CVEs:
https://github.com/golang/go/issues?q=milestone%3AGo1.26.2+label%3ACherryPickApproved

## Summary by CodeRabbit

* **Chores**
  * Updated Go toolchain to 1.26.2 across the repository and build configs.
  * Updated Docker build images to use Go 1.26.2.
  * Expanded the set of tracked modules for the Go version update so additional module files are included in automated updates.
2026-04-20 13:40:57 -03:00
go.mod Update go to 1.26.2 and update tooling to update it (#43771) 2026-04-20 13:40:57 -03:00
package.json Added inlined dependencies vulnerability scanning (#38729) 2026-01-26 11:24:46 -06:00
README.md remove old Windows MDM PoC tool (#39473) 2026-02-06 13:55:16 -05:00

Vulnerability scanning for inlined dependencies

This directory contains manifest files (go.mod, package.json) that list the third-party dependencies that have been copied/inlined into Fleet's codebase.

Purpose

Fleet has several dependencies that were copied directly into the repository rather than imported via Go modules or npm. These inlined dependencies are not automatically scanned by vulnerability detection tools like GitHub Dependabot because they don't appear in the main go.mod or package.json.

This directory solves that problem by creating "dummy" manifest files that list these dependencies at their copied versions. This allows:

  • GitHub Dependabot to detect vulnerabilities and create alerts
  • osv-scanner to scan for Go and npm vulnerabilities
  • npm audit to scan for JavaScript vulnerabilities
  • Other security scanning tools to identify issues

Important notes

  1. This code is NOT compiled into Fleet - These manifest files exist solely for vulnerability scanning
  2. Keep versions in sync - When updating an inlined dependency, update the version here to match
  3. No Go code here - Do not add any .go files to this directory
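The dummy manifests only do their job while the pinned versions match what was actually copied into the tree (note 2 above). The script below is an added example and is not part of the vuln-check directory or of Fleet's own tooling: it parses a go.mod `require` block and a package.json `dependencies` map, both constructed inline here for the example, and reports every tracked dependency whose manifest version is missing or differs from the expected table (a subset of the README's table; the module path `example.com/vuln-check` is hypothetical). Run it in CI against the real files to catch drift after an inlined dependency is updated.

```python
"""Drift check for dummy vulnerability-scanning manifests (added example).

Parses a go.mod require block and a package.json dependencies map, then
compares the pinned versions with the versions the README says are inlined.
"""
import json
import re

# Constructed sample manifests for this example (not the repository's files).
# The module path is a hypothetical placeholder.
SAMPLE_GO_MOD = """module example.com/vuln-check

go 1.26.2

require (
\tgithub.com/micromdm/nanomdm v0.9.0
\tgithub.com/micromdm/nanodep v0.4.0
\tgithub.com/pressly/goose/v3 v3.17.0 // indirect
\tgithub.com/sassoftware/relic v7.2.1+incompatible
)
"""

SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "vuln-check",
    "private": True,
    "dependencies": {"node-sql-parser": "5.3.13"},
})

# Versions the README table lists as inlined (constructed subset for the example).
TRACKED = {
    "github.com/micromdm/nanomdm": "v0.9.0",
    "github.com/micromdm/nanodep": "v0.4.0",
    "github.com/pressly/goose/v3": "v3.17.0",
    "github.com/sassoftware/relic": "v7.2.1+incompatible",
    "node-sql-parser": "5.3.13",
}

# A require entry is "<module path> <version>", optionally followed by a comment.
REQUIRE_LINE = re.compile(r"^\s*(\S+)\s+(v\S+)")


def parse_go_mod(text):
    """Return {module path: version} from single-line and block `require` directives."""
    deps = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop trailing comments such as `// indirect`
        if not line:
            continue
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if line.startswith("require "):
            line = line[len("require "):]  # single-line form: require x v1.2.3
        elif not in_block:
            continue  # module, go, replace, exclude ... are not dependencies
        m = REQUIRE_LINE.match(line)
        if m:
            deps[m.group(1)] = m.group(2)
    return deps


def parse_package_json(text):
    """Return {package: version} from dependencies and devDependencies."""
    data = json.loads(text)
    deps = {}
    for key in ("dependencies", "devDependencies"):
        deps.update(data.get(key, {}))
    return deps


def check_drift(tracked, manifest):
    """Return sorted (name, expected, actual) tuples; actual is None when missing."""
    problems = []
    for name, expected in tracked.items():
        actual = manifest.get(name)
        if actual != expected:
            problems.append((name, expected, actual))
    return sorted(problems)


def run(go_mod_text=SAMPLE_GO_MOD, package_json_text=SAMPLE_PACKAGE_JSON, tracked=TRACKED):
    """Combine both manifests and report every tracked entry that is out of sync."""
    manifest = {}
    manifest.update(parse_go_mod(go_mod_text))
    manifest.update(parse_package_json(package_json_text))
    return check_drift(tracked, manifest)


if __name__ == "__main__":
    for name, expected, actual in run():
        print(f"OUT OF SYNC: {name}: README lists {expected}, manifest has {actual}")
```

An empty result means every tracked entry is pinned at the expected version; a non-empty result is the list a reviewer would want to see in the pull request that bumped the inlined copy.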

Tracked dependencies

Go dependencies (go.mod)

| Dependency | Fleet location | Version |
|---|---|---|
| micromdm/nanomdm | server/mdm/nanomdm/ | v0.9.0 |
| micromdm/nanodep | server/mdm/nanodep/ | v0.4.0 |
| micromdm/scep/v2 | server/mdm/scep/ | v2.3.0 |
| pressly/goose/v3 | server/goose/ | v3.17.0 |
| facebookincubator/nvdtools | server/vulnerabilities/nvd/tools/ | v0.1.5 |
| virtuald/go-paniclog | orbit/pkg/go-paniclog/ | v0.0.0-20190812204905-43a7fa316459 |
| josharian/impl | server/mock/mockimpl/ | v1.4.0 |
| mitchellh/gon | orbit/pkg/packaging/macos_notarize.go | v0.2.3 |
| sassoftware/relic | pkg/file/xar.go | v7.2.1+incompatible |

npm dependencies (package.json)

| Dependency | Fleet location | Version |
|---|---|---|
| node-sql-parser | frontend/utilities/node-sql-parser/ | 5.3.13 |

Running vulnerability scans locally

Go and npm vulnerabilities

Since this directory contains no Go source files (by design), source-based tools like govulncheck ./... won't work. Use tools that scan go.mod directly:

Using osv-scanner (recommended):

```shell
go install github.com/google/osv-scanner/cmd/osv-scanner@latest
cd third_party/vuln-check
# To include npm dependencies in the scan, first generate a lock file:
npm i --package-lock-only
osv-scanner scan .
```