temporalio / samples-go Goto Github PK
View Code? Open in Web Editor NEWTemporal Go SDK samples
Home Page: https://docs.temporal.io/docs/go
License: Other
samples-go's Issues
retryactivity restarts from first heartbeat instead of last
[Bug] Trying to run a cron schedule to fetch some data from database
What are you really trying to do?
I am just trying to run the cron workflow in GoLang by following the steps mentioned in the Readme.md.
Describe the bug
In worker, main.go when I am trying to register activity as cron.DoSomething , the error is that DoSomething is not declared by package cron.
Environment/Versions
- OS and processor: Windows
- Temporal Version: SDK version
- Are you using Docker or Kubernetes or building Temporal from source?
- Using temporal on docker compose
Remove go.temporal.io/server as a dependency
Describe the solution you'd like
Everywhere it's used, go.temporal.io/server should be able to be replaced, and where it can't be replaced, we should consider making a separate go.mod in that sample. It's a large, moving dependency and an SDK sample demonstrating that a user needs the server as a library indicates a more fundamental problem we should address.
[Bug] Test environment doesn't implement client.Client.
Describe the bug
In the mutex tests *internal.TestWorkflowEnvironment doesn't satisfy the client.Client interface and if SignalWithStartMutexWorkflowActivity was called instead of mocked it will panic with panic: interface conversion: *internal.TestWorkflowEnvironment is not client.Client: missing method CancelWorkflow.
I don't see a way to get a client.Client from the test workflow environment so the actual activity can be called but the code in the tests is written like the test environment should satisfy the interface.
s.env is passed in here:
https://github.com/temporalio/samples-go/blob/master/mutex/mutex_workflow_test.go#L30
And cast to client.Client here:
https://github.com/temporalio/samples-go/blob/master/mutex/mutex_workflow.go#L138
Perhaps this is why only the mock is called instead of the real activity to avoid the panic?
To Reproduce
I was attempting to write a unit test that uses the actual lock and mutex workflow code rather than the mocking the activity but I need some way to get a client.Client pointer from the test environment. For example writing a unit test for the sample workflow which calls the real mutex and activity code.
Expected behavior
Have the TestWorkflowEnvironment satisfy the client.Client interface or provide a way to fetch a pointer that does satisfy the interface when writing test suites or update the mutex test to explain why the actual activity can't be called.
Versions
- go.temporal.io/sdk v1.11.0
- go 1.17
Additional context
I wasn't sure if I should report this as a test bug or an SDK bug. Possibly both? Temporal is awesome BTW.
[Feature Request] Add sample for client TLS config
I was not able to find a sample on how to set up client options with TSL enabled.
Does not have to be running, could be just a config example that users can cut/paste, similar to what we have in java samples: https://github.com/temporalio/samples-java/blob/main/src/main/java/io/temporal/samples/ssl/SslEnabledWorker.java
Related user forum thread: https://community.temporal.io/t/help-how-to-create-a-client-with-tls/4287
Nightly CI against server and SDK `master`
In order to catch SDK-server incompatibilities ASAP, we should test integration of the latest version of these components.
Update sample should early exit if update is not enabled and provide instruction to enable.
samples-go/update/starter/main.go
Line 41 in b566001
this confused me as I thought update has gone through but it didn’t. Because update feature wasn’t enabled
I don’t think there is any value to omit the errors
Add test for NonRetryableErrors
As of today there are no integration level tests for NewNonRetryableApplicationError. This is a problem because we reference the feature in our docs and its a bit hard to find any info on it. '
We do have a test which specifies non-retryable errors: https://github.com/temporalio/sdk-go/blob/06e1ca56f3a286e072a048576b5e372ea0a497d6/internal/internal_workflow_testsuite_test.go#L2456
But seems to do so incorrectly:
Add sample for auth token
Show how to add auth tokens via header providers and/or gRPC dial options
[Feature Request] Add schedules example
Is your feature request related to a problem? Please describe.
Add examples showing how to use the new schedules feature
Remove illegal call to non-deterministic uuid library
Right now we call this uuid library directly in a workflow. We should do this in a side effect.
Line 68 in 14980b3
Add description to repo
Need someone with admin access to update the repo description.
Add workflow tests for synchronous-proxy
There are no samples that can demonstrate how to write tests when using the synchronous-proxy pattern.
go.temporal.io/sdk/contrib/tools/workflowcheck-v0.0.0-20220909152124-c1ce1d25238b: 3 vulnerabilities (highest severity is: 6.1) - autoclosed
Vulnerable Library - go.temporal.io/sdk/contrib/tools/workflowcheck-v0.0.0-20220909152124-c1ce1d25238b
Found in HEAD commit: d54b5f7bd51ab2c52ba1eb744b6f87ab9bc5596f
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (go.temporal.io/sdk/contrib/tools/workflowcheck-v0.0.0 version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2020-11022 |  Medium |
6.1 | golang.org/x/tools-v0.1.12 | Transitive | N/A* | ❌ |
| CVE-2015-9251 | Medium |
6.1 | golang.org/x/tools-v0.1.12 | Transitive | N/A* | ❌ |
| CVE-2012-6708 | Medium |
6.1 | golang.org/x/tools-v0.1.12 | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2020-11022
Vulnerable Library - golang.org/x/tools-v0.1.12
Library home page: https://proxy.golang.org/golang.org/x/tools/@v/v0.1.12.zip
Dependency Hierarchy:
- go.temporal.io/sdk/contrib/tools/workflowcheck-v0.0.0-20220909152124-c1ce1d25238b (Root Library)
- ❌ golang.org/x/tools-v0.1.12 (Vulnerable Library)
Found in HEAD commit: d54b5f7bd51ab2c52ba1eb744b6f87ab9bc5596f
Found in base branch: main
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
CVE-2015-9251
Vulnerable Library - golang.org/x/tools-v0.1.12
Library home page: https://proxy.golang.org/golang.org/x/tools/@v/v0.1.12.zip
Dependency Hierarchy:
- go.temporal.io/sdk/contrib/tools/workflowcheck-v0.0.0-20220909152124-c1ce1d25238b (Root Library)
- ❌ golang.org/x/tools-v0.1.12 (Vulnerable Library)
Found in HEAD commit: d54b5f7bd51ab2c52ba1eb744b6f87ab9bc5596f
Found in base branch: main
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
CVE-2012-6708
Vulnerable Library - golang.org/x/tools-v0.1.12
Library home page: https://proxy.golang.org/golang.org/x/tools/@v/v0.1.12.zip
Dependency Hierarchy:
- go.temporal.io/sdk/contrib/tools/workflowcheck-v0.0.0-20220909152124-c1ce1d25238b (Root Library)
- ❌ golang.org/x/tools-v0.1.12 (Vulnerable Library)
Found in HEAD commit: d54b5f7bd51ab2c52ba1eb744b6f87ab9bc5596f
Found in base branch: main
Vulnerability Details
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
github.com/go-yaml/yaml-496545a6307b2a7d7a710fd516e5e16e8ab62dbc: 1 vulnerabilities (highest severity is: 7.5) - autoclosed
Vulnerable Library - github.com/go-yaml/yaml-496545a6307b2a7d7a710fd516e5e16e8ab62dbc
YAML support for the Go language.
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-28948 |  High |
7.5 | github.com/go-yaml/yaml-496545a6307b2a7d7a710fd516e5e16e8ab62dbc | Direct | 3.0.0 | ❌ |
Details
CVE-2022-28948
Vulnerable Library - github.com/go-yaml/yaml-496545a6307b2a7d7a710fd516e5e16e8ab62dbc
YAML support for the Go language.
Dependency Hierarchy:
- ❌ github.com/go-yaml/yaml-496545a6307b2a7d7a710fd516e5e16e8ab62dbc (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.
Publish Date: 2022-05-19
URL: CVE-2022-28948
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-hp87-p4gw-j4gq
Release Date: 2022-05-19
Fix Resolution: 3.0.0
Change expense sample to use signal/cancel
Currently expense sample uses async activity. Per @mfateev, change to use signal/cancel instead.
Add TestActivityEnvironment sample
Is your feature request related to a problem? Please describe.
No example showing suite.NewTestActivityEnvironment
Describe the solution you'd like
Take any existing example and add an activity test to it
Add sample named "signals"
Non-critical UX improvement:
I find myself often looking for a quick example that uses signals. Since there is no sample named signals, I have to click around to find one that uses it.
Rewrite all samples using structs for activities
Activities can be implemented in a few different ways. The most robust and useful way is to implement them as structs (See temporalio/sdk-go#4). Samples still use legacy way and implement activities as single funcs.
All samples should be rewritten with structs.
go.temporal.io/sdk/contrib/tools/workflowcheck-v0.0.0-20230413153418-eaa3802876de: 3 vulnerabilities (highest severity is: 6.1) - autoclosed
Vulnerable Library - go.temporal.io/sdk/contrib/tools/workflowcheck-v0.0.0-20230413153418-eaa3802876de
Found in HEAD commit: b566001c1eb2f914a4ebb092aea4defaedb393cb
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (go.temporal.io/sdk/contrib/tools/workflowcheck-v0.0.0 version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2020-11022 |  Medium |
6.1 | golang.org/x/tools-v0.7.0 | Transitive | N/A* | ❌ |
| CVE-2015-9251 | Medium |
6.1 | golang.org/x/tools-v0.7.0 | Transitive | N/A* | ❌ |
| CVE-2012-6708 | Medium |
6.1 | golang.org/x/tools-v0.7.0 | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2020-11022
Vulnerable Library - golang.org/x/tools-v0.7.0
Library home page: https://proxy.golang.org/golang.org/x/tools/@v/v0.7.0.zip
Dependency Hierarchy:
- go.temporal.io/sdk/contrib/tools/workflowcheck-v0.0.0-20230413153418-eaa3802876de (Root Library)
- ❌ golang.org/x/tools-v0.7.0 (Vulnerable Library)
Found in HEAD commit: b566001c1eb2f914a4ebb092aea4defaedb393cb
Found in base branch: main
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
CVE-2015-9251
Vulnerable Library - golang.org/x/tools-v0.7.0
Library home page: https://proxy.golang.org/golang.org/x/tools/@v/v0.7.0.zip
Dependency Hierarchy:
- go.temporal.io/sdk/contrib/tools/workflowcheck-v0.0.0-20230413153418-eaa3802876de (Root Library)
- ❌ golang.org/x/tools-v0.7.0 (Vulnerable Library)
Found in HEAD commit: b566001c1eb2f914a4ebb092aea4defaedb393cb
Found in base branch: main
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
CVE-2012-6708
Vulnerable Library - golang.org/x/tools-v0.7.0
Library home page: https://proxy.golang.org/golang.org/x/tools/@v/v0.7.0.zip
Dependency Hierarchy:
- go.temporal.io/sdk/contrib/tools/workflowcheck-v0.0.0-20230413153418-eaa3802876de (Root Library)
- ❌ golang.org/x/tools-v0.7.0 (Vulnerable Library)
Found in HEAD commit: b566001c1eb2f914a4ebb092aea4defaedb393cb
Found in base branch: main
Vulnerability Details
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
Add sample for continue-as-new with signals
Need to demonstrate how to drain signals before running continue as new
[Feature Request] Add a sample with opentelemetry tracing
It would be awesome to have an example of using opentelemetry tracing with the go sdk.
Thank you!
Remove cryptconverter sample and migrate encrypted-payloads sample
Is your feature request related to a problem? Please describe.
cryptconverter is outdated and encrypted-payloads is a full data converter instead of payload encoder.
Describe the solution you'd like
Remove cryptconverter sample and migrate encrypted-payloads sample to a payload encoder
worker panic during cancelactivity sample
(copying template from sdk-go)
Expected Behavior
I expected the workflow to cancel without error.
Actual Behavior
The worker outputs this panic to its log:
2020/11/27 16:45:15 ERROR ProcessEvent panic. Namespace default TaskQueue cancel-activity WorkerID [email protected]@ WorkflowType Workflow WorkflowID workflowID-to-cancel RunID 8ac27f54-2837-4ed9-95bf-6a316b84b58a PanicError unknown command CommandType: Activity, ID: 16, possible causes are nondeterministic workflow definition code or incompatible change in the workflow definition PanicStack process event for cancel-activity [panic]:
go.temporal.io/sdk/internal.panicIllegalState(...)
/Users/alfred/src/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_decision_state_machine.go:354
go.temporal.io/sdk/internal.(*commandsHelper).getCommand(0xc0004005c0, 0xc000000000, 0xc000038110, 0x2, 0x1842c91, 0x10)
/Users/alfred/src/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_decision_state_machine.go:742 +0x265
go.temporal.io/sdk/internal.(*commandsHelper).handleActivityTaskClosed(0xc0004005c0, 0xc000038110, 0x2, 0x10, 0x10, 0x10697bb)
/Users/alfred/src/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_decision_state_machine.go:780 +0x4b
go.temporal.io/sdk/internal.(*workflowExecutionEventHandlerImpl).handleActivityTaskCompleted(0xc00040aa80, 0xc000187280, 0xc0004902f0, 0x2)
/Users/alfred/src/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_event_handlers.go:968 +0x78
go.temporal.io/sdk/internal.(*workflowExecutionEventHandlerImpl).ProcessEvent(0xc00040aa80, 0xc000187280, 0x3bc4e0000, 0x0, 0x0)
/Users/alfred/src/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_event_handlers.go:811 +0x4a5
go.temporal.io/sdk/internal.(*workflowExecutionContextImpl).ProcessWorkflowTask(0xc00043a2d0, 0xc000614210, 0x2032f80, 0xc0003ac5b0, 0xc00043a2d0, 0x0)
/Users/alfred/src/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_handlers.go:888 +0xc1c
go.temporal.io/sdk/internal.(*workflowTaskHandlerImpl).ProcessWorkflowTask(0xc000167600, 0xc000614210, 0xc0000a34d0, 0x0, 0x0, 0x0, 0x0)
/Users/alfred/src/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_handlers.go:778 +0x4b6
go.temporal.io/sdk/internal.(*workflowTaskPoller).processWorkflowTask(0xc0001a7860, 0xc000614210, 0x0, 0x0)
/Users/alfred/src/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_pollers.go:286 +0x464
go.temporal.io/sdk/internal.(*workflowTaskPoller).ProcessTask(0xc0001a7860, 0x18deb40, 0xc000614210, 0x1b32720, 0xc000046780)
/Users/alfred/src/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_pollers.go:259 +0x85
go.temporal.io/sdk/internal.(*baseWorker).processTask(0xc0003c8000, 0x18de740, 0xc0001f2930)
/Users/alfred/src/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_worker_base.go:343 +0xba
created by go.temporal.io/sdk/internal.(*baseWorker).runTaskDispatcher
/Users/alfred/src/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_worker_base.go:270 +0xff
Steps to Reproduce the Problem
- Install the docker-compose setup using current release, which uses
temporalio/auto-setup:1.3.2. - Clone the samples-go repo at current master (commit 7e1d52d )
- Follow instructions for cancelactivity sample:
go run cancelactivity/worker/main.go,go run cancelactivity/starter/main.go,go run cancelactivity/cancel/main.go -wid workflowID-to-cancel.
Specifications
I'm using MacOS (Big Sur), docker-compose version 1.27.4.
Setup buildkite integration
Samples have few static checks and unit tests. We should run all of them to validate build the same way as we do for other repos. Just simple make call will be good enough.
Not sure if we want to setup coverage also.
[Doc] Explain why goroutine sample is threadsafe
What are you really trying to do?
I'm learning how to use workflow.Go.
Reading the goroutine sample code I thought there was a race condition, as multiple concurrent goroutines are calling append on the same slice in the outer scope.
See: https://github.com/temporalio/samples-go/blob/main/goroutine/goroutine_workflow.go
i.e.
var results []string
...
workflow.Go(ctx, func(gCtx workflow.Context) {
...
results = append(results, result2)
})
It turns out that this isn't a race condition, as workflow.Go is different than a goroutine, so it's probably worth explaining this difference in the sample.
Decoding fails when there is no cryptconverter.PropagateKey in the cryptconverter sample
I want to be able to selectively decide if my workflow is to have its payloads encrypted. I am using the following sample project as a starter to prove I can do it.
samples-go/cryptconverter at master · temporalio/samples-go (github.com)
The following code is where I am focusing in on.
ctx := context.Background()
//ctx = context.WithValue(ctx, cryptconverter.PropagateKey, cryptconverter.CryptContext{KeyId: "test"})
// The workflow input "My Secret Friend" will be encrypted by the DataConverter before being sent to Temporal
we, err := c.ExecuteWorkflow(
ctx,
workflowOptions,
cryptconverter.Workflow,
"My Secret Friend",
)It should be easy as not putting in the the following;
ctx = context.WithValue(ctx, cryptconverter.PropagateKey, cryptconverter.CryptContext{KeyId: "test"})The code in the sample does account for it not being there but I am running into a json.Unmarshal error when I remove it.
{
"message": "unable to decode the workflow function input payload with error: args[0]: unable to decode: json: cannot unmarshal array into Go value of type string, function name: Workflow",
"source": "GoSDK",
"stackTrace": "",
"cause": {
"message": "args[0]: unable to decode: json: cannot unmarshal array into Go value of type string",
"source": "GoSDK",
"stackTrace": "",
"cause": {
"message": "unable to decode: json: cannot unmarshal array into Go value of type string",
"source": "GoSDK",
"stackTrace": "",
"cause": {
"message": "unable to decode",
"source": "GoSDK",
"stackTrace": "",
"cause": null,
"applicationFailureInfo": {
"type": "",
"nonRetryable": false,
"details": null
},
"failureInfo": "applicationFailureInfo"
},
"applicationFailureInfo": {
"type": "wrapError",
"nonRetryable": false,
"details": null
},
"failureInfo": "applicationFailureInfo"
},
"applicationFailureInfo": {
"type": "wrapError",
"nonRetryable": false,
"details": null
},
"failureInfo": "applicationFailureInfo"
},
"applicationFailureInfo": {
"type": "wrapError",
"nonRetryable": false,
"details": null
},
"failureInfo": "applicationFailureInfo"
}
In summary, I simply commented out the line that puts the cryptconverter.PropagateKey into the ExecuteWorkflow context.
github.com/temporalio/sdk-go/contrib/tools/workflowcheck-b06c84ab2608fae617fe4d6d128d1018c828ae13: 3 vulnerabilities (highest severity is: 6.1) - autoclosed
Vulnerable Library - github.com/temporalio/sdk-go/contrib/tools/workflowcheck-b06c84ab2608fae617fe4d6d128d1018c828ae13
Found in HEAD commit: f334c489674c9ad224a791ced3eeec047e64e4ce
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (github.com/temporalio/sdk-go/contrib/tools/workflowcheck-b06c84ab2608fae617fe4d6d128d1018c828ae13 version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2020-11022 | Medium |
6.1 | golang.org/x/tools-v0.1.12 | Transitive | N/A* | ❌ |
| CVE-2015-9251 |  Low |
3.7 | golang.org/x/tools-v0.1.12 | Transitive | N/A* | ❌ |
| CVE-2012-6708 | Low |
3.7 | golang.org/x/tools-v0.1.12 | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2020-11022
Vulnerable Library - golang.org/x/tools-v0.1.12
Library home page: https://proxy.golang.org/golang.org/x/tools/@v/v0.1.12.zip
Dependency Hierarchy:
- github.com/temporalio/sdk-go/contrib/tools/workflowcheck-b06c84ab2608fae617fe4d6d128d1018c828ae13 (Root Library)
- ❌ golang.org/x/tools-v0.1.12 (Vulnerable Library)
Found in HEAD commit: f334c489674c9ad224a791ced3eeec047e64e4ce
Found in base branch: main
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
CVE-2015-9251
Vulnerable Library - golang.org/x/tools-v0.1.12
Library home page: https://proxy.golang.org/golang.org/x/tools/@v/v0.1.12.zip
Dependency Hierarchy:
- github.com/temporalio/sdk-go/contrib/tools/workflowcheck-b06c84ab2608fae617fe4d6d128d1018c828ae13 (Root Library)
- ❌ golang.org/x/tools-v0.1.12 (Vulnerable Library)
Found in HEAD commit: f334c489674c9ad224a791ced3eeec047e64e4ce
Found in base branch: main
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
CVE-2012-6708
Vulnerable Library - golang.org/x/tools-v0.1.12
Library home page: https://proxy.golang.org/golang.org/x/tools/@v/v0.1.12.zip
Dependency Hierarchy:
- github.com/temporalio/sdk-go/contrib/tools/workflowcheck-b06c84ab2608fae617fe4d6d128d1018c828ae13 (Root Library)
- ❌ golang.org/x/tools-v0.1.12 (Vulnerable Library)
Found in HEAD commit: f334c489674c9ad224a791ced3eeec047e64e4ce
Found in base branch: main
Vulnerability Details
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
Add sample for bidirectional req/resp
Add a sample that shows the following methods of bidirectional communication:
- Signal + query poll
- Local side: Send signal with ID to do something
- Remote side: Store something with said ID and have query handler return said something when queried with ID
- Local side: Query regularly to get result
- Signal + remote activity schedule
- Local side: Have centralized notifier that has an activity to notify a waiting listener
- Local side: Create ID-based listener on notifier and then send signal with task queue and ID
- Remote side: Do something and start activity on given task queue and ID
go.temporal.io/server-v1.15.2: 1 vulnerabilities (highest severity is: 7.5) - autoclosed
Vulnerable Library - go.temporal.io/server-v1.15.2
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Found in HEAD commit: d54b5f7bd51ab2c52ba1eb744b6f87ab9bc5596f
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (go.temporal.io/server-v1.15.2 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-39325 |  High |
7.5 | golang.org/x/net-v0.14.0 | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-39325
Vulnerable Library - golang.org/x/net-v0.14.0
Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.14.0.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- go.temporal.io/server-v1.15.2 (Root Library)
- github.com/uber/tchannel-go-v1.22.2
- ❌ golang.org/x/net-v0.14.0 (Vulnerable Library)
- github.com/uber/tchannel-go-v1.22.2
Found in HEAD commit: d54b5f7bd51ab2c52ba1eb744b6f87ab9bc5596f
Found in base branch: main
Vulnerability Details
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
Publish Date: 2023-10-11
URL: CVE-2023-39325
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://pkg.go.dev/vuln/GO-2023-2102
Release Date: 2023-10-11
Fix Resolution: go1.20.10, go1.21.3, golang.org/x/net - v0.17.0
[Feature Request] search demo using golang zinc
Zinc is a golang implementation of elastic. It uses the Bluge golang packages.
https://github.com/zinclabs/zinc
It’s not yet api compatible but much faster than elastic.
it would be cool if we can make the same example demo in this repo have the option to use zinc.
zinc has no other run time dependency like a db etc so it should be easy to embed zinc if we want to go that far
Reporting a vulnerability
Hello!
I hope you are doing well!
We are a security research team. Our tool automatically detected a vulnerability in this repository. We want to disclose it responsibly. GitHub has a feature called Private vulnerability reporting, which enables security research to privately disclose a vulnerability. Unfortunately, it is not enabled for this repository.
Can you enable it, so that we can report it?
Thanks in advance!
PS: you can read about how to enable private vulnerability reporting here: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
Add sample that uses `Selector.AddSend`
The docs currently say:
// The sending message to the channel is expected to be done by the callback function
But this is unclear.
github.com/cretz/temporal-sdk-go/contrib/tools/workflowcheck: 3 vulnerabilities (highest severity is: 6.1) - autoclosed
Vulnerable Library - github.com/cretz/temporal-sdk-go/contrib/tools/workflowcheck
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2020-11022 | Medium |
6.1 | github.com/golang/tools-v0.1.8 | Transitive | N/A | ❌ |
| CVE-2012-6708 | Medium |
6.1 | github.com/golang/tools-v0.1.8 | Transitive | N/A | ❌ |
| CVE-2015-9251 | Low |
3.7 | github.com/golang/tools-v0.1.8 | Transitive | N/A | ❌ |
Details
CVE-2020-11022
Vulnerable Library - github.com/golang/tools-v0.1.8
[mirror] Go Tools
Dependency Hierarchy:
- github.com/cretz/temporal-sdk-go/contrib/tools/workflowcheck (Root Library)
- ❌ github.com/golang/tools-v0.1.8 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
CVE-2012-6708
Vulnerable Library - github.com/golang/tools-v0.1.8
[mirror] Go Tools
Dependency Hierarchy:
- github.com/cretz/temporal-sdk-go/contrib/tools/workflowcheck (Root Library)
- ❌ github.com/golang/tools-v0.1.8 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
CVE-2015-9251
Vulnerable Library - github.com/golang/tools-v0.1.8
[mirror] Go Tools
Dependency Hierarchy:
- github.com/cretz/temporal-sdk-go/contrib/tools/workflowcheck (Root Library)
- ❌ github.com/golang/tools-v0.1.8 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
github.com/uber-go/tally/v4-v4.1.1: 2 vulnerabilities (highest severity is: 7.5) - autoclosed
Vulnerable Library - github.com/uber-go/tally/v4-v4.1.1
A Go metrics interface with fast buffered metrics and third party reporters
Library home page: https://proxy.golang.org/github.com/uber-go/tally/v4/@v/v4.1.1.zip
Found in HEAD commit: f334c489674c9ad224a791ced3eeec047e64e4ce
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (github.com/uber-go/tally/v4-v4.1.1 version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2019-0205 | High |
7.5 | github.com/uber-go/tally/v4-v4.1.1 | Direct | org.apache.thrift:libthrift:0.13.0 | ❌ |
| CVE-2019-0210 | High |
7.5 | github.com/uber-go/tally/v4-v4.1.1 | Direct | 0.13.0 | ❌ |
Details
CVE-2019-0205
Vulnerable Library - github.com/uber-go/tally/v4-v4.1.1
A Go metrics interface with fast buffered metrics and third party reporters
Library home page: https://proxy.golang.org/github.com/uber-go/tally/v4/@v/v4.1.1.zip
Dependency Hierarchy:
- ❌ github.com/uber-go/tally/v4-v4.1.1 (Vulnerable Library)
Found in HEAD commit: f334c489674c9ad224a791ced3eeec047e64e4ce
Found in base branch: main
Vulnerability Details
In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.
Publish Date: 2019-10-29
URL: CVE-2019-0205
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205
Release Date: 2019-10-29
Fix Resolution: org.apache.thrift:libthrift:0.13.0
CVE-2019-0210
Vulnerable Library - github.com/uber-go/tally/v4-v4.1.1
A Go metrics interface with fast buffered metrics and third party reporters
Library home page: https://proxy.golang.org/github.com/uber-go/tally/v4/@v/v4.1.1.zip
Dependency Hierarchy:
- ❌ github.com/uber-go/tally/v4-v4.1.1 (Vulnerable Library)
Found in HEAD commit: f334c489674c9ad224a791ced3eeec047e64e4ce
Found in base branch: main
Vulnerability Details
In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data.
Publish Date: 2019-10-29
URL: CVE-2019-0210
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-10-29
Fix Resolution: 0.13.0
Interceptor Samples
Once temporalio/proposals#45 and temporalio/sdk-go#529 are complete, there should be a sample for interceptors.
File Processing: No cached result found for side effectID
While running the file processing sample, I encounter lookup failed for scheduledID to activityID: scheduleID: 30, activity: 29, and No cached result found for side effectID=6. KnownSideEffects=[5] error messages. These errors are reported by all fileprocessing workers:
Stack trace:
2020-06-16T11:10:51.513-0400 ERROR internal/internal_task_handlers.go:1468 Workflow panic. {"Namespace": "default", "TaskList": "fileprocessing", "WorkerID": "3221@OCTOTHUMP@", "WorkflowID": "fileprocessing_be9e7506-293a-4168-a85d-b405d7004446", "RunID": "e1597d5a-f66f-40d3-b33e-367055890c9f", "PanicError": "lookup failed for scheduledID to activityID: scheduleID: 30, activity: 29", "PanicStack": "process event for fileprocessing [panic]:\ngo.temporal.io/temporal/internal.panicIllegalState(...)\n\t/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_decision_state_machine.go:345\ngo.temporal.io/temporal/internal.(*decisionsHelper).handleActivityTaskScheduled(0xc00011e2c0, 0x1e, 0xc000482950, 0x2)\n\t/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_decision_state_machine.go:776 +0x175\ngo.temporal.io/temporal/internal.(*workflowExecutionEventHandlerImpl).ProcessEvent(0xc000490500, 0xc00049b600, 0x1, 0x0, 0x0)\n\t/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_event_handlers.go:802 +0x579\ngo.temporal.io/temporal/internal.(*workflowExecutionContextImpl).ProcessWorkflowTask(0xc00001e000, 0xc000155290, 0x1436b00, 0xc00048fc80,
0xc00001e000, 0x0)\n\t/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_handlers.go:871 +0xee0\ngo.temporal.io/temporal/internal.(*workflowTaskHandlerImpl).ProcessWorkflowTask(0xc000248be0, 0xc000155290, 0xc000509e90, 0x0, 0x0, 0x0, 0x0)\n\t/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_handlers.go:770 +0x4b0\ngo.temporal.io/temporal/internal.(*workflowTaskPoller).processWorkflowTask(0xc00022e240, 0xc000155290, 0x0, 0x0)\n\t/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_pollers.go:285 +0x430\ngo.temporal.io/temporal/internal.(*workflowTaskPoller).ProcessTask(0xc00022e240, 0xbd50c0, 0xc000155290, 0x0, 0x0)\n\t/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_pollers.go:258 +0x7f\ngo.temporal.io/temporal/internal.(*baseWorker).processTask(0xc000416000, 0xbd4bc0, 0xc0000b4610)\n\t/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_worker_base.go:307 +0xe0\ncreated by go.temporal.io/temporal/internal.(*baseWorker).runTaskDispatcher\n\t/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_worker_base.go:254 +0xff"}
go.temporal.io/temporal/internal.(*workflowTaskHandlerImpl).completeWorkflow
/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_handlers.go:1468
go.temporal.io/temporal/internal.(*workflowExecutionContextImpl).CompleteDecisionTask
/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_handlers.go:1088
go.temporal.io/temporal/internal.(*workflowExecutionContextImpl).ProcessWorkflowTask
/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_handlers.go:946
go.temporal.io/temporal/internal.(*workflowTaskHandlerImpl).ProcessWorkflowTask
/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_handlers.go:770
go.temporal.io/temporal/internal.(*workflowTaskPoller).processWorkflowTask
/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_pollers.go:285
go.temporal.io/temporal/internal.(*workflowTaskPoller).ProcessTask
/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_pollers.go:258
go.temporal.io/temporal/internal.(*baseWorker).processTask
/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_worker_base.go:307
2020-06-16T11:11:01.546-0400 ERROR internal/internal_task_handlers.go:1468 Workflow panic. {"Namespace": "default", "TaskList": "fileprocessing", "WorkerID": "3221@OCTOTHUMP@", "WorkflowID": "fileprocessing_be9e7506-293a-4168-a85d-b405d7004446", "RunID": "e1597d5a-f66f-40d3-b33e-367055890c9f", "PanicError": "No cached result found for side effectID=6. KnownSideEffects=[5]", "PanicStack": "coroutine 1 [panic]:\ngo.temporal.io/temporal/internal.(*workflowEnvironmentImpl).SideEffect(0xc000246000, 0xc000238bd0, 0xc000238c00)\n\t/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_event_handlers.go:636 +0x816\ngo.temporal.io/temporal/internal.(*workflowEnvironmentInterceptor).SideEffect(0xc0002387b0, 0xe651a0, 0xc000238ae0, 0xd7b050, 0xc0002387b0, 0xc000116750)\n\t/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/workflow.go:1131 +0x1e4\ngo.temporal.io/temporal/internal.SideEffect(0xe651a0, 0xc000238ae0, 0xd7b050, 0xe3ec70,
0x0)\n\t/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/workflow.go:1118 +0xab\ngo.temporal.io/temporal/internal.generateSessionID(0xe651a0, 0xc000238ae0, 0xe3ec70, 0x0, 0x0, 0x0)\n\t/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/session.go:376 +0x5f\ngo.temporal.io/temporal/internal.createSession(0xe651a0, 0xc000238ae0, 0xc00007ec60, 0x29, 0xc00046f790, 0xc00007ec01, 0x29, 0x0, 0xe4e8e0, 0xc0002568a0)\n\t/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/session.go:285 +0x10f\ngo.temporal.io/temporal/internal.CreateSession(0xe651a0, 0xc000238ae0, 0xc00046f790, 0x0, 0x0, 0xe4e8e0, 0xc0002568a0)\n\t/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/session.go:189 +0xf0\ngo.temporal.io/temporal/workflow.CreateSession(...)\n\t/home/steve/go/pkg/mod/go.temporal.io/[email protected]/workflow/session.go:103\ngithub.com/temporalio/temporal-go-samples/fileprocessing.processFile(0xe651a0, 0xc000238ae0, 0xc00007ec00, 0x24, 0x0, 0x0)\n\t/mnt/c/Users/Steve/projects/src/github.com/temporalio/temporal-go-samples/fileprocessing/workflow.go:52 +0xa5\ngithub.com/temporalio/temporal-go-samples/fileprocessing.SampleFileProcessingWorkflow(0xe64fa0, 0xc00051c500, 0xc00007ec00, 0x24, 0x0, 0x0)\n\t/mnt/c/Users/Steve/projects/src/github.com/temporalio/temporal-go-samples/fileprocessing/workflow.go:32 +0x1e7\nreflect.Value.call(0xc21940, 0xd7af50, 0x13, 0xd3eb0a, 0x4, 0xc000238a80, 0x2, 0x2, 0x2, 0x18, ...)\n\t/usr/local/go/src/reflect/value.go:460 +0x8ab\nreflect.Value.Call(0xc21940, 0xd7af50, 0x13, 0xc000238a80, 0x2, 0x2, 0x1, 0x2, 0xc0002387b0)\n\t/usr/local/go/src/reflect/value.go:321 +0xb4\ngo.temporal.io/temporal/internal.(*workflowEnvironmentInterceptor).ExecuteWorkflow(0xc0002387b0, 0xe64fa0, 0xc00051c500, 0xc0000d62e0, 0x1c, 0xc0001166f0, 0x1, 0x1, 0x0, 0x0, ...)\n\t/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/workflow.go:369 +0x2b2\ngo.temporal.io/temporal/internal.(*workflowExecutor).Execute(0xc00051c400, 0xe64fa0, 0xc00051c500, 0xc000491440, 0xc000066f38, 0xb5b306, 0x0)\n\t/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_worker.go:854 +0x334\ngo.temporal.io/temporal/internal.(*syncWorkflowDefinition).Execute.func1(0xe651a0, 0xc000238a50)\n\t/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_workflow.go:467 +0xf3"}
go.temporal.io/temporal/internal.(*workflowTaskHandlerImpl).completeWorkflow
/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_handlers.go:1468
go.temporal.io/temporal/internal.(*workflowExecutionContextImpl).CompleteDecisionTask
/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_handlers.go:1088
go.temporal.io/temporal/internal.(*workflowExecutionContextImpl).ProcessWorkflowTask
/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_handlers.go:946
go.temporal.io/temporal/internal.(*workflowTaskHandlerImpl).ProcessWorkflowTask
/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_handlers.go:770
go.temporal.io/temporal/internal.(*workflowTaskPoller).processWorkflowTask
/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_pollers.go:285
go.temporal.io/temporal/internal.(*workflowTaskPoller).ProcessTask
/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_task_pollers.go:258
go.temporal.io/temporal/internal.(*baseWorker).processTask
/home/steve/go/pkg/mod/go.temporal.io/[email protected]/internal/internal_worker_base.go:307
When I try to view the workflow from the web_ui, I see a red error banner across the top of the page with String contains an invalid character .
I've deployed temporal from the latest docker-compose-mysql file (0.23.1), and I've tried updating go.temporal.io/temporal to newer versions in go.mod, but I continue to get the same error messages.
All non session API samples are working properly.
[Feature Request] Add support for codespaces/devcontainers for easy local development
Is your feature request related to a problem? Please describe.
VScode has a cool feature called Remote Containers. It would be nice to leverage this so developers can spin up a temporal service right on their local machines for easy development.
Describe the solution you'd like
I'd like to take the same gitpod docker-compose.yml file and modify it to work with VScode remote containers.
Additional context
I will submit a pull request for this very soon.
TLS/mTLS/cloud sample
Describe the solution you'd like
Need a sample showing how to connect with TLS
Create an easy way to run all the samples
Create make target to run all the samples, given a frontend endpoint (e. g. FRONTEND_ADDRESS=127.0.0.1:7233 make run). Integrate it with #15.
This will enable two use cases:
- a dev making change on their machine, and wanting to make sure things still work before submitting a PR
- CI/CD pipeline running samples against a staging environment as part of its validation of the repo (and, indirectly, of the code deployed to the staging environment).
Add integration tests to samples
Separate directory like test should contains integration tests for every sample and #15 should run them.
`make` currently failed at `staticcheck` step
make currently failed at staticcheck step:
Line 3 in b49280d
If remove staticcheck by changing to
install: clean errcheck workflowcheck bins testIt will pass.
Here is the error log:
> make && ./bin/helloworld -m worker
rm -rf bin
Run static check...
# honnef.co/go/tools/go/types/typeutil
../../../go/src/honnef.co/go/tools/go/types/typeutil/upstream.go:26:12: syntax error: unexpected any, expecting ]
../../../go/src/honnef.co/go/tools/go/types/typeutil/upstream.go:30:13: syntax error: unexpected [, expecting comma or )
../../../go/src/honnef.co/go/tools/go/types/typeutil/upstream.go:31:13: syntax error: unexpected [, expecting comma or )
../../../go/src/honnef.co/go/tools/go/types/typeutil/upstream.go:35:3: syntax error: non-declaration statement outside function body
../../../go/src/honnef.co/go/tools/go/types/typeutil/upstream.go:40:13: syntax error: unexpected [, expecting comma or )
../../../go/src/honnef.co/go/tools/go/types/typeutil/upstream.go:41:13: syntax error: unexpected [, expecting comma or )
../../../go/src/honnef.co/go/tools/go/types/typeutil/upstream.go:42:13: syntax error: unexpected [, expecting comma or )
../../../go/src/honnef.co/go/tools/go/types/typeutil/upstream.go:43:48: method has multiple receivers
../../../go/src/honnef.co/go/tools/go/types/typeutil/upstream.go:43:48: syntax error: unexpected {, expecting name or (
../../../go/src/honnef.co/go/tools/go/types/typeutil/upstream.go:49:13: syntax error: unexpected [, expecting comma or )
../../../go/src/honnef.co/go/tools/go/types/typeutil/upstream.go:49:13: too many errors
# honnef.co/go/tools/knowledge
../../../go/src/honnef.co/go/tools/knowledge/signatures.go:9:22: undefined: types.NewSignatureType
../../../go/src/honnef.co/go/tools/knowledge/signatures.go:21:23: undefined: types.NewSignatureType
../../../go/src/honnef.co/go/tools/knowledge/signatures.go:32:35: undefined: types.NewSignatureType
../../../go/src/honnef.co/go/tools/knowledge/signatures.go:43:42: undefined: types.NewSignatureType
../../../go/src/honnef.co/go/tools/knowledge/signatures.go:52:43: undefined: types.NewSignatureType
../../../go/src/honnef.co/go/tools/knowledge/signatures.go:61:27: undefined: types.NewSignatureType
# honnef.co/go/tools/go/ast/astutil
../../../go/src/honnef.co/go/tools/go/ast/astutil/util.go:133:8: undefined: ast.IndexListExpr
../../../go/src/honnef.co/go/tools/go/ast/astutil/util.go:136:12: cannot assign ast.Expr to cp.X in multiple assignment
../../../go/src/honnef.co/go/tools/go/ast/astutil/util.go:141:22: cannot assign ast.Expr to cp.Indices[i] in multiple assignment
../../../go/src/honnef.co/go/tools/go/ast/astutil/util.go:281:8: undefined: ast.IndexListExpr
../../../go/src/honnef.co/go/tools/go/ast/astutil/util.go:282:12: undefined: ast.IndexListExpr
# honnef.co/go/tools/pattern
../../../go/src/honnef.co/go/tools/pattern/convert.go:16:35: undefined: ast.IndexListExpr
../../../go/src/honnef.co/go/tools/pattern/convert.go:138:9: assignment mismatch: 2 variables but 1 value
../../../go/src/honnef.co/go/tools/pattern/match.go:88:25: undefined: any
# honnef.co/go/tools/go/loader
../../../go/src/honnef.co/go/tools/go/loader/loader.go:233:4: unknown field 'Instances' in struct literal of type types.Info
make: *** [staticcheck] Error 2[Feature Request] Porting polling samples from Java examples
Is your feature request related to a problem? Please describe.
Java examples of SDK usage contain an useful example of how to implement polling activities:
- Frequently Polling Activity
- Infrequently Polling Activity
- Periodic Polling of a sequence of activities
The samples are based on this
community forum thread.
Describe the solution you'd like
It would be very useful to bring them to Go examples as well.
Add sample for snappy compression converter
Using new encoding converter, show an example of snappy compression
unable to find activityType=downloadFileActivity
When I try to run the fileprocessing demo, the workflow fails with the worker logging:
2020-04-27T18:38:21.028-0600 INFO internal/internal_worker_base.go:308 Task processing failed with error {"Namespace": "default", "TaskList": "fileprocessing-task-list", "WorkerID": "[email protected]@", "WorkerType": "ActivityWorker", "error": "unable to find activityType=downloadFileActivity. Supported types: [internalSessionCompletionActivity, internalSessionCreationActivity]"}
2020-04-27T18:39:27.153-0600 INFO internal/internal_worker_base.go:306 Task processing failed with client side error {"Namespace": "default", "TaskList": "fileprocessing-task-list", "WorkerID": "[email protected]@", "WorkerType": "ActivityWorker", "error": "context deadline exceeded"}
fileprocessing_811af268 0f36 4b70 8d75 dfd59ef4f519 - 457ab4e5-86a3-4563-8d49-f40f0299ceba.json.zip
Update metrics sample with newer Prometheus suggestions
Describe the solution you'd like
When temporalio/sdk-go#756 is released, apply this:
diff --git a/metrics/worker/main.go b/metrics/worker/main.go
index c1dc254..e3dde80 100644
--- a/metrics/worker/main.go
+++ b/metrics/worker/main.go
@@ -53,35 +53,12 @@ func newPrometheusScope(c prometheus.Configuration) tally.Scope {
scopeOpts := tally.ScopeOptions{
CachedReporter: reporter,
Separator: prometheus.DefaultSeparator,
- SanitizeOptions: &sanitizeOptions,
+ SanitizeOptions: &sdktally.PrometheusSanitizeOptions,
Prefix: "temporal_samples",
}
scope, _ := tally.NewRootScope(scopeOpts, time.Second)
+ scope = sdktally.NewPrometheusNamingScope(scope)
log.Println("prometheus metrics scope created")
return scope
}
-
-// tally sanitizer options that satisfy Prometheus restrictions.
-// This will rename metrics at the tally emission level, so metrics name we
-// use maybe different from what gets emitted. In the current implementation
-// it will replace - and . with _
-var (
- safeCharacters = []rune{'_'}
-
- sanitizeOptions = tally.SanitizeOptions{
- NameCharacters: tally.ValidCharacters{
- Ranges: tally.AlphanumericRange,
- Characters: safeCharacters,
- },
- KeyCharacters: tally.ValidCharacters{
- Ranges: tally.AlphanumericRange,
- Characters: safeCharacters,
- },
- ValueCharacters: tally.ValidCharacters{
- Ranges: tally.AlphanumericRange,
- Characters: safeCharacters,
- },
- ReplacementCharacter: tally.DefaultReplacementCharacter,
- }
-)gopkg.in/square/go-jose.v2-v2.6.0: 2 vulnerabilities (highest severity is: 7.5) - autoclosed
Vulnerable Library - gopkg.in/square/go-jose.v2-v2.6.0
Found in HEAD commit: d54b5f7bd51ab2c52ba1eb744b6f87ab9bc5596f
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (gopkg.in/square/go-jose.v2-v2.6.0 version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-27191 | High |
7.5 | golang.org/x/crypto-v0.0.0-20211108221036-ceb1ce70b4fa | Transitive | N/A* | ❌ |
| CVE-2021-43565 | High |
7.5 | golang.org/x/crypto-v0.0.0-20211108221036-ceb1ce70b4fa | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2022-27191
Vulnerable Library - golang.org/x/crypto-v0.0.0-20211108221036-ceb1ce70b4fa
Library home page: https://proxy.golang.org/golang.org/x/crypto/@v/v0.0.0-20211108221036-ceb1ce70b4fa.zip
Dependency Hierarchy:
- gopkg.in/square/go-jose.v2-v2.6.0 (Root Library)
- ❌ golang.org/x/crypto-v0.0.0-20211108221036-ceb1ce70b4fa (Vulnerable Library)
Found in HEAD commit: d54b5f7bd51ab2c52ba1eb744b6f87ab9bc5596f
Found in base branch: main
Vulnerability Details
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
Publish Date: 2022-03-18
URL: CVE-2022-27191
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-27191
Release Date: 2022-03-18
Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20220315.3147a52-1;golang-go.crypto-dev - 1:0.0~git20220315.3147a52-1
CVE-2021-43565
Vulnerable Library - golang.org/x/crypto-v0.0.0-20211108221036-ceb1ce70b4fa
Library home page: https://proxy.golang.org/golang.org/x/crypto/@v/v0.0.0-20211108221036-ceb1ce70b4fa.zip
Dependency Hierarchy:
- gopkg.in/square/go-jose.v2-v2.6.0 (Root Library)
- ❌ golang.org/x/crypto-v0.0.0-20211108221036-ceb1ce70b4fa (Vulnerable Library)
Found in HEAD commit: d54b5f7bd51ab2c52ba1eb744b6f87ab9bc5596f
Found in base branch: main
Vulnerability Details
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.
Publish Date: 2022-09-06
URL: CVE-2021-43565
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43565
Release Date: 2021-11-10
Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20211202.5770296-1;golang-go.crypto-dev - 1:0.0~git20211202.5770296-1
[Bug] Samples-go do not build on server 1.20.1
What are you really trying to do?
Update server dependency to latest fails because some packages have been moved/removed from the server
go: finding module for package go.temporal.io/server/tools/cli/plugin
github.com/temporalio/samples-go/snappycompress/plugin imports
go.temporal.io/server/tools/cli/plugin: module go.temporal.io/server@latest found (v1.20.1), but does not contain package go.temporal.io/server/tools/cli/plugin
[Bug] Cancel in pickfirst sample is not working
Describe the bug
Not sure if it's a bug. In the pickfirst sample, when the activity with short duration (1s) completes, the workflow cancels but the activity with longer duration (2s) fails to exit.
To Reproduce
Steps to reproduce the behavior:
- To debug, increase the duration for the 1st activity to 5 seconds:
f1 := workflow.ExecuteActivity(childCtx, SampleActivity, 0, 5*time.Second) - Add a log to activity code to show when cancel is not working:
select {
case <-ctx.Done():
// We have been cancelled.
msg := fmt.Sprintf("Branch %d is cancelled.", currentBranchID)
logger.Info(msg)
return msg, ctx.Err()
default:
logger.Info("not cancelled yet")
// We are not cancelled yet.
}
- f1 is not cancelled until 5 seconds elapsed. worker logs:
2021/06/06 09:03:06 INFO No logger configured for temporal client. Created default one.
2021/06/06 09:03:06 INFO Started Worker Namespace default TaskQueue pick-first WorkerID 66831@bogon@
2021/06/06 09:03:17 DEBUG ExecuteActivity Namespace default TaskQueue pick-first WorkerID 66831@bogon@ WorkflowType SamplePickFirstWorkflow WorkflowID pick-first_0c62bebb-bada-4110-ba32-26cdd942257b RunID 9663ba53-c621-46aa-b418-4598e1050874 Attempt 1 ActivityID 5 ActivityType SampleActivity
2021/06/06 09:03:17 DEBUG ExecuteActivity Namespace default TaskQueue pick-first WorkerID 66831@bogon@ WorkflowType SamplePickFirstWorkflow WorkflowID pick-first_0c62bebb-bada-4110-ba32-26cdd942257b RunID 9663ba53-c621-46aa-b418-4598e1050874 Attempt 1 ActivityID 6 ActivityType SampleActivity
2021/06/06 09:03:18 INFO not cancelled yet Namespace default TaskQueue pick-first WorkerID 66831@bogon@ ActivityID 6 ActivityType SampleActivity Attempt 1 WorkflowType SamplePickFirstWorkflow WorkflowID pick-first_0c62bebb-bada-4110-ba32-26cdd942257b RunID 9663ba53-c621-46aa-b418-4598e1050874
2021/06/06 09:03:18 INFO not cancelled yet Namespace default TaskQueue pick-first WorkerID 66831@bogon@ ActivityID 5 ActivityType SampleActivity Attempt 1 WorkflowType SamplePickFirstWorkflow WorkflowID pick-first_0c62bebb-bada-4110-ba32-26cdd942257b RunID 9663ba53-c621-46aa-b418-4598e1050874
2021/06/06 09:03:18 DEBUG RequestCancelActivity Namespace default TaskQueue pick-first WorkerID 66831@bogon@ WorkflowType SamplePickFirstWorkflow WorkflowID pick-first_0c62bebb-bada-4110-ba32-26cdd942257b RunID 9663ba53-c621-46aa-b418-4598e1050874 Attempt 1 ActivityID 5
2021/06/06 09:03:19 INFO not cancelled yet Namespace default TaskQueue pick-first WorkerID 66831@bogon@ ActivityID 5 ActivityType SampleActivity Attempt 1 WorkflowType SamplePickFirstWorkflow WorkflowID pick-first_0c62bebb-bada-4110-ba32-26cdd942257b RunID 9663ba53-c621-46aa-b418-4598e1050874
2021/06/06 09:03:20 INFO not cancelled yet Namespace default TaskQueue pick-first WorkerID 66831@bogon@ ActivityID 5 ActivityType SampleActivity Attempt 1 WorkflowType SamplePickFirstWorkflow WorkflowID pick-first_0c62bebb-bada-4110-ba32-26cdd942257b RunID 9663ba53-c621-46aa-b418-4598e1050874
2021/06/06 09:03:21 INFO not cancelled yet Namespace default TaskQueue pick-first WorkerID 66831@bogon@ ActivityID 5 ActivityType SampleActivity Attempt 1 WorkflowType SamplePickFirstWorkflow WorkflowID pick-first_0c62bebb-bada-4110-ba32-26cdd942257b RunID 9663ba53-c621-46aa-b418-4598e1050874
2021/06/06 09:03:22 INFO not cancelled yet Namespace default TaskQueue pick-first WorkerID 66831@bogon@ ActivityID 5 ActivityType SampleActivity Attempt 1 WorkflowType SamplePickFirstWorkflow WorkflowID pick-first_0c62bebb-bada-4110-ba32-26cdd942257b RunID 9663ba53-c621-46aa-b418-4598e1050874
2021/06/06 09:03:22 INFO Workflow completed. Namespace default TaskQueue pick-first WorkerID 66831@bogon@ WorkflowType SamplePickFirstWorkflow WorkflowID pick-first_0c62bebb-bada-4110-ba32-26cdd942257b RunID 9663ba53-c621-46aa-b418-4598e1050874 Attempt 1
Expected behavior
As far as I understand, when workflow calls cancelHandler func, all activities executed with childCtx should be cancelled, and select on ctx.Done() should hit.
Not sure if I understand correctly.
Screenshots/Terminal ouput
If applicable, add screenshots or code blocks to help explain your problem. You can also use Loom to do short, free video bug reports.
Versions (please complete the following information where relevant):
- OS: Mac
- Temporal Version: 1.6.0
- are you using Docker or Kubernetes or building Temporal from source? using Docker compose
Additional context
Add any other context about the problem here.
go.temporal.io/sdk/contrib/tools/workflowcheck: 3 vulnerabilities (highest severity is: 6.1) - autoclosed
Vulnerable Library - go.temporal.io/sdk/contrib/tools/workflowcheck
Found in HEAD commit: 453091d983b854b70edd8e47fcab17c535d8f116
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2020-11022 | Medium |
6.1 | github.com/golang/tools-v0.1.8 | Transitive | N/A | ❌ |
| CVE-2015-9251 | Medium |
6.1 | github.com/golang/tools-v0.1.8 | Transitive | N/A | ❌ |
| CVE-2012-6708 | Medium |
6.1 | github.com/golang/tools-v0.1.8 | Transitive | N/A | ❌ |
Details
CVE-2020-11022
Vulnerable Library - github.com/golang/tools-v0.1.8
[mirror] Go Tools
Dependency Hierarchy:
- go.temporal.io/sdk/contrib/tools/workflowcheck (Root Library)
- ❌ github.com/golang/tools-v0.1.8 (Vulnerable Library)
Found in HEAD commit: 453091d983b854b70edd8e47fcab17c535d8f116
Found in base branch: main
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
CVE-2015-9251
Vulnerable Library - github.com/golang/tools-v0.1.8
[mirror] Go Tools
Dependency Hierarchy:
- go.temporal.io/sdk/contrib/tools/workflowcheck (Root Library)
- ❌ github.com/golang/tools-v0.1.8 (Vulnerable Library)
Found in HEAD commit: 453091d983b854b70edd8e47fcab17c535d8f116
Found in base branch: main
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
CVE-2012-6708
Vulnerable Library - github.com/golang/tools-v0.1.8
[mirror] Go Tools
Dependency Hierarchy:
- go.temporal.io/sdk/contrib/tools/workflowcheck (Root Library)
- ❌ github.com/golang/tools-v0.1.8 (Vulnerable Library)
Found in HEAD commit: 453091d983b854b70edd8e47fcab17c535d8f116
Found in base branch: main
Vulnerability Details
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.