i-love-flamingo / flamingo

Flamingo Framework and Core Library. Flamingo is a go based framework to build pluggable applications. Focus is on clean architecture, maintainability and operation readiness.

Home Page: http://www.flamingo.me

License: MIT License

Go 99.56% Makefile 0.01% CUE 0.42%
application-framework dependency-injection framework go golang golang-library hacktoberfest modularization web-framework webframework

flamingo's Issues

Prefixrouter accepts repeated prefixes

The prefixrouter accepts requests to /prefix/prefix/ as / for /prefix

For full prefix this seems to be fine (incl. host)

by @Ompluscator

the reason why flamingo doesn't recognize here /prefix/prefix is probably because BASE_PATH is now full domain "https://example.com/prefix", not just "/prefix"
^^ maybe Mr @bastian.ike can check this issue with flamingo core router

core/locale: Data race in translation_service

We just witnessed a race condition in the translation service. We should add some sort of mutex to avoid that.

==================
==================
WARNING: DATA RACE
Read at 0x00c0005215c9 by goroutine 132:
  flamingo.me/flamingo/v3/core/locale/infrastructure.(*TranslationService).loadFiles()
      /builds/shared/flamingo/flamingo-om3/.go/pkg/mod/flamingo.me/flamingo/[email protected]/core/locale/infrastructure/translation_service.go:127 +0x64
  flamingo.me/flamingo/v3/core/locale/infrastructure.(*TranslationService).initAndLoad()
      /builds/shared/flamingo/flamingo-om3/.go/pkg/mod/flamingo.me/flamingo/[email protected]/core/locale/infrastructure/translation_service.go:154 +0x84
  flamingo.me/flamingo/v3/core/locale/infrastructure.(*TranslationService).Translate()
      /builds/shared/flamingo/flamingo-om3/.go/pkg/mod/flamingo.me/flamingo/[email protected]/core/locale/infrastructure/translation_service.go:70 +0x4f
  go.aoe.com/flamingo-om3/v3/om3flight/interfaces/controller.(*FlightAPIController).JSONError()
      /builds/shared/flamingo/flamingo-om3/om3flight/interfaces/controller/flightapicontroller.go:222 +0x401
  go.aoe.com/flamingo-om3/v3/om3flight/interfaces/controller.(*FlightAPIController).SearchFlightsAction()
      /builds/shared/flamingo/flamingo-om3/om3flight/interfaces/controller/flightapicontroller.go:98 +0x6c7
  go.aoe.com/flamingo-om3/v3/om3flight/interfaces/controller.(*FlightAPIController).SearchFlightsAction-fm()
      /builds/shared/flamingo/flamingo-om3/om3flight/interfaces/controller/flightapicontroller.go:81 +0x74
  flamingo.me/flamingo/v3/framework/web.(*handler).ServeHTTP.func3()
      /builds/shared/flamingo/flamingo-om3/.go/pkg/mod/flamingo.me/flamingo/[email protected]/framework/web/handler.go:163 +0x481
  flamingo.me/flamingo/v3/framework/web.(*FilterChain).Next()
      /builds/shared/flamingo/flamingo-om3/.go/pkg/mod/flamingo.me/flamingo/[email protected]/framework/web/filter.go:58 +0x24d
  flamingo.me/flamingo/v3/framework/web/filter.(*MetricsFilter).Filter()
      /builds/shared/flamingo/flamingo-om3/.go/pkg/mod/flamingo.me/flamingo/[email protected]/framework/web/filter/request_metrics_filter.go:84 +0x7a
  flamingo.me/flamingo/v3/framework/web.(*FilterChain).Next()
      /builds/shared/flamingo/flamingo-om3/.go/pkg/mod/flamingo.me/flamingo/[email protected]/framework/web/filter.go:63 +0x1a2
  flamingo.me/flamingo/v3/framework/web.(*handler).ServeHTTP()
      /builds/shared/flamingo/flamingo-om3/.go/pkg/mod/flamingo.me/flamingo/[email protected]/framework/web/handler.go:174 +0xc12
  net/http.serverHandler.ServeHTTP()
      /usr/local/go/src/net/http/server.go:2887 +0xca
  net/http.(*conn).serve()
      /usr/local/go/src/net/http/server.go:1952 +0x87d
Previous write at 0x00c0005215c9 by goroutine 36:
  flamingo.me/flamingo/v3/core/locale/infrastructure.(*TranslationService).loadFiles()
      /builds/shared/flamingo/flamingo-om3/.go/pkg/mod/flamingo.me/flamingo/[email protected]/core/locale/infrastructure/translation_service.go:147 +0x199
  flamingo.me/flamingo/v3/core/locale/infrastructure.(*TranslationService).initAndLoad()
      /builds/shared/flamingo/flamingo-om3/.go/pkg/mod/flamingo.me/flamingo/[email protected]/core/locale/infrastructure/translation_service.go:154 +0x84
  flamingo.me/flamingo/v3/core/locale/infrastructure.(*TranslationService).Translate()
      /builds/shared/flamingo/flamingo-om3/.go/pkg/mod/flamingo.me/flamingo/[email protected]/core/locale/infrastructure/translation_service.go:70 +0x4f
  go.aoe.com/flamingo-om3/v3/om3flight/interfaces/controller.(*FlightAPIController).JSONError()
      /builds/shared/flamingo/flamingo-om3/om3flight/interfaces/controller/flightapicontroller.go:222 +0x401
  go.aoe.com/flamingo-om3/v3/om3flight/interfaces/controller.(*FlightAPIController).DeleteSessionFlightAction()
      /builds/shared/flamingo/flamingo-om3/om3flight/interfaces/controller/flightapicontroller.go:134 +0x27c
  go.aoe.com/flamingo-om3/v3/om3flight/interfaces/controller.(*FlightAPIController).DeleteSessionFlightAction-fm()
      /builds/shared/flamingo/flamingo-om3/om3flight/interfaces/controller/flightapicontroller.go:131 +0x74
  flamingo.me/flamingo/v3/framework/web.(*handler).ServeHTTP.func3()
      /builds/shared/flamingo/flamingo-om3/.go/pkg/mod/flamingo.me/flamingo/[email protected]/framework/web/handler.go:163 +0x481
  flamingo.me/flamingo/v3/framework/web.(*FilterChain).Next()
      /builds/shared/flamingo/flamingo-om3/.go/pkg/mod/flamingo.me/flamingo/[email protected]/framework/web/filter.go:58 +0x24d
  flamingo.me/flamingo/v3/framework/web/filter.(*MetricsFilter).Filter()
      /builds/shared/flamingo/flamingo-om3/.go/pkg/mod/flamingo.me/flamingo/[email protected]/framework/web/filter/request_metrics_filter.go:84 +0x7a
  flamingo.me/flamingo/v3/framework/web.(*FilterChain).Next()
      /builds/shared/flamingo/flamingo-om3/.go/pkg/mod/flamingo.me/flamingo/[email protected]/framework/web/filter.go:63 +0x1a2
  flamingo.me/flamingo/v3/framework/web.(*handler).ServeHTTP()
      /builds/shared/flamingo/flamingo-om3/.go/pkg/mod/flamingo.me/flamingo/[email protected]/framework/web/handler.go:174 +0xc12
  net/http.serverHandler.ServeHTTP()
      /usr/local/go/src/net/http/server.go:2887 +0xca
  net/http.(*conn).serve()
      /usr/local/go/src/net/http/server.go:1952 +0x87d
Goroutine 132 (running) created at:
  net/http.(*Server).Serve()
      /usr/local/go/src/net/http/server.go:3013 +0x644
  flamingo.me/flamingo-commerce/v3/test/integrationtest.(*testModule).startServer.func1()
      /builds/shared/flamingo/flamingo-om3/.go/pkg/mod/flamingo.me/flamingo-commerce/[email protected]/test/integrationtest/helper.go:98 +0x6a
Goroutine 36 (running) created at:
  net/http.(*Server).Serve()
      /usr/local/go/src/net/http/server.go:3013 +0x644
  flamingo.me/flamingo-commerce/v3/test/integrationtest.(*testModule).startServer.func1()
      /builds/shared/flamingo/flamingo-om3/.go/pkg/mod/flamingo.me/flamingo-commerce/[email protected]/test/integrationtest/helper.go:98 +0x6a
==================
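
An added example, not Flamingo's code: one way to add the mutex the report asks for, guarding a lazy load that is reached through Translate, initAndLoad and loadFiles as in the trace. The struct, its fields, the sample messages and the assumption that the raced word is a "loaded" flag are hypothetical.

```go
package main

import (
	"fmt"
	"sync"
)

// translationService is a hypothetical stand-in for a lazily initialised
// translation service. It is not Flamingo's TranslationService.
type translationService struct {
	mu       sync.RWMutex
	loaded   bool              // guarded by mu (assumed to be the raced word)
	messages map[string]string // guarded by mu
	loads    int               // guarded by mu; counts loadFiles runs for the demo
}

// loadFiles simulates reading the translation files.
// The caller must hold mu for writing.
func (s *translationService) loadFiles() {
	s.loads++
	s.messages = map[string]string{ // constructed sample data
		"error.notfound": "Flight not found",
		"error.session":  "Session expired",
	}
	s.loaded = true
}

// initAndLoad loads the files at most once. The fast path takes only a read
// lock; the slow path re-checks the flag under the write lock so that two
// requests arriving together cannot both run loadFiles.
func (s *translationService) initAndLoad() {
	s.mu.RLock()
	loaded := s.loaded
	s.mu.RUnlock()
	if loaded {
		return
	}

	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.loaded {
		s.loadFiles()
	}
}

// Translate returns the message for key, or the key itself when unknown.
func (s *translationService) Translate(key string) string {
	s.initAndLoad()

	s.mu.RLock()
	defer s.mu.RUnlock()
	if msg, ok := s.messages[key]; ok {
		return msg
	}
	return key
}

// translateConcurrently mimics several HTTP handler goroutines hitting a
// fresh service at the same time, as goroutines 36 and 132 do in the report.
// It returns every result and how often loadFiles ran.
func translateConcurrently(workers int, key string) ([]string, int) {
	s := &translationService{}
	results := make([]string, workers)

	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			results[i] = s.Translate(key)
		}(i)
	}
	wg.Wait()

	s.mu.RLock()
	defer s.mu.RUnlock()
	return results, s.loads
}

func main() {
	results, loads := translateConcurrently(64, "error.notfound")
	fmt.Printf("%d results, first=%q, loadFiles ran %d time(s)\n",
		len(results), results[0], loads)
}
```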

Configuring Flamingo for HTTPS

How can I configure Flamingo to serve over HTTPS? I've looked all over in the docs, but found no mentions of how to do this. Any help would be greatly appreciated.

Sane web.Result defaults

Works: new(web.Responder).Data(data)
Doesn't work: &web.DataResponse{Data: data}

Both should work, so for basic usage it's possible to use functions for actions with creating bigger modules

web.Responder error handling for nil errors

// ServerErrorWithCodeAndTemplate error response with template and http status code
func (r *Responder) ServerErrorWithCodeAndTemplate(err error, tpl string, status uint) *ServerErrorResponse {
	errstr := err.Error()

err should be checked for nil.

web: Add context to error logs

Hello friends,

while analysing an issue with our SSO by investigating our application logs, I noticed
that the function called here:
https://github.com/i-love-flamingo/flamingo/blob/master/core/auth/oauth/oidc.go#L310

Does not consider the request context when logging the error
https://github.com/i-love-flamingo/flamingo/blob/master/framework/web/result.go#L430

This would require the function to be able to receive a context and log the error using WithContext
The adjustment would help with log analysis.
As this function is used across several classes, we could also create a new function and slowly migrate.

Decouple healthcheck from other modules

At the moment, the healthcheck module has a hard dependency on the session backend, but does not declare a dependency to the session module.

A similar situation is given for the auth check, but here the default setting is at least deactivated.

The healthcheck module should be usable in projects without sessions or auth, too.

I suggest to move specific checks to their corresponding modules.

Adapt to go 1.16

Go 1.16 brings a lot of nice enhancements, so we should evaluate if we can adapt them.

NotifyContext

https://tip.golang.org/pkg/os/signal/#NotifyContext

signals := make(chan os.Signal, 1)
shutdownComplete := make(chan struct{}, 1)
signal.Notify(signals, syscall.SIGINT, syscall.SIGTERM)

embed

https://tip.golang.org/pkg/embed/
(not used yet, but might be useful to integrate something?)

metrics

https://tip.golang.org/pkg/runtime/metrics/
We should investigate how this extends/replaces opencensus/opentelemetry #179

Flamingo-Commerce priceFormatService should move to locale package

flamingo-commerce got a new feature for its "commercePriceFormat" to configure price format "default" and per "currency"
This should move to flamingo and flamingo-commerce should reuse the flamingo service.

Currently flamingo-commerce reads from "locale.accounting.*" which is not nice anyway

Memory stats are not updated

Hello Flamingo team,

due to an issue in https://github.com/census-instrumentation/opencensus-go, the memory stats do not seem to be updated for opencensus.
In line

if err := runmetrics.Enable(runmetrics.RunMetricOptions{
	EnableCPU:    true,
	EnableMemory: true,
}); err != nil {
the RunMetricOptions are instantiated without setting UseDerivedCumulative.
Consequently, in line https://github.com/census-instrumentation/opencensus-go/blob/052120675fac2ace91dc2c01e5f63c3e6ec62f04/plugin/runmetrics/producer.go#L133 only producer.deprecatedMemStats is instantiated and not producer.memStats.
But, the latter seems to be required to read current memory metrics => see https://github.com/census-instrumentation/opencensus-go/blob/052120675fac2ace91dc2c01e5f63c3e6ec62f04/plugin/runmetrics/producer.go#L169
A possible workaround might be to set UseDerivedCumulative in framework/opencensus/module.go

Easy start with templates and assets

Document the minimum requirements such as:

package main

import (
	"flamingo.me/dingo"
	"flamingo.me/flamingo/v3"
	"flamingo.me/flamingo/v3/core/gotemplate"
)

func main() {
	flamingo.App([]dingo.Module{
		new(gotemplate.Module),
	})
}

- name: index
  path: /
  controller: flamingo.render(tpl="index")
- name: static
  path: /asset/*name
  controller: flamingo.static.file

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Edited/Blocked

These updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

docker-compose
core/auth/example/docker-compose.yml
  • quay.io/dexidp/dex v2.28.1
  • quay.io/dexidp/dex v2.28.1
  • quay.io/keycloak/keycloak 24.0.3
  • quay.io/keycloak/keycloak 24.0.3
core/oauth/example/docker-compose.yml
  • quay.io/dexidp/dex v2.28.1
github-actions
.github/workflows/daily.yml
  • actions/checkout v4
  • actions/setup-go v5
.github/workflows/golangci-lint.yml
  • actions/checkout v4
  • actions/setup-go v5
  • golangci/golangci-lint-action v5
.github/workflows/main.yml
  • actions/checkout v4
  • actions/setup-go v5
  • actions/checkout v4
  • actions/setup-go v5
  • irongut/CodeCoverageSummary v1.3.0
  • marocchino/sticky-pull-request-comment v2
  • actions/checkout v4
  • actions/setup-go v5
.github/workflows/semanticore.yml
  • actions/checkout v4
  • actions/setup-go v5
gomod
go.mod
  • go 1.21
  • contrib.go.opencensus.io/exporter/jaeger v0.2.1
  • contrib.go.opencensus.io/exporter/prometheus v0.4.2
  • contrib.go.opencensus.io/exporter/zipkin v0.1.2
  • cuelang.org/go v0.0.15
  • flamingo.me/dingo v0.2.10
  • github.com/coreos/go-oidc/v3 v3.10.0
  • github.com/ghodss/yaml v1.0.0
  • github.com/gofrs/uuid v4.4.0+incompatible
  • github.com/golang-jwt/jwt/v5 v5.2.1
  • github.com/google/go-cmp v0.6.0
  • github.com/gorilla/securecookie v1.1.2
  • github.com/gorilla/sessions v1.2.2
  • github.com/hashicorp/golang-lru/v2 v2.0.7
  • github.com/leekchan/accounting v0.3.1
  • github.com/nicksnyder/go-i18n v0.0.0-20180814031359-04f547cc50da@04f547cc50da
  • github.com/openzipkin/zipkin-go v0.4.2
  • github.com/pact-foundation/pact-go v0.0.13
  • github.com/rbcervilla/redisstore/v9 v9.0.0
  • github.com/redis/go-redis/v9 v9.5.1
  • github.com/spf13/cobra v1.8.0
  • github.com/spf13/pflag v1.0.5
  • github.com/stretchr/testify v1.9.0
  • github.com/zemirco/memorystore v0.0.0-20160308183530-ecd57e5134f6@ecd57e5134f6
  • go.opencensus.io v0.24.0
  • go.uber.org/automaxprocs v1.5.3
  • go.uber.org/zap v1.27.0
  • golang.org/x/oauth2 v0.19.0
  • golang.org/x/sync v0.7.0
regex
core/security/application/doc.go
  • github.com/vektra/mockery/v2 v2.42.3
core/security/application/role/doc.go
  • github.com/vektra/mockery/v2 v2.42.3
core/security/application/voter/doc.go
  • github.com/vektra/mockery/v2 v2.42.3
core/security/domain/doc.go
  • github.com/vektra/mockery/v2 v2.42.3
core/security/interface/middleware/doc.go
  • github.com/vektra/mockery/v2 v2.42.3


Config errors are not explained well

e.g.:

DEBUG=1 CONTEXT=dev:testproducts go run main.go serve
panic: error converting YAML to JSON: yaml: line 131: did not find expected key

goroutine 1 [running]:
flamingo.me/flamingo/v3/framework/config.loadYamlConfig(0xc00047f680, 0xc000276000, 0xc49, 0xc80, 0xe76, 0x0)
/Users/daniel.poetzinger/Development/GOMOD/flamingo/flamingo/framework/config/loader.go:206 +0x1a2
flamingo.me/flamingo/v3/framework/config.loadYamlFile(0xc00047f680, 0xc000300fa0, 0xd, 0xd, 0x1)
/Users/daniel.poetzinger/Development/GOMOD/flamingo/flamingo/framework/config/loader.go:181 +0x222

Maybe the lines around the error can be printed - it's not clear which file etc. it's referring to

dependencies: Update cobra

Hello friends,
when running Nancy on flamingo it detects two vulnerable dependencies. One seems to be related to cobra

github.com/spf13/cobra v0.0.6

Cobra is currently available in version v1.1.3 https://github.com/spf13/cobra/tags

Approach
I am on flamingo master and execute:

go list -json -m all | docker run --rm -i sonatypecommunity/nancy:latest sleuth

Output

Checking for updates...
Already up-to-date.
pkg:golang/github.com/coreos/[email protected]
3 known vulnerabilities affecting installed version
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2020-15114] In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP prox...                                                                                                                           ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP                                                                                                                               ┃
┃                    ┃ proxy to allow for basic service discovery and access. However, it is                                                                                                                                     ┃
┃                    ┃ possible to include the gateway address as an endpoint. This results in a                                                                                                                                 ┃
┃                    ┃ denial of service, since the endpoint can become stuck in a loop of                                                                                                                                       ┃
┃                    ┃ requesting itself until there are no more available file descriptors to                                                                                                                                   ┃
┃                    ┃ accept connections on the gateway.                                                                                                                                                                        ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ bba60acb-c7b5-4621-af69-f4085a8301d0                                                                                                                                                                      ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 7.7/10 (High)                                                                                                                                                                                             ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H                                                                                                                                                              ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/bba60acb-c7b5-4621-af69-f4085a8301d0?component-type=golang&component-name=github.com%2Fcoreos%2Fetcd&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.15 ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2020-15136] In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only ap...                                                                                                                           ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is                                                                                                                                  ┃
┃                    ┃ only applied to endpoints detected in DNS SRV records. When starting a                                                                                                                                    ┃
┃                    ┃ gateway, TLS authentication will only be attempted on endpoints identified                                                                                                                                ┃
┃                    ┃ in DNS SRV records for a given domain, which occurs in the                                                                                                                                                ┃
┃                    ┃ discoverEndpoints function. No authentication is performed against                                                                                                                                        ┃
┃                    ┃ endpoints provided in the --endpoints flag. This has been fixed in versions                                                                                                                               ┃
┃                    ┃ 3.4.10 and 3.3.23 with improved documentation and deprecation of the                                                                                                                                      ┃
┃                    ┃ functionality.                                                                                                                                                                                            ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ d373dc3f-aa88-483b-b501-20fe5382cc80                                                                                                                                                                      ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 6.5/10 (Medium)                                                                                                                                                                                           ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N                                                                                                                                                              ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/d373dc3f-aa88-483b-b501-20fe5382cc80?component-type=golang&component-name=github.com%2Fcoreos%2Fetcd&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.15 ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2020-15115] etcd before versions 3.3.23 and 3.4.10 does not perform any password length vali...                                                                                                                           ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ etcd before versions 3.3.23 and 3.4.10 does not perform any password length                                                                                                                               ┃
┃                    ┃ validation, which allows for very short passwords, such as those with a                                                                                                                                   ┃
┃                    ┃ length of one. This may allow an attacker to guess or brute-force users'                                                                                                                                  ┃
┃                    ┃ passwords with little computational effort.                                                                                                                                                               ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ 5def94e5-b89c-4a94-b9c6-ae0e120784c2                                                                                                                                                                      ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 5.8/10 (Medium)                                                                                                                                                                                           ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N                                                                                                                                                              ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/5def94e5-b89c-4a94-b9c6-ae0e120784c2?component-type=golang&component-name=github.com%2Fcoreos%2Fetcd&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.15 ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
pkg:golang/github.com/gorilla/[email protected]
1 known vulnerabilities affecting installed version
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ CWE-190: Integer Overflow or Wraparound                                                                                                                                                                                              ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ The software performs a calculation that can produce an integer overflow or                                                                                                                                     ┃
┃                    ┃ wraparound, when the logic assumes that the resulting value will always be                                                                                                                                      ┃
┃                    ┃ larger than the original value. This can introduce other weaknesses when                                                                                                                                        ┃
┃                    ┃ the calculation is used for resource management or execution control.                                                                                                                                           ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ 5f259e63-3efb-4c47-b593-d175dca716b0                                                                                                                                                                            ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 7.5/10 (High)                                                                                                                                                                                                   ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H                                                                                                                                                                    ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/5f259e63-3efb-4c47-b593-d175dca716b0?component-type=golang&component-name=github.com%2Fgorilla%2Fwebsocket&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.15 ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

2 Vulnerable Packages

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                       ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━┫
┃ Audited Dependencies    ┃ 176 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━┫
┃ Vulnerable Dependencies ┃ 2   ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━┛

Checking the dependency graph:

go mod graph | grep 'github.com/gorilla/websocket'
> github.com/spf13/[email protected] github.com/gorilla/[email protected]

go mod graph | grep 'viper'
> github.com/spf13/[email protected] github.com/spf13/[email protected]

Go 1.13 errors

Now that go 1.14 is released we should:

  • drop go 1.12 compatibility shim (fmtErrorf for %w)
  • move everything to go errors

error in DataResponse should not trigger TemplateEngine response

If Data Response fails then the 500 error template is shown.

Expected: A json error format (?)

Example stack

2019-05-17T14:13:07.643+0200 ERROR web/result.go:386 json: unsupported type: ....
flamingo/flamingo/core/zap/logger.go:77
flamingo.me/flamingo/v3/framework/web.(*Responder).ServerError
flamingo/flamingo/framework/web/result.go:386
flamingo.me/flamingo/v3/framework/controller.(*Error).Error
flamingo/flamingo/framework/controller/error.go:28
flamingo.me/flamingo/v3/framework/web.(*handler).ServeHTTP
flamingo/flamingo/framework/web/handler.go:217
flamingo.me/flamingo/v3/framework/prefixrouter.(*FrontRouter).ServeHTTP
flamingo/flamingo/framework/prefixrouter/front_router.go:136

Security issue in github.com/satori/go.uuid

Hello Flamingo team,

the library github.com/satori/go.uuid has a security issue (see https://avd.aquasec.com/nvd/2021/cve-2021-3538/ for details). This library is used in Flamingo core:

It would be great if you could replace it with a library that does not suffer from this issue (e.g. https://github.com/gofrs/uuid or https://github.com/google/uuid).

Thanks for your help.

BR, Michael

Default errorhandling for templates

Empty projects end up with the message
Could not find the template error/withCode.html
everywhere, because the 404 template is not found, which triggers a 50x error, which defaults to the error/withCode.html template.
This is totally unclear/unusable for new adopters.

Focus items in RESTful API

Hello.
Will optimization of the REST API project be considered later?

I intend to use this for RESTful projects that do not require the functionality of templates.

flamingo.static.file controller

The flamingo.static.file controller is basically unusable.

We need configuration/param for the path, rename to flamingo.static (because it actually serves folders and directory listings) and check for file-only serving

Use real port information in `ServerStartEvent`

Without further configuration Flamingo starts the server on port 3322 (normal router) or 3210 (prefixrouter) and the systemendpoint on 13210.

However, if you configure :0, the net.Listener will internally choose an available port and there is no possibility to know which ports have been selected.

The ServerStartEvent just has the configuration :0 instead of the "real port".
Also the log messages "Starting HTTP Server ..." and "systemendpoint: Start at ..." have only the configuration value.

Configuration for systemendpoint is flamingo.systemendpoint.serviceAddr
The main port is given by the --addr flag in the serve command (for router and prefixrouter respectively)
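The behaviour described in this issue, as an added example that is not part of the original issue or of Flamingo's code: binding the listener first and reading the bound address from it gives a start event the real port even when ":0" is configured. The type `startedServer` and the function `startServer` are hypothetical names chosen for this sketch.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

// startedServer is a hypothetical stand-in for what a start event could carry.
type startedServer struct {
	ConfiguredAddr string // what was configured, e.g. ":0"
	RealAddr       string // what the kernel actually bound
	Port           int
	srv            *http.Server
}

// startServer binds the listener first, reads the bound address from it,
// and only then hands the listener to the HTTP server.
func startServer(addr string, h http.Handler) (*startedServer, error) {
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return nil, fmt.Errorf("listen on %q: %w", addr, err)
	}
	tcpAddr, ok := ln.Addr().(*net.TCPAddr)
	if !ok {
		ln.Close()
		return nil, fmt.Errorf("unexpected listener address type %T", ln.Addr())
	}
	s := &startedServer{
		ConfiguredAddr: addr,
		RealAddr:       tcpAddr.String(),
		Port:           tcpAddr.Port,
		srv:            &http.Server{Handler: h},
	}
	go s.srv.Serve(ln) // Serve closes ln when the server is closed
	return s, nil
}

func main() {
	// Loopback with port 0: the kernel picks a free port.
	s, err := startServer("127.0.0.1:0", http.NotFoundHandler())
	if err != nil {
		panic(err)
	}
	defer s.srv.Close()
	fmt.Printf("configured %s, listening on %s (port %d)\n", s.ConfiguredAddr, s.RealAddr, s.Port)
}
```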

Document go:generate usage

E.g. for mockery:
Use

//go:generate go run github.com/vektra/mockery/cmd/mockery

Instead of

//go:generate mockery

to ensure reproducible usage without installing a, potentially random, version of mockery somewhere in your PATH
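One way to check a code base for the pattern this issue warns about, as an added example that is not part of the original issue or of Flamingo's code: it lists every `//go:generate` directive whose command is not `go run <package>`, meaning the tool would be resolved from PATH instead of from the version recorded in go.mod. The function name and the sample source are constructed for this sketch, and `-command` aliases are not handled.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleSource is constructed for this example.
const sampleSource = `package demo

//go:generate go run github.com/vektra/mockery/cmd/mockery
//go:generate mockery
// go:generate stringer -type=Kind (not a directive: space after the slashes)
//go:generate go run ./internal/gen
`

// pathResolvedGenerators returns the go:generate directives in src whose
// command is looked up in PATH rather than run through "go run".
func pathResolvedGenerators(src string) []string {
	const directive = "//go:generate"
	var findings []string
	sc := bufio.NewScanner(strings.NewReader(src))
	for line := 1; sc.Scan(); line++ {
		text := sc.Text()
		// A directive starts at column 1 and is followed by a space or tab.
		if !strings.HasPrefix(text, directive+" ") && !strings.HasPrefix(text, directive+"\t") {
			continue
		}
		f := strings.Fields(text[len(directive):])
		if len(f) >= 3 && f[0] == "go" && f[1] == "run" {
			continue // tool version comes from the module's go.mod
		}
		findings = append(findings, fmt.Sprintf("line %d: %s", line, strings.Join(f, " ")))
	}
	return findings
}

func main() {
	for _, f := range pathResolvedGenerators(sampleSource) {
		fmt.Println("PATH-resolved generator:", f)
	}
}
```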

GOMAXPROCS configurable

Finding from "PET Team":

The runtime scheduler has a function, "GOMAXPROCS", which roughly tells the runtime how much processing it can do in parallel. By default this value is the number of available cores (since 1.5). In a container environment this is, despite limits, the total number of cores of the underlying node.
Because the Go runtime scheduler therefore believes it has 4 CPUs available, while these are limited to about 2 via cgroup (currently at kso), Go tries to parallelize more than is actually possible. This, too, leads to unnecessary CFS throttling. We should therefore configure this per project according to the limit.

Starting with Kubernetes version 1.16 we could assign exact cores to the container (and thereby hide the others). But since we are only on k8s 1.11 and there are still problems with this even in 1.16, we cannot work with it at the moment and cannot expect it any time soon.

Either we configure this manually via an environment variable per project and stage, or automatically with this library from Uber: https://github.com/uber-go/automaxprocs It sets the value automatically at application start time. Perhaps this could be integrated into the Flamingo core? What do you think?
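The mismatch described in this issue, as an added example that is not part of the original issue and is not the code of the library linked above: it derives a GOMAXPROCS value from a CPU quota in the cgroup v2 `cpu.max` format (cgroup v1 exposes the same two numbers as `cpu.cfs_quota_us` and `cpu.cfs_period_us`). The function name, the sample values and the rounding rule (round down, never below 1) are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// procsFromCPUMax derives a GOMAXPROCS value from the content of a cgroup v2
// cpu.max file: "<quota> <period>" in microseconds, or "max <period>" when no
// limit is set. hostCPUs is what the runtime would see without the limit.
// Assumption of this example: round the quota down, never below 1.
func procsFromCPUMax(cpuMax string, hostCPUs int) (int, error) {
	f := strings.Fields(cpuMax)
	if len(f) != 2 {
		return 0, fmt.Errorf("unexpected cpu.max content %q", cpuMax)
	}
	if f[0] == "max" {
		return hostCPUs, nil // no quota: keep the default
	}
	quota, err := strconv.ParseInt(f[0], 10, 64)
	if err != nil {
		return 0, fmt.Errorf("quota: %w", err)
	}
	period, err := strconv.ParseInt(f[1], 10, 64)
	if err != nil {
		return 0, fmt.Errorf("period: %w", err)
	}
	if quota <= 0 || period <= 0 {
		return 0, fmt.Errorf("non-positive quota or period in %q", cpuMax)
	}
	procs := int(quota / period)
	if procs < 1 {
		procs = 1 // a fractional CPU still needs one scheduler thread
	}
	if procs > hostCPUs {
		procs = hostCPUs
	}
	return procs, nil
}

func main() {
	// Constructed sample: a 2-CPU limit on a 4-core node, the case described above.
	n, err := procsFromCPUMax("200000 100000", 4)
	if err != nil {
		panic(err)
	}
	prev := runtime.GOMAXPROCS(n)
	fmt.Printf("GOMAXPROCS %d -> %d\n", prev, n)
}
```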

License

Check compatibility with pkg.go.dev.

web: SessionFromContext

We should document the intention of web.SessionFromContext function.

The session should be an explicit parameter if needed.

Config aliasing

For upgrading configuration paths it would be nice to support aliasing, just like go type aliasing.

Redigo update

go: warning: github.com/gomodule/[email protected]+incompatible: retracted by module author: Old development version not maintained or published.
go: to switch to the latest unretracted version, run:
	go get github.com/gomodule/redigo@latest

Problem in bootstrapping graphql module

This is the error that is thrown when I try to run go generate . as mentioned in the graphql module readme.

2020/06/16 21:19:46 app: config load: root: flamingo.me/flamingo/v3/core/oauth.Module:4:10: cue: marshal error at path core.oauth.secret: cannot convert incomplete value "string" to JSON
exit status 1
main.go:4: running "go": exit status 1

Any idea?

core/locale: bad performance for translations endpoint in debug mode

We noticed that the translations endpoint in the core/locale module is really slow in flamingo debug mode. This is because in debug mode, we reload the translation files for each translation (see TranslateLabel and loadFiles methods). In the translations endpoint we list every translation, so we reload the translation files hundreds of times. It would make sense to only reload when necessary (e.g. a translation file changed).

Future of pact utils

The utils in core are somewhat outdated.
Let's discuss extracting them into a separate repository for v4.
