SECURITY: github.com/dgrijalva/jwt-go needs to be replaced by github.com/golang-jwt/jwt

[araujof]

Type
Security (CVE-2020-26160)

Description
github.com/dgrijalva/jwt-go has an unpatched vulnerability and it's no longer maintained. It needs to be replaced by github.com/golang-jwt/jwt. Please see the advisory below. This affects all consumers using the Golang SDK to send notifications and findings to IBM SCC.

Advisory
GHSA-w73w-5m7g-f7qc
High severity
Vulnerable versions: <= 3.2.0
Patched version: No fix
jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1

[gary1998]

Hey @araujof this SDK is going to sunset very soon, please migrate to the new SDK https://github.com/IBM/scc-go-sdk and as long as the CVE is concerned, we're fixing it.

[araujof]

Thanks for pushing the fix and pointing me to the new SDK. It would be good to add this information to the README so that other folks don't use the old SDK by mistake.