Dependency Security Audit

[whereswaldon]

We need to perform a detailed audit of all of our current dependencies. We have a responsibility to users of Arbor to prevent any npm-style security breaches. We already lock the versions of our dependencies with dep, but we need to go a step further to ensure that current versions do not contain anything malicious. I obviously don't think that they do, but It's worth trying to certify it.

[whereswaldon]

Audit done for:

[[projects]]
  digest = "1:40e195917a951a8bf867cd05de2a46aaf1806c50cf92eebf4c16f78cd196f747"
  name = "github.com/pkg/errors"
  packages = ["."]
  pruneopts = "UT"
  revision = "645ef00459ed84a119197bfb8d8205042c6df63d"
  version = "v0.8.0"

Code is clean and makes sense. Learned some cool tricks from the runtime package as well.

[whereswaldon]

Audit done for:

[[projects]]
  digest = "1:18651a61ae4ba9ee396e0a2fb1882b5f69e6a5b52ee3432f4d7718496f7e857d"
  name = "github.com/bbrks/wrap"
  packages = ["."]
  pruneopts = "UT"
  revision = "e60be0e25cebe43945acf3541683f59e3029c24c"
  version = "v2.3.0"

The wrapping algorithm is fairly simple. It may be worthwhile to write a fully custom one to accommodate some of our weirder use-cases in the future.

[whereswaldon]

Audit in progress for:

[[projects]]
  digest = "1:dae52e85e2f3d0a734799e74ec0711d3ddd673b21a9e83be6c899af64c3a98f6"
  name = "github.com/godbus/dbus"
  packages = ["."]
  pruneopts = "UT"
  revision = "66d97aec3384421e393c2a76b770a1b5c31d07a8"
  version = "v5.0"

Moving through source code in lexigraphic order, I'm on conn.go:490
Update: finished conn.go
Update: finished dbus.go
Update: finished decoder.go