Remove indirect dependency on github.com/mailru/easyjson

[alexandear]

Description

This project has an indirect dependency on github.com/mailru/easyjson, a Go library with maintainers based in Russia and affiliated with VK Group. VK Group has known ties to the Russian government and a history of cooperating with Russian security services, including sharing user data.

According to the Hunted Labs report, "The Russian Open Source Project That We Can’t Live Without", this dependency poses a significant supply chain risk. A compromised easyjson library could lead to severe consequences, including:

• Supply chain backdoors
• Remote code execution
• Espionage
• Data exfiltration
• Potential "kill switch" functionality

To mitigate these risks, I propose to remove this indirect dependency.

Dependencies that relies on easyjson (updated based on the discussion below):

• github.com/wk8/go-ordered-map
• github.com/invopop/jsonschema
• k8s.io/client-go

[afbjorklund]

The ordered map functionality is only used by the genschema at the moment, so can be easily avoided.

This also means that the code is not in the path of anyone not using the limactl generate-jsonschema

EDIT: Oops, spoke too soon. It is imported from https://github.com/invopop/jsonschema

github.com/lima-vm/lima/cmd/limactl
github.com/invopop/jsonschema
github.com/wk8/go-ordered-map/v2
github.com/mailru/easyjson/jwriter

It is still not used by other commands, but would be a bit harder to remove completely

[afbjorklund]

Apparently we already have another OrderedMap in the dependencies, that is used by yqutil.

github.com/elliotchance/orderedmap

EDIT: this other library is older (go1.18) and not generic, so it is not a drop-in replacement

invalid operation: orderedmap.OrderedMap[string, *Schema] (orderedmap.OrderedMap is not a generic type)

[AkihiroSuda]

github.com/wk8/go-ordered-map is the only dependency that relies on easyjson.

Depended by Kubernetes too:

$ go mod why github.com/mailru/easyjson/jlexer
# github.com/mailru/easyjson/jlexer
github.com/lima-vm/lima/pkg/guestagent/kubernetesservice
k8s.io/client-go/kubernetes
k8s.io/client-go/discovery
k8s.io/client-go/openapi
k8s.io/kube-openapi/pkg/spec3
github.com/go-openapi/swag
github.com/mailru/easyjson/jlexer

• Migrate from github.com/mailru/easyjson go-openapi/swag#68

[AkihiroSuda]

this dependency poses a significant supply chain risk

We have been locking the dependency with go.sum, and the current version https://github.com/mailru/easyjson/tree/5e854fb809ec83ff18eb74554fd5c693e28eaadb apparently does not seem to contain suspicious codes:

lima/go.sum

Lines 174 to 175 in ad8ac1c

	github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
	github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=

$ go mod vendor
$ cd vendor/github.com/mailru/easyjson
$ find .
.
./LICENSE
./jwriter
./jwriter/writer.go
./jlexer
./jlexer/error.go
./jlexer/bytestostr_nounsafe.go
./jlexer/bytestostr.go
./jlexer/lexer.go
./buffer
./buffer/pool.go

We also experimentally support gomodjail to make dependencies less privileged:

lima/go.mod

Line 1 in ad8ac1c

// gomodjail:confined

gomodjail is still opt-in though.

[AkihiroSuda]

For a while maybe we should set easyjson_nounsafe ?

https://github.com/mailru/easyjson/blob/fe2707c07ac01dd7377350e8edf4f574705358bf/jlexer/bytestostr_nounsafe.go#L4

[jandubois]

I have no problem with removing the dependency from our code base as much as reasonably possible, but it will not be removed from Kubernetes; CNCF has ruled this to be a non-issue:

• Guidance on use of a third party library maintained by a Sanctioned Entity cncf/foundation#550
• Use of a third party library maintained by a Sanctioned Entity kubernetes/kubernetes#117553

So as long as we have a dependency on the k8s client library, we will have a dependency on easyjson as well.

[jandubois]

So as long as we have a dependency on the k8s client library, we will have a dependency on easyjson as well.

I believe the only dependency on the k8s client libs is in the guest-agent code monitoring port changes. We should be able to replace this with kubectl get --watch, which will also significantly reduce the size of the guest-agents.

Of course kubectl would still rely on easyjson, but that is out of our control.