govulncheck finds several dependencies with known vulnerabilities #92

Open
elchenberg opened this issue Sep 10, 2024 · 3 comments · May be fixed by #93
Labels
bug Something isn't working

Comments

@elchenberg

Describe the bug

I used govulncheck to scan this repository for vulnerabilities:

Your code is affected by 17 vulnerabilities from 6 modules.

Affected modules:

  • github.com/containerd/containerd
  • github.com/moby/moby
  • github.com/opencontainers/runc
  • golang.org/x/crypto
  • golang.org/x/net
  • gopkg.in/src-d/go-git.v4

Vulnerabilities:

Additional context

My Go version is 1.23.1. This is the command that I used for the scan:

go install golang.org/x/vuln/cmd/govulncheck@latest; govulncheck ./...

Logs

govulncheck output
=== Symbol Results ===

Vulnerability #1: GO-2024-3110
    runc can be confused to create empty files/directories on the host in
    github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2024-3110
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #2: GO-2024-2914
    Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing in
    github.com/docker/docker
  More info: https://pkg.go.dev/vuln/GO-2024-2914
  Module: github.com/moby/moby
    Found in: github.com/moby/[email protected]+incompatible
    Fixed in: N/A
    Example traces found:
      #1: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls blkiodev.init
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls container.init
      #3: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls errdefs.init
      [...]

Vulnerability #3: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: pkg/kubernetes/clients.go:25:26: kubernetes.NewCoreV1Client calls core.NewForConfig, which eventually calls http2.ConfigureTransports
      #2: cmd/root.go:32:24: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.ConnectionError.Error
      #3: main.go:17:28: seiso.main calls fmt.Sprintf, which eventually calls http2.ErrCode.String
      [...]

Vulnerability #4: GO-2024-2466
    Denial of service in github.com/go-git/go-git/v5 and
    gopkg.in/src-d/go-git.v4
  More info: https://pkg.go.dev/vuln/GO-2024-2466
  Module: gopkg.in/src-d/go-git.v4
    Found in: gopkg.in/src-d/[email protected]
    Fixed in: N/A
    Example traces found:
      #1: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadHash
      #2: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadUint32
      #3: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadVariableWidthInt
      [...]

Vulnerability #5: GO-2024-2456
    Path traversal and RCE in github.com/go-git/go-git/v5 and
    gopkg.in/src-d/go-git.v4
  More info: https://pkg.go.dev/vuln/GO-2024-2456
  Module: gopkg.in/src-d/go-git.v4
    Found in: gopkg.in/src-d/[email protected]
    Fixed in: N/A
    Example traces found:
      #1: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadHash
      #2: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadUint32
      #3: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadVariableWidthInt
      [...]

Vulnerability #6: GO-2023-2402
    Man-in-the-middle attacker can compromise integrity of secure channel in
    golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2023-2402
  Module: golang.org/x/crypto
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: pkg/namespace/checker_helm.go:38:33: namespace.HelmChecker.NonEmptyNamespaces calls action.List.Run, which eventually calls ssh.extChannel.Read

Vulnerability #7: GO-2023-1683
    runc AppArmor bypass with symlinked /proc in github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2023-1683
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #8: GO-2023-1682
    rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
    in github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2023-1682
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #9: GO-2023-1627
    Opencontainers runc Incorrect Authorization vulnerability in
    github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2023-1627
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #10: GO-2023-1571
    Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2023-1571
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls hpack.Decoder.Write
      #2: pkg/kubernetes/clients.go:25:26: kubernetes.NewCoreV1Client calls core.NewForConfig, which eventually calls http2.ConfigureTransports
      #3: cmd/root.go:32:24: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.ConnectionError.Error
      [...]

Vulnerability #11: GO-2022-1147
    containerd CRI stream server vulnerable to host memory exhaustion via
    terminal in github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-1147
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/[email protected]
    Fixed in: github.com/containerd/[email protected]
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Vulnerability #12: GO-2022-0482
    containerd CRI plugin: Host memory exhaustion through ExecSync in
    github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-0482
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/[email protected]
    Fixed in: github.com/containerd/[email protected]
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Vulnerability #13: GO-2022-0452
    Default inheritable capabilities for linux container should be empty in
    github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2022-0452
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #14: GO-2022-0390
    Moby (Docker Engine) started with non-empty inheritable Linux process
    capabilities in github.com/docker/docker
  More info: https://pkg.go.dev/vuln/GO-2022-0390
  Module: github.com/moby/moby
    Found in: github.com/moby/[email protected]+incompatible
    Fixed in: N/A
    Example traces found:
      #1: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls blkiodev.init
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls container.init
      #3: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls errdefs.init
      [...]

Vulnerability #15: GO-2022-0360
    Ambiguous OCI manifest parsing in github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-0360
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/[email protected]
    Fixed in: github.com/containerd/[email protected]
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Vulnerability #16: GO-2022-0344
    containerd CRI plugin: Insecure handling of image volumes in
    github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-0344
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/[email protected]
    Fixed in: github.com/containerd/[email protected]
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Vulnerability #17: GO-2022-0278
    Unprivileged pod using `hostPath` can side-step active LSM when it is
    SELinux in github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-0278
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/[email protected]
    Fixed in: github.com/containerd/[email protected]
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Your code is affected by 17 vulnerabilities from 6 modules.
This scan also found 16 vulnerabilities in packages you import and 20
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.

Expected behavior

Zero known vulnerabilities; more realistically, zero known vulnerabilities of critical and high severity.

To Reproduce

Steps to reproduce the behavior:

cd $(mktemp -d)
git clone --depth 1 https://github.com/appuio/seiso.git .
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
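To triage a report like the one above, here is an added example (not part of this issue or of the seiso project) that parses govulncheck's text output and separates modules a version bump closes from those reported as "Fixed in: N/A", which only a module replacement or removal can resolve; the versions in SampleReport are constructed placeholders.

```go
package main

import "regexp"

// Finding is one "Vulnerability #N: GO-..." block of govulncheck's text output.
type Finding struct{ ID, Module, Found, Fixed string }

// reBlock captures the ID and the Module / Found in / Fixed in fields of one
// block; (?s) lets .*? skip the description and "More info" lines in between.
var reBlock = regexp.MustCompile(
	`(?s)Vulnerability #\d+: (GO-\d{4}-\d+).*?Module: (\S+)\s+Found in: (\S+)\s+Fixed in: (\S+)`)

// SampleReport is a constructed excerpt in govulncheck's text format; the
// version strings are placeholders, not the real affected or fixed versions.
const SampleReport = `Vulnerability #1: GO-2024-3110
    runc can be confused to create empty files/directories on the host
  More info: https://pkg.go.dev/vuln/GO-2024-3110
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/runc@v0.0.0-placeholder
    Fixed in: github.com/opencontainers/runc@v0.0.1-placeholder

Vulnerability #2: GO-2024-2466
  Module: gopkg.in/src-d/go-git.v4
    Found in: gopkg.in/src-d/go-git.v4@v0.0.0-placeholder
    Fixed in: N/A
`

// ParseFindings returns one Finding per "Vulnerability #N" block in the report.
func ParseFindings(report string) []Finding {
	var out []Finding
	for _, m := range reBlock.FindAllStringSubmatch(report, -1) {
		out = append(out, Finding{ID: m[1], Module: m[2], Found: m[3], Fixed: m[4]})
	}
	return out
}

// Triage splits findings by module: "bump" ones close with `go get <Fixed in>`;
// "noFix" ones (Fixed in: N/A) need the module replaced or dropped from go.mod.
func Triage(fs []Finding) (bump, noFix map[string][]string) {
	bump, noFix = map[string][]string{}, map[string][]string{}
	for _, f := range fs {
		if f.Fixed == "N/A" {
			noFix[f.Module] = append(noFix[f.Module], f.ID)
		} else {
			bump[f.Module] = append(bump[f.Module], f.ID)
		}
	}
	return bump, noFix
}
```

The "Fixed in" value is already in module@version form, so each bump entry is directly usable as a `go get` argument.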
@elchenberg
Author

By the way: I do not know if bug is the correct label. The other option was feature and this does not fit either. 😅

@elchenberg
Author

@tobru Sorry if you are the wrong person to ping, but you were the one responding to my appuio/container-oc PR some weeks ago. 😅 Is there any chance of getting the dependencies updated?

@haasad
Member

haasad commented Dec 2, 2024

@elchenberg Do I understand correctly that you're actually concerned about the vulnerability warnings when using appuio/container-oc, but don't use seiso itself?
I could check if we can drop seiso completely from appuio/container-oc. Afaict this is a legacy tool that we don't use anymore.

@mhutter mhutter linked a pull request Dec 2, 2024 that will close this issue