My Go version is 1.23.1. This is the command that I used for the scan:
go install golang.org/x/vuln/cmd/govulncheck@latest; govulncheck ./...
Logs
govulncheck output
=== Symbol Results ===

Vulnerability #1: GO-2024-3110
    runc can be confused to create empty files/directories on the host in github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2024-3110
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #2: GO-2024-2914
    Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing in github.com/docker/docker
  More info: https://pkg.go.dev/vuln/GO-2024-2914
  Module: github.com/moby/moby
    Found in: github.com/moby/[email protected]+incompatible
    Fixed in: N/A
    Example traces found:
      #1: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls blkiodev.init
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls container.init
      #3: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls errdefs.init
      [...]

Vulnerability #3: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: pkg/kubernetes/clients.go:25:26: kubernetes.NewCoreV1Client calls core.NewForConfig, which eventually calls http2.ConfigureTransports
      #2: cmd/root.go:32:24: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.ConnectionError.Error
      #3: main.go:17:28: seiso.main calls fmt.Sprintf, which eventually calls http2.ErrCode.String
      [...]

Vulnerability #4: GO-2024-2466
    Denial of service in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4
  More info: https://pkg.go.dev/vuln/GO-2024-2466
  Module: gopkg.in/src-d/go-git.v4
    Found in: gopkg.in/src-d/[email protected]
    Fixed in: N/A
    Example traces found:
      #1: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadHash
      #2: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadUint32
      #3: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadVariableWidthInt
      [...]

Vulnerability #5: GO-2024-2456
    Path traversal and RCE in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4
  More info: https://pkg.go.dev/vuln/GO-2024-2456
  Module: gopkg.in/src-d/go-git.v4
    Found in: gopkg.in/src-d/[email protected]
    Fixed in: N/A
    Example traces found:
      #1: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadHash
      #2: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadUint32
      #3: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadVariableWidthInt
      [...]

Vulnerability #6: GO-2023-2402
    Man-in-the-middle attacker can compromise integrity of secure channel in golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2023-2402
  Module: golang.org/x/crypto
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: pkg/namespace/checker_helm.go:38:33: namespace.HelmChecker.NonEmptyNamespaces calls action.List.Run, which eventually calls ssh.extChannel.Read

Vulnerability #7: GO-2023-1683
    runc AppArmor bypass with symlinked /proc in github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2023-1683
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #8: GO-2023-1682
    rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc in github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2023-1682
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #9: GO-2023-1627
    Opencontainers runc Incorrect Authorization vulnerability in github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2023-1627
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #10: GO-2023-1571
    Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2023-1571
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls hpack.Decoder.Write
      #2: pkg/kubernetes/clients.go:25:26: kubernetes.NewCoreV1Client calls core.NewForConfig, which eventually calls http2.ConfigureTransports
      #3: cmd/root.go:32:24: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.ConnectionError.Error
      [...]

Vulnerability #11: GO-2022-1147
    containerd CRI stream server vulnerable to host memory exhaustion via terminal in github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-1147
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/[email protected]
    Fixed in: github.com/containerd/[email protected]
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Vulnerability #12: GO-2022-0482
    containerd CRI plugin: Host memory exhaustion through ExecSync in github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-0482
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/[email protected]
    Fixed in: github.com/containerd/[email protected]
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Vulnerability #13: GO-2022-0452
    Default inheritable capabilities for linux container should be empty in github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2022-0452
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #14: GO-2022-0390
    Moby (Docker Engine) started with non-empty inheritable Linux process capabilities in github.com/docker/docker
  More info: https://pkg.go.dev/vuln/GO-2022-0390
  Module: github.com/moby/moby
    Found in: github.com/moby/[email protected]+incompatible
    Fixed in: N/A
    Example traces found:
      #1: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls blkiodev.init
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls container.init
      #3: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls errdefs.init
      [...]

Vulnerability #15: GO-2022-0360
    Ambiguous OCI manifest parsing in github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-0360
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/[email protected]
    Fixed in: github.com/containerd/[email protected]
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Vulnerability #16: GO-2022-0344
    containerd CRI plugin: Insecure handling of image volumes in github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-0344
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/[email protected]
    Fixed in: github.com/containerd/[email protected]
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Vulnerability #17: GO-2022-0278
    Unprivileged pod using `hostPath` can side-step active LSM when it is SELinux in github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-0278
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/[email protected]
    Fixed in: github.com/containerd/[email protected]
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Your code is affected by 17 vulnerabilities from 6 modules.
This scan also found 16 vulnerabilities in packages you import and 20
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
Expected behavior
Zero known vulnerabilities but more realistically: Zero known vulnerabilities of critical and high severity.
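An added example, not code from this issue or from the seiso project, of how a CI gate could consume the same scan. It reads the `govulncheck -json` stream instead of the text report (the text format is not meant for machine parsing), keeps the highest reachability level seen per advisory, and fails only on symbol-level findings, which is the distinction the report's closing lines draw between the 17 vulnerabilities the code calls and the 36 that are merely imported or required. Reachable advisories with no fixed version are listed separately, since bumping go.mod cannot resolve them and the dependency has to be replaced or dropped. The field names (`finding`, `osv`, `fixed_version`, `trace`, and the frame fields) and the assumption that the first trace frame is the vulnerable symbol follow the govulncheck JSON format as I know it; check them against the release you run. The embedded sample stream is constructed: the advisory IDs `GO-2024-2687` and `GO-2024-2914` come from the report above, while the versions, the `example.com` module paths and the package-level entry `GO-0000-0000` are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// message is the subset of one object in the `govulncheck -json` stream that
// triage needs. Each object carries one of config / progress / osv / finding;
// only findings matter here. Field names are an assumption taken from the
// govulncheck JSON format; verify them against your govulncheck release.
type message struct {
	Finding *finding `json:"finding,omitempty"`
}

type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"` // empty when no fix is published
	Trace        []frame `json:"trace"`
}

// frame is one call-stack entry. Assumption: the first frame of a trace is the
// vulnerable module/package/symbol and later frames walk back to scanned code.
type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

// Level is how precisely govulncheck could show the vulnerability is reached.
type Level int

const (
	ModuleLevel  Level = iota // module required, vulnerable package not imported
	PackageLevel              // package imported, vulnerable symbol not called
	SymbolLevel               // vulnerable symbol is on a call path from your code
)

func (l Level) String() string { return [...]string{"module", "package", "symbol"}[l] }

// Triage is the per-advisory verdict: how it is reached and whether a fix exists.
type Triage struct {
	ID      string
	Module  string
	Level   Level
	FixedIn string // empty corresponds to "Fixed in: N/A" in the text report
}

func levelOf(f finding) Level {
	if len(f.Trace) == 0 {
		return ModuleLevel
	}
	top := f.Trace[0]
	switch {
	case top.Function != "":
		return SymbolLevel
	case top.Package != "":
		return PackageLevel
	default:
		return ModuleLevel
	}
}

// TriageFindings decodes a -json stream and keeps the highest level per OSV ID,
// since govulncheck may emit several findings (traces) for the same advisory.
func TriageFindings(r io.Reader) ([]Triage, error) {
	dec := json.NewDecoder(r)
	byID := map[string]Triage{}
	for {
		var m message
		err := dec.Decode(&m)
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		if m.Finding == nil {
			continue
		}
		f := *m.Finding
		t := Triage{ID: f.OSV, FixedIn: f.FixedVersion, Level: levelOf(f)}
		if len(f.Trace) > 0 {
			t.Module = f.Trace[0].Module
		}
		if prev, ok := byID[f.OSV]; ok && prev.Level >= t.Level {
			continue
		}
		byID[f.OSV] = t
	}
	out := make([]Triage, 0, len(byID))
	for _, t := range byID {
		out = append(out, t)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out, nil
}

// Reachable returns advisories whose vulnerable symbol is actually called;
// package- and module-level findings are noise until the call graph changes.
func Reachable(ts []Triage) []Triage {
	var out []Triage
	for _, t := range ts {
		if t.Level == SymbolLevel {
			out = append(out, t)
		}
	}
	return out
}

// NeedsReplacement lists reachable advisories with no fixed version: a version
// bump cannot help, so the dependency has to be swapped out or dropped.
func NeedsReplacement(ts []Triage) []string {
	var ids []string
	for _, t := range Reachable(ts) {
		if t.FixedIn == "" {
			ids = append(ids, t.ID)
		}
	}
	return ids
}

// SampleJSON is a constructed stream modelled on the report above. Versions,
// the example.com module paths and the GO-0000-0000 entry are placeholders.
const SampleJSON = `{"config":{"scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-2024-2687","fixed_version":"v0.0.0-fixed-placeholder","trace":[{"module":"golang.org/x/net","version":"v0.0.0-found-placeholder","package":"golang.org/x/net/http2","function":"ConfigureTransports"},{"module":"example.com/scanned","package":"example.com/scanned/pkg/kubernetes","function":"NewCoreV1Client"}]}}
{"finding":{"osv":"GO-2024-2914","fixed_version":"","trace":[{"module":"github.com/moby/moby","version":"v0.0.0-found-placeholder","package":"github.com/docker/docker/api/types/blkiodev","function":"init"}]}}
{"finding":{"osv":"GO-0000-0000","fixed_version":"v0.0.0-fixed-placeholder","trace":[{"module":"example.com/placeholder","version":"v0.0.0-found-placeholder","package":"example.com/placeholder/pkg"}]}}
`

// Usage: `go run triage.go` (sample) or `govulncheck -json ./... | go run triage.go -`.
func main() {
	var in io.Reader = strings.NewReader(SampleJSON)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		in = os.Stdin
	}
	ts, err := TriageFindings(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, "parse:", err)
		os.Exit(2)
	}
	for _, t := range ts {
		fixed := t.FixedIn
		if fixed == "" {
			fixed = "N/A"
		}
		fmt.Printf("%-14s %-8s fixed in: %-26s %s\n", t.ID, t.Level, fixed, t.Module)
	}
	if r := Reachable(ts); len(r) > 0 {
		fmt.Printf("%d reachable advisories; no fix published for: %v\n", len(r), NeedsReplacement(ts))
		os.Exit(1) // fail the pipeline only on findings the code actually calls
	}
}
```

The exit status encodes the policy: symbol-level findings fail the build, the rest are reported but tolerated. Whether "no fix published" should also block depends on the project; here it is surfaced so the decision to replace the dependency (as discussed in the comments below) is made explicitly rather than buried in the 36 unreachable entries.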
@tobru Sorry if you are the wrong person to ping, but you were the one responding to my appuio/container-oc PR some weeks ago. 😅 Is there any chance of getting the dependencies updated?
@elchenberg Do I understand correctly that you're actually concerned about the vulnerability warnings when using appuio/container-oc, but don't use seiso itself?
I could check if we can drop seiso completely from appuio/container-oc. Afaict this is a legacy tool that we don't use anymore.
Describe the bug
I used govulncheck to scan this repository for vulnerabilities:
Affected modules:
Vulnerabilities:
Additional context
To Reproduce
Steps to reproduce the behavior: