Open
Labels: bug (Something isn't working)
Description
Describe the bug
I used govulncheck to scan this repository for vulnerabilities:
Your code is affected by 17 vulnerabilities from 6 modules.
Affected modules:
- github.com/containerd/containerd
- github.com/moby/moby
- github.com/opencontainers/runc
- golang.org/x/crypto
- golang.org/x/net
- gopkg.in/src-d/go-git.v4
Vulnerabilities:
- severity critical: GO-2024-2456 / CVE-2023-49569
- severity high: GO-2022-0278 / CVE-2021-43816
- severity high: GO-2022-0344 / CVE-2022-23648
- severity high: GO-2023-1571 / CVE-2022-41723
- severity high: GO-2023-1627 / CVE-2023-27561
- severity high: GO-2024-2466 / CVE-2023-49568
- severity moderate: GO-2022-0390 / CVE-2022-24769
- severity moderate: GO-2022-0452 / CVE-2022-29162
- severity moderate: GO-2022-0482 / CVE-2022-31030
- severity moderate: GO-2022-1147 / CVE-2022-23471
- severity moderate: GO-2023-1683 / CVE-2023-28642
- severity moderate: GO-2023-2402 / CVE-2023-48795
- severity moderate: GO-2024-2687 / CVE-2023-45288
- severity moderate: GO-2024-2914 / CVE-2021-41190
- severity low: GO-2022-0360
- severity low: GO-2023-1682 / CVE-2023-25809
- severity low: GO-2024-3110 / CVE-2024-45310
Additional context
My Go version is 1.23.1. This is the command that I used for the scan:
go install golang.org/x/vuln/cmd/govulncheck@latest; govulncheck ./...
Logs
govulncheck output
=== Symbol Results ===
Vulnerability #1: GO-2024-3110
runc can be confused to create empty files/directories on the host in
github.com/opencontainers/runc
More info: https://pkg.go.dev/vuln/GO-2024-3110
Module: github.com/opencontainers/runc
Found in: github.com/opencontainers/runc@v1.0.2
Fixed in: github.com/opencontainers/runc@v1.1.14
Example traces found:
#1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
#2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init
Vulnerability #2: GO-2024-2914
Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing in
github.com/docker/docker
More info: https://pkg.go.dev/vuln/GO-2024-2914
Module: github.com/moby/moby
Found in: github.com/moby/moby@v17.12.0-ce-rc1.0.20200618181300-9dc6525e6118+incompatible
Fixed in: N/A
Example traces found:
#1: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls blkiodev.init
#2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls container.init
#3: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls errdefs.init
[...]
Vulnerability #3: GO-2024-2687
HTTP/2 CONTINUATION flood in net/http
More info: https://pkg.go.dev/vuln/GO-2024-2687
Module: golang.org/x/net
Found in: golang.org/x/net@v0.0.0-20210520170846-37e1c6afe023
Fixed in: golang.org/x/net@v0.23.0
Example traces found:
#1: pkg/kubernetes/clients.go:25:26: kubernetes.NewCoreV1Client calls core.NewForConfig, which eventually calls http2.ConfigureTransports
#2: cmd/root.go:32:24: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.ConnectionError.Error
#3: main.go:17:28: seiso.main calls fmt.Sprintf, which eventually calls http2.ErrCode.String
[...]
Vulnerability #4: GO-2024-2466
Denial of service in github.com/go-git/go-git/v5 and
gopkg.in/src-d/go-git.v4
More info: https://pkg.go.dev/vuln/GO-2024-2466
Module: gopkg.in/src-d/go-git.v4
Found in: gopkg.in/src-d/go-git.v4@v4.13.1
Fixed in: N/A
Example traces found:
#1: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadHash
#2: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadUint32
#3: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadVariableWidthInt
[...]
Vulnerability #5: GO-2024-2456
Path traversal and RCE in github.com/go-git/go-git/v5 and
gopkg.in/src-d/go-git.v4
More info: https://pkg.go.dev/vuln/GO-2024-2456
Module: gopkg.in/src-d/go-git.v4
Found in: gopkg.in/src-d/go-git.v4@v4.13.1
Fixed in: N/A
Example traces found:
#1: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadHash
#2: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadUint32
#3: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadVariableWidthInt
[...]
Vulnerability #6: GO-2023-2402
Man-in-the-middle attacker can compromise integrity of secure channel in
golang.org/x/crypto
More info: https://pkg.go.dev/vuln/GO-2023-2402
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.0.0-20210513164829-c07d793c2f9a
Fixed in: golang.org/x/crypto@v0.17.0
Example traces found:
#1: pkg/namespace/checker_helm.go:38:33: namespace.HelmChecker.NonEmptyNamespaces calls action.List.Run, which eventually calls ssh.extChannel.Read
Vulnerability #7: GO-2023-1683
runc AppArmor bypass with symlinked /proc in github.com/opencontainers/runc
More info: https://pkg.go.dev/vuln/GO-2023-1683
Module: github.com/opencontainers/runc
Found in: github.com/opencontainers/runc@v1.0.2
Fixed in: github.com/opencontainers/runc@v1.1.5
Example traces found:
#1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
#2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init
Vulnerability #8: GO-2023-1682
rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
in github.com/opencontainers/runc
More info: https://pkg.go.dev/vuln/GO-2023-1682
Module: github.com/opencontainers/runc
Found in: github.com/opencontainers/runc@v1.0.2
Fixed in: github.com/opencontainers/runc@v1.1.5
Example traces found:
#1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
#2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init
Vulnerability #9: GO-2023-1627
Opencontainers runc Incorrect Authorization vulnerability in
github.com/opencontainers/runc
More info: https://pkg.go.dev/vuln/GO-2023-1627
Module: github.com/opencontainers/runc
Found in: github.com/opencontainers/runc@v1.0.2
Fixed in: github.com/opencontainers/runc@v1.1.5
Example traces found:
#1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
#2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init
Vulnerability #10: GO-2023-1571
Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
More info: https://pkg.go.dev/vuln/GO-2023-1571
Module: golang.org/x/net
Found in: golang.org/x/net@v0.0.0-20210520170846-37e1c6afe023
Fixed in: golang.org/x/net@v0.7.0
Example traces found:
#1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls hpack.Decoder.Write
#2: pkg/kubernetes/clients.go:25:26: kubernetes.NewCoreV1Client calls core.NewForConfig, which eventually calls http2.ConfigureTransports
#3: cmd/root.go:32:24: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.ConnectionError.Error
[...]
Vulnerability #11: GO-2022-1147
containerd CRI stream server vulnerable to host memory exhaustion via
terminal in github.com/containerd/containerd
More info: https://pkg.go.dev/vuln/GO-2022-1147
Module: github.com/containerd/containerd
Found in: github.com/containerd/containerd@v1.5.7
Fixed in: github.com/containerd/containerd@v1.5.16
Example traces found:
#1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
#2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
#3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
[...]
Vulnerability #12: GO-2022-0482
containerd CRI plugin: Host memory exhaustion through ExecSync in
github.com/containerd/containerd
More info: https://pkg.go.dev/vuln/GO-2022-0482
Module: github.com/containerd/containerd
Found in: github.com/containerd/containerd@v1.5.7
Fixed in: github.com/containerd/containerd@v1.5.13
Example traces found:
#1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
#2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
#3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
[...]
Vulnerability #13: GO-2022-0452
Default inheritable capabilities for linux container should be empty in
github.com/opencontainers/runc
More info: https://pkg.go.dev/vuln/GO-2022-0452
Module: github.com/opencontainers/runc
Found in: github.com/opencontainers/runc@v1.0.2
Fixed in: github.com/opencontainers/runc@v1.1.2
Example traces found:
#1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
#2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init
Vulnerability #14: GO-2022-0390
Moby (Docker Engine) started with non-empty inheritable Linux process
capabilities in github.com/docker/docker
More info: https://pkg.go.dev/vuln/GO-2022-0390
Module: github.com/moby/moby
Found in: github.com/moby/moby@v17.12.0-ce-rc1.0.20200618181300-9dc6525e6118+incompatible
Fixed in: N/A
Example traces found:
#1: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls blkiodev.init
#2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls container.init
#3: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls errdefs.init
[...]
Vulnerability #15: GO-2022-0360
Ambiguous OCI manifest parsing in github.com/containerd/containerd
More info: https://pkg.go.dev/vuln/GO-2022-0360
Module: github.com/containerd/containerd
Found in: github.com/containerd/containerd@v1.5.7
Fixed in: github.com/containerd/containerd@v1.5.8
Example traces found:
#1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
#2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
#3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
[...]
Vulnerability #16: GO-2022-0344
containerd CRI plugin: Insecure handling of image volumes in
github.com/containerd/containerd
More info: https://pkg.go.dev/vuln/GO-2022-0344
Module: github.com/containerd/containerd
Found in: github.com/containerd/containerd@v1.5.7
Fixed in: github.com/containerd/containerd@v1.5.10
Example traces found:
#1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
#2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
#3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
[...]
Vulnerability #17: GO-2022-0278
Unprivileged pod using `hostPath` can side-step active LSM when it is
SELinux in github.com/containerd/containerd
More info: https://pkg.go.dev/vuln/GO-2022-0278
Module: github.com/containerd/containerd
Found in: github.com/containerd/containerd@v1.5.7
Fixed in: github.com/containerd/containerd@v1.5.9
Example traces found:
#1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
#2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
#3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
[...]
Your code is affected by 17 vulnerabilities from 6 modules.
This scan also found 16 vulnerabilities in packages you import and 20
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
Expected behavior
Zero known vulnerabilities, but more realistically: zero known vulnerabilities of critical and high severity.
To Reproduce
Steps to reproduce the behavior:
cd $(mktemp -d)
git clone --depth 1 https://github.com/appuio/seiso.git .
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
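As an added example (not part of this issue or of the seiso project), the following Go program turns the same scan into the gate the expected behaviour asks for: run govulncheck with `-format json`, fail the build only on findings whose vulnerable symbols are actually reachable from this code base, and treat module-level or package-level findings as informational. It assumes the shape of govulncheck's JSON stream (`osv` and `finding` objects, a `trace` whose first frame is the vulnerable module, an empty `fixed_version` when no fix exists) and embeds a constructed sample stream built from IDs and module names that appear above, so it runs offline; with `-` as its only argument it reads a real stream from stdin instead.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Constructed sample of `govulncheck -format json` output: two OSV entries and
// two findings, one symbol-level (function names present) and one module-level.
const sampleStream = `
{"osv":{"id":"GO-2024-2456","aliases":["CVE-2023-49569"],"summary":"Path traversal and RCE in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4"}}
{"osv":{"id":"GO-2024-2687","aliases":["CVE-2023-45288"],"summary":"HTTP/2 CONTINUATION flood in net/http"}}
{"finding":{"osv":"GO-2024-2456","trace":[{"module":"gopkg.in/src-d/go-git.v4","version":"v4.13.1","function":"ReadHash"},{"module":"github.com/appuio/seiso","function":"GetCommitHashes"}]}}
{"finding":{"osv":"GO-2024-2687","fixed_version":"v0.23.0","trace":[{"module":"golang.org/x/net","version":"v0.0.0-20210520170846-37e1c6afe023"}]}}
`

// message is the subset of govulncheck's JSON stream this gate needs; field
// names follow the published output format as understood by the author of this
// example, and every other field is ignored.
type message struct {
	OSV     *osvEntry `json:"osv,omitempty"`
	Finding *finding  `json:"finding,omitempty"`
}

type osvEntry struct {
	ID      string   `json:"id"`
	Aliases []string `json:"aliases"`
	Summary string   `json:"summary"`
}

type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []frame `json:"trace"`
}

type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Function string `json:"function"`
}

// report aggregates all findings for one OSV ID.
type report struct {
	ID, Summary, Module, Version, Fixed string
	Aliases                             []string
	Called                              bool // some trace reaches a vulnerable function
}

// parseStream folds the newline-delimited JSON objects into one report per ID.
func parseStream(r io.Reader) (map[string]*report, error) {
	dec := json.NewDecoder(r)
	reports := map[string]*report{}
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, fmt.Errorf("decoding govulncheck stream: %w", err)
		}
		switch {
		case m.OSV != nil:
			rep := get(reports, m.OSV.ID)
			rep.Aliases, rep.Summary = m.OSV.Aliases, m.OSV.Summary
		case m.Finding != nil:
			rep := get(reports, m.Finding.OSV)
			rep.Fixed = m.Finding.FixedVersion
			// Assumption: trace[0] is the vulnerable module's frame, as in the
			// "Found in:" line of govulncheck's text output.
			if len(m.Finding.Trace) > 0 {
				rep.Module, rep.Version = m.Finding.Trace[0].Module, m.Finding.Trace[0].Version
			}
			for _, fr := range m.Finding.Trace {
				if fr.Function != "" { // symbol-level trace: vulnerable code is reachable
					rep.Called = true
				}
			}
		}
	}
	return reports, nil
}

func get(reports map[string]*report, id string) *report {
	if rep, ok := reports[id]; ok {
		return rep
	}
	reports[id] = &report{ID: id}
	return reports[id]
}

// called returns the sorted IDs with reachable vulnerable symbols: the set a CI
// gate fails on. Import-only and require-only findings stay informational.
func called(reports map[string]*report) []string {
	var ids []string
	for id, rep := range reports {
		if rep.Called {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

func describe(rep *report) string {
	aliases, fixed := "no CVE alias", "N/A"
	if len(rep.Aliases) > 0 {
		aliases = strings.Join(rep.Aliases, ", ")
	}
	if rep.Fixed != "" {
		fixed = rep.Fixed
	}
	return fmt.Sprintf("%s (%s): %s [%s@%s, fixed in %s]", rep.ID, aliases, rep.Summary, rep.Module, rep.Version, fixed)
}

func main() {
	var in io.Reader = strings.NewReader(sampleStream)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		in = os.Stdin // e.g. govulncheck -format json ./... | go run gate.go -
	}
	reports, err := parseStream(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	ids := called(reports)
	for _, id := range ids {
		fmt.Println("REACHABLE:", describe(reports[id]))
	}
	if len(ids) > 0 {
		os.Exit(1)
	}
}
```

Run as `govulncheck -format json ./... | go run gate.go -` in CI; the non-zero exit covers exactly the "Symbol Results" class of findings above, while the 16 imported and 20 required-only entries from the scan are not fatal. The gate is on reachability rather than severity because severity is not part of the govulncheck text output quoted in this issue.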