
Go vulnerability check failed #16

Open
Tracked by #1
oxf71 opened this issue Nov 2, 2023 · 3 comments
Comments

@oxf71
Collaborator

oxf71 commented Nov 2, 2023

Dependency Review actions failed

https://github.com/oxf71/b2-node/actions/runs/6730778725/job/18294194448

Run make vulncheck
Makefile:81: RocksDB support is disabled; to build and test with RocksDB support, set ENABLE_ROCKSDB=true
fatal: No names found, cannot describe anything.
mkdir -p /home/runner/work/b2-node/b2-node/build/
GOBIN=/home/runner/work/b2-node/b2-node/build go install golang.org/x/vuln/cmd/govulncheck@latest
go: downloading golang.org/x/vuln v1.0.1
go: downloading golang.org/x/mod v0.12.0
go: downloading golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846
go: downloading golang.org/x/sys v0.11.0
go: downloading golang.org/x/sync v0.3.0
/home/runner/work/b2-node/b2-node/build/govulncheck ./...
Scanning your code and 1126 packages across 159 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2023-2153
    denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc
  More info: https://pkg.go.dev/vuln/GO-2023-2153
  Module: google.golang.org/grpc
    Found in: google.golang.org/[email protected]
    Fixed in: google.golang.org/[email protected]
    Example traces found:
Error:       #1: testutil/network/util.go:126:45: network.startInProcess calls grpc.StartGRPCServer, which eventually calls transport.NewServerTransport
Error:       #2: testutil/network/util.go:126:45: network.startInProcess calls grpc.StartGRPCServer, which calls grpc.NewServer
Error:       #3: testutil/network/util.go:126:45: network.startInProcess calls grpc.StartGRPCServer, which eventually calls grpc.Server.Serve

Vulnerability #2: GO-2023-2102
    HTTP/2 rapid reset can cause excessive work in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-2102
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Example traces found:
Error:       #1: rpc/websockets.go:114:29: rpc.Start calls http.ListenAndServe
Error:       #2: rpc/websockets.go:116:32: rpc.Start calls http.ListenAndServeTLS
Error:       #3: testutil/network/util.go:134:46: network.startInProcess calls grpc.StartGRPCWeb, which eventually calls http.Server.ListenAndServe
Error:       #4: server/json_rpc.go:103:26: server.StartJSONRPC calls http.Server.Serve
Error:       #5: testutil/network/util.go:82:24: network.startInProcess calls service.BaseService.Start, which eventually calls http.Server.ServeTLS

Vulnerability #3: GO-2023-2043
    Improper handling of special tags within script contexts in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-2043

How should we handle the vulnerability check results?

@oxf71 oxf71 added this to b2network Nov 2, 2023
@oxf71 oxf71 mentioned this issue Nov 2, 2023
6 tasks
@oxf71 oxf71 moved this to Backlog in b2network Nov 2, 2023
@0x677261706562616261 0x677261706562616261 self-assigned this Nov 3, 2023
@0x677261706562616261 0x677261706562616261 moved this from Backlog to In Progress in b2network Nov 5, 2023
@0x677261706562616261

@oxf71 disable it first

@oxf71
Collaborator Author

oxf71 commented Nov 6, 2023

> @oxf71 disable it first

ok

@oxf71 oxf71 moved this from In Progress to Done in b2network Nov 7, 2023
@oxf71 oxf71 closed this as completed Nov 7, 2023
@oxf71 oxf71 reopened this Jan 24, 2024
@oxf71
Collaborator Author

oxf71 commented Jan 24, 2024


➜  b2-node git:(main)  git rev-parse --short=7 HEAD
7e42338
➜  b2-node git:(main) make vulncheck               
Makefile:81: RocksDB support is disabled; to build and test with RocksDB support, set ENABLE_ROCKSDB=true
fatal: No names found, cannot describe anything.
GOBIN=/Volumes/dev/work/blockchain/b2network/b2-node/build go install golang.org/x/vuln/cmd/govulncheck@latest
/Volumes/dev/work/blockchain/b2network/b2-node/build/govulncheck ./...
Scanning your code and 1129 packages across 159 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2023-2409
    Denial of service when decrypting attack controlled input in
    github.com/dvsekhvalnov/jose2go
  More info: https://pkg.go.dev/vuln/GO-2023-2409
  Module: github.com/dvsekhvalnov/jose2go
    Found in: github.com/dvsekhvalnov/[email protected]
    Fixed in: github.com/dvsekhvalnov/[email protected]
    Example traces found:
      #1: rpc/backend/node_info.go:211:47: backend.Backend.ImportRawKey calls keyring.keystore.KeyByAddress, which eventually calls jose2go.Decode
      #2: client/keys/add.go:102:18: keys.RunAddCmd calls keyring.keystore.Key, which eventually calls jose2go.Encrypt

Vulnerability #2: GO-2023-2382
    Denial of service via chunk extensions in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-2382
  Standard library
    Found in: net/http/[email protected]
    Fixed in: net/http/[email protected]
    Example traces found:
      #1: rpc/websockets.go:331:25: rpc.websocketsServer.tcpGetAndSendResponse calls io.ReadAll, which eventually calls internal.chunkedReader.Read

Vulnerability #3: GO-2023-2185
    Insecure parsing of Windows paths with a \??\ prefix in path/filepath
  More info: https://pkg.go.dev/vuln/GO-2023-2185
  Standard library
    Found in: path/[email protected]
    Fixed in: path/[email protected]
    Platforms: windows
    Example traces found:
      #1: client/keys/add.go:114:20: keys.RunAddCmd calls keyring.keystore.Delete, which eventually calls filepath.Abs
      #2: client/keys/add.go:114:20: keys.RunAddCmd calls keyring.keystore.Delete, which eventually calls filepath.Abs
      #3: cmd/ethermintd/main.go:35:26: ethermintd.main calls cmd.Execute, which eventually calls filepath.Base
      #4: cmd/ethermintd/main.go:35:26: ethermintd.main calls cmd.Execute, which eventually calls filepath.Base
      #5: rpc/namespaces/ethereum/debug/utils.go:51:23: debug.ExpandHome calls filepath.Clean
      #6: rpc/namespaces/ethereum/debug/utils.go:51:23: debug.ExpandHome calls filepath.Clean
      #7: testutil/network/network.go:382:62: network.New calls genutil.InitializeNodeValidatorFiles, which eventually calls filepath.Dir
      #8: testutil/network/network.go:382:62: network.New calls genutil.InitializeNodeValidatorFiles, which eventually calls filepath.Dir
      #9: cmd/ethermintd/main.go:35:26: ethermintd.main calls cmd.Execute, which eventually calls filepath.EvalSymlinks
      #10: cmd/ethermintd/main.go:35:26: ethermintd.main calls cmd.Execute, which eventually calls filepath.EvalSymlinks
      #11: testutil/network/network.go:642:15: network.Network.Cleanup calls grpc.Server.Stop, which eventually calls filepath.Glob
      #12: testutil/network/network.go:642:15: network.Network.Cleanup calls grpc.Server.Stop, which eventually calls filepath.Glob
      #13: app/app.go:834:25: app.RegisterSwaggerAPI calls fs.New, which eventually calls filepath.IsLocal
      #14: app/app.go:834:25: app.RegisterSwaggerAPI calls fs.New, which eventually calls filepath.IsLocal
      #15: server/start.go:654:26: server.OpenIndexerDB calls filepath.Join
      #16: server/start.go:654:26: server.OpenIndexerDB calls filepath.Join
      #17: rpc/namespaces/ethereum/eth/api.go:495:16: eth.PublicAPI.GetPendingTransactions calls server.ZeroLogWrapper.Debug, which eventually calls filepath.Rel
      #18: rpc/namespaces/ethereum/eth/api.go:495:16: eth.PublicAPI.GetPendingTransactions calls server.ZeroLogWrapper.Debug, which eventually calls filepath.Rel
      #19: testutil/network/util.go:185:49: network.collectGenFiles calls genutil.GenAppStateFromConfig, which eventually calls filepath.Split
      #20: testutil/network/util.go:185:49: network.collectGenFiles calls genutil.GenAppStateFromConfig, which eventually calls filepath.Split
      #21: client/keys/add.go:114:20: keys.RunAddCmd calls keyring.keystore.Delete, which eventually calls filepath.VolumeName
      #22: client/keys/add.go:114:20: keys.RunAddCmd calls keyring.keystore.Delete, which eventually calls filepath.VolumeName
      #23: rpc/backend/node_info.go:234:39: backend.Backend.ListAccounts calls keyring.keystore.List, which eventually calls filepath.Walk
      #24: rpc/backend/node_info.go:234:39: backend.Backend.ListAccounts calls keyring.keystore.List, which eventually calls filepath.Walk

Vulnerability #4: GO-2023-2153
    Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc
  More info: https://pkg.go.dev/vuln/GO-2023-2153
  Module: google.golang.org/grpc
    Found in: google.golang.org/[email protected]
    Fixed in: google.golang.org/[email protected]
    Example traces found:
      #1: testutil/network/util.go:126:45: network.startInProcess calls grpc.StartGRPCServer, which calls grpc.NewServer
      #2: testutil/network/util.go:126:45: network.startInProcess calls grpc.StartGRPCServer, which eventually calls transport.NewServerTransport
      #3: testutil/network/util.go:126:45: network.startInProcess calls grpc.StartGRPCServer, which eventually calls grpc.Server.Serve

Vulnerability #5: GO-2023-1881
    The x/crisis package does not charge ConstantFee in
    github.com/cosmos/cosmos-sdk
  More info: https://pkg.go.dev/vuln/GO-2023-1881
  Module: github.com/cosmos/cosmos-sdk
    Found in: github.com/cosmos/[email protected]
    Fixed in: N/A
    Example traces found:
      #1: cmd/ethermintd/root.go:155:27: ethermintd.addModuleInitFlags calls crisis.AddModuleInitFlags
      #2: app/app.go:711:65: app.EthermintApp.InitChainer calls module.Manager.GetVersionMap, which calls crisis.AppModule.ConsensusVersion
      #3: app/app.go:702:24: app.EthermintApp.EndBlocker calls module.Manager.EndBlock, which calls crisis.AppModule.EndBlock
      #4: app/export.go:59:34: app.EthermintApp.ExportAppStateAndValidators calls module.Manager.ExportGenesis, which calls crisis.AppModule.ExportGenesis
      #5: app/app.go:712:27: app.EthermintApp.InitChainer calls module.Manager.InitGenesis, which calls crisis.AppModule.InitGenesis
      #6: app/app.go:607:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.LegacyQuerierHandler
      #7: app/app.go:711:65: app.EthermintApp.InitChainer calls module.Manager.GetVersionMap, which calls crisis.AppModule.Name
      #8: app/app.go:607:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.QuerierRoute
      #9: app/app.go:606:27: app.NewEthermintApp calls module.Manager.RegisterInvariants, which calls crisis.AppModule.RegisterInvariants
      #10: app/app.go:609:25: app.NewEthermintApp calls module.Manager.RegisterServices, which calls crisis.AppModule.RegisterServices
      #11: app/app.go:607:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.Route
      #12: testutil/network/network.go:138:53: network.DefaultConfig calls module.BasicManager.DefaultGenesis, which calls crisis.AppModuleBasic.DefaultGenesis
      #13: cmd/ethermintd/root.go:176:35: ethermintd.queryCommand calls module.BasicManager.AddQueryCommands, which calls crisis.AppModuleBasic.GetQueryCmd
      #14: cmd/ethermintd/root.go:203:32: ethermintd.txCommand calls module.BasicManager.AddTxCommands, which calls crisis.AppModuleBasic.GetTxCmd
      #15: testutil/network/network.go:138:53: network.DefaultConfig calls module.BasicManager.DefaultGenesis, which calls crisis.AppModuleBasic.Name
      #16: app/app.go:803:40: app.EthermintApp.RegisterAPIRoutes calls module.BasicManager.RegisterGRPCGatewayRoutes, which calls crisis.AppModuleBasic.RegisterGRPCGatewayRoutes
      #17: encoding/config.go:44:23: encoding.MakeConfig calls module.BasicManager.RegisterInterfaces, which calls crisis.AppModuleBasic.RegisterInterfaces
      #18: encoding/config.go:42:29: encoding.MakeConfig calls module.BasicManager.RegisterLegacyAminoCodec, which calls crisis.AppModuleBasic.RegisterLegacyAminoCodec
      #19: cmd/ethermintd/main.go:35:26: ethermintd.main calls cmd.Execute, which eventually calls crisis.AppModuleBasic.ValidateGenesis
      #20: app/app.go:494:22: app.NewEthermintApp calls crisis.NewAppModule

Vulnerability #6: GO-2023-1861
    Cosmos "Barberry" vulnerability in github.com/cosmos/cosmos-sdk
  More info: https://pkg.go.dev/vuln/GO-2023-1861
  Module: github.com/cosmos/cosmos-sdk
    Found in: github.com/cosmos/[email protected]
    Fixed in: github.com/cosmos/[email protected]
    Example traces found:
      #1: testutil/network/util.go:185:49: network.collectGenFiles calls genutil.GenAppStateFromConfig, which eventually calls types.MsgCreatePeriodicVestingAccount.ValidateBasic

Vulnerability #7: GO-2023-1860
    IBC protocol "Huckleberry" vulnerability in github.com/cosmos/ibc-go
  More info: https://pkg.go.dev/vuln/GO-2023-1860
  Module: github.com/cosmos/ibc-go/v6
    Found in: github.com/cosmos/ibc-go/[email protected]
    Fixed in: github.com/cosmos/ibc-go/[email protected]
    Example traces found:
      #1: app/ante/eth.go:376:13: ante.EthIncrementSenderSequenceDecorator.AnteHandle calls types.ChainAnteDecorators, which eventually calls keeper.Keeper.RecvPacket
      #2: x/evm/types/tx.pb.go:587:19: types.RegisterMsgServer calls baseapp.MsgServiceRouter.RegisterService, which eventually calls keeper.Keeper.UnreceivedPackets

Vulnerability #8: GO-2023-1821
    The x/crisis package does not cause chain halt in
    github.com/cosmos/cosmos-sdk
  More info: https://pkg.go.dev/vuln/GO-2023-1821
  Module: github.com/cosmos/cosmos-sdk
    Found in: github.com/cosmos/[email protected]
    Fixed in: N/A
    Example traces found:
      #1: cmd/ethermintd/root.go:155:27: ethermintd.addModuleInitFlags calls crisis.AddModuleInitFlags
      #2: app/app.go:711:65: app.EthermintApp.InitChainer calls module.Manager.GetVersionMap, which calls crisis.AppModule.ConsensusVersion
      #3: app/app.go:702:24: app.EthermintApp.EndBlocker calls module.Manager.EndBlock, which calls crisis.AppModule.EndBlock
      #4: app/export.go:59:34: app.EthermintApp.ExportAppStateAndValidators calls module.Manager.ExportGenesis, which calls crisis.AppModule.ExportGenesis
      #5: app/app.go:712:27: app.EthermintApp.InitChainer calls module.Manager.InitGenesis, which calls crisis.AppModule.InitGenesis
      #6: app/app.go:607:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.LegacyQuerierHandler
      #7: app/app.go:711:65: app.EthermintApp.InitChainer calls module.Manager.GetVersionMap, which calls crisis.AppModule.Name
      #8: app/app.go:607:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.QuerierRoute
      #9: app/app.go:606:27: app.NewEthermintApp calls module.Manager.RegisterInvariants, which calls crisis.AppModule.RegisterInvariants
      #10: app/app.go:609:25: app.NewEthermintApp calls module.Manager.RegisterServices, which calls crisis.AppModule.RegisterServices
      #11: app/app.go:607:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.Route
      #12: testutil/network/network.go:138:53: network.DefaultConfig calls module.BasicManager.DefaultGenesis, which calls crisis.AppModuleBasic.DefaultGenesis
      #13: cmd/ethermintd/root.go:176:35: ethermintd.queryCommand calls module.BasicManager.AddQueryCommands, which calls crisis.AppModuleBasic.GetQueryCmd
      #14: cmd/ethermintd/root.go:203:32: ethermintd.txCommand calls module.BasicManager.AddTxCommands, which calls crisis.AppModuleBasic.GetTxCmd
      #15: testutil/network/network.go:138:53: network.DefaultConfig calls module.BasicManager.DefaultGenesis, which calls crisis.AppModuleBasic.Name
      #16: app/app.go:803:40: app.EthermintApp.RegisterAPIRoutes calls module.BasicManager.RegisterGRPCGatewayRoutes, which calls crisis.AppModuleBasic.RegisterGRPCGatewayRoutes
      #17: encoding/config.go:44:23: encoding.MakeConfig calls module.BasicManager.RegisterInterfaces, which calls crisis.AppModuleBasic.RegisterInterfaces
      #18: encoding/config.go:42:29: encoding.MakeConfig calls module.BasicManager.RegisterLegacyAminoCodec, which calls crisis.AppModuleBasic.RegisterLegacyAminoCodec
      #19: cmd/ethermintd/main.go:35:26: ethermintd.main calls cmd.Execute, which eventually calls crisis.AppModuleBasic.ValidateGenesis
      #20: app/app.go:494:22: app.NewEthermintApp calls crisis.NewAppModule

=== Informational ===

Found 1 vulnerability in packages that you import, but there are no
call stacks leading to the use of this vulnerability. There are also 4
vulnerabilities in modules that you require that are neither imported
nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.

Vulnerability #1: GO-2023-2402
    Man-in-the-middle attacker can compromise integrity of secure channel in
    golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2023-2402
  Module: golang.org/x/crypto
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]

Vulnerability #2: GO-2023-2102
    HTTP/2 rapid reset can cause excessive work in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-2102
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]

Vulnerability #3: GO-2023-2046
    Unbounded memory consumption in github.com/ethereum/go-ethereum
  More info: https://pkg.go.dev/vuln/GO-2023-2046
  Module: github.com/ethereum/go-ethereum
    Found in: github.com/ethereum/[email protected]
    Fixed in: github.com/ethereum/[email protected]

Vulnerability #4: GO-2023-1988
    Improper rendering of text nodes in golang.org/x/net/html
  More info: https://pkg.go.dev/vuln/GO-2023-1988
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]

Vulnerability #5: GO-2022-0646
    Use of risky cryptographic algorithm in github.com/aws/aws-sdk-go
  More info: https://pkg.go.dev/vuln/GO-2022-0646
  Module: github.com/aws/aws-sdk-go
    Found in: github.com/aws/[email protected]
    Fixed in: N/A

Your code is affected by 8 vulnerabilities from 4 modules and the Go standard library.

Share feedback at https://go.dev/s/govulncheck-feedback.
make: *** [vulncheck] Error 3
