
Go should be upgraded; currently using 1.20 which is EOL and has security issues #657

Open
candrews opened this issue May 15, 2024 · 2 comments
Labels
type:task A general task

Comments

@candrews

Expected Behavior

This project currently uses go 1.20 which is EOL and unsupported, see https://go.dev/doc/devel/release. It also has security vulnerabilities which scanners such as Trivy report.

Therefore, I believe that this project should upgrade go to 1.21 or better yet 1.22.

Current Behavior

Trivy reports some vulnerabilities, all of which can be addressed by using the latest version of go.

$ docker run -it aquasec/trivy:0.51.1 image gcr.io/paketo-buildpacks/bellsoft-liberica
2024-05-15T16:51:40Z	INFO	Need to update DB
2024-05-15T16:51:40Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
46.24 MiB / 46.24 MiB [-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 10.48 MiB p/s 4.6s
2024-05-15T16:51:45Z	INFO	Vulnerability scanning is enabled
2024-05-15T16:51:45Z	INFO	Secret scanning is enabled
2024-05-15T16:51:45Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-15T16:51:45Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-15T16:51:46Z	INFO	Number of language-specific files	num=2
2024-05-15T16:51:46Z	INFO	[gobinary] Detecting vulnerabilities...

cnb/buildpacks/paketo-buildpacks_bellsoft-liberica/10.7.1/bin/helper (gobinary)

Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.20.14           │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of          │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                              │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
│         ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45289 │ MEDIUM   │        │                   │ 1.21.8, 1.22.1 │ golang: net/http/cookiejar: incorrect forwarding of         │
│         │                │          │        │                   │                │ sensitive headers and cookies on HTTP redirect...           │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45289                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45290 │          │        │                   │                │ golang: net/http: memory exhaustion in                      │
│         │                │          │        │                   │                │ Request.ParseMultipartForm                                  │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45290                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24783 │          │        │                   │                │ golang: crypto/x509: Verify panics on certificates with an  │
│         │                │          │        │                   │                │ unknown public key algorithm...                             │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24783                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24784 │          │        │                   │                │ golang: net/mail: comments in display names are incorrectly │
│         │                │          │        │                   │                │ handled                                                     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24784                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24785 │          │        │                   │                │ golang: html/template: errors returned from MarshalJSON     │
│         │                │          │        │                   │                │ methods may break template escaping                         │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24785                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

cnb/buildpacks/paketo-buildpacks_bellsoft-liberica/10.7.1/bin/main (gobinary)

Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.20.14           │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of          │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                              │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
│         ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45289 │ MEDIUM   │        │                   │ 1.21.8, 1.22.1 │ golang: net/http/cookiejar: incorrect forwarding of         │
│         │                │          │        │                   │                │ sensitive headers and cookies on HTTP redirect...           │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45289                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45290 │          │        │                   │                │ golang: net/http: memory exhaustion in                      │
│         │                │          │        │                   │                │ Request.ParseMultipartForm                                  │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45290                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24783 │          │        │                   │                │ golang: crypto/x509: Verify panics on certificates with an  │
│         │                │          │        │                   │                │ unknown public key algorithm...                             │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24783                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24784 │          │        │                   │                │ golang: net/mail: comments in display names are incorrectly │
│         │                │          │        │                   │                │ handled                                                     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24784                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24785 │          │        │                   │                │ golang: html/template: errors returned from MarshalJSON     │
│         │                │          │        │                   │                │ methods may break template escaping                         │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24785                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

Possible Solution

I suggest that the version of go be updated to the latest version (currently 1.22.3).

Steps to Reproduce

  1. docker run -it aquasec/trivy:0.51.1 image gcr.io/paketo-buildpacks/bellsoft-liberica

Motivations

I don't think these vulnerabilities are exploitable, but they're still present which isn't great. And their presence causes a lot of trouble for those who use automated security scanning systems as such users must suppress these findings.
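A CI gate for exactly what this scan flags, added here as an example and not code from the buildpack or from Trivy: it reads the Go toolchain version stamped into a compiled binary with the standard library's debug/buildinfo package (the "stdlib" installed version in the tables above) and fails when it is older than a required release. The program name gover-check and its argument layout are assumptions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)
// parseGoVersion turns a release toolchain string such as "go1.20.14" into
// major/minor/patch ints; pre-release strings like "go1.22rc1" are rejected.
func parseGoVersion(v string) ([3]int, error) {
	var out [3]int
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3) {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unrecognised Go version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// meetsMinimum reports whether toolchain version got is at least want.
func meetsMinimum(got, want string) (bool, error) {
	g, err := parseGoVersion(got)
	if err != nil {
		return false, err
	}
	w, err := parseGoVersion(want)
	if err != nil {
		return false, err
	}
	return g[0] > w[0] || g[0] == w[0] && (g[1] > w[1] || g[1] == w[1] && g[2] >= w[2]), nil
}

// Usage: gover-check <min-go-version> <binary>... ; exits 1 if any binary was
// built with an older toolchain (debug/buildinfo reads the stamped version).
func main() {
	failed := len(os.Args) < 3
	for i := 2; i < len(os.Args); i++ {
		ok, v := false, "?"
		if bi, err := buildinfo.ReadFile(os.Args[i]); err == nil {
			v = bi.GoVersion
			ok, _ = meetsMinimum(v, os.Args[1])
		}
		fmt.Printf("%s: built with %s, meets %s: %v\n", os.Args[i], v, os.Args[1], ok)
		failed = failed || !ok
	}
	if failed {
		os.Exit(1)
	}
}
```

Run against the two gobinary files Trivy lists (bin/helper and bin/main) with the fixed version from the report as the minimum; an unreadable file or a missing argument also fails the gate.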

@dmikusa
Contributor

dmikusa commented May 15, 2024

Acknowledged.

It is our estimate that these are not exploitable either. Upgrading Go is something we have planned, but I believe we hit some issues so we're still sorting through that.

@dmikusa dmikusa added the type:task A general task label May 15, 2024
@candrews
Author

I ran docker run -it aquasec/trivy:0.51.1 image gcr.io/paketo-buildpacks/bellsoft-liberica again and confirmed that this issue has been (mostly) resolved.

go 1.22.3 is now being used, which addresses many findings. But, there are still some findings that would be addressed by using go 1.22.4.

$ docker run -it aquasec/trivy:0.51.1 image gcr.io/paketo-buildpacks/bellsoft-liberica:latest
2024-06-17T13:38:41Z	INFO	Need to update DB
2024-06-17T13:38:41Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
48.11 MiB / 48.11 MiB [--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8.75 MiB p/s 5.7s
2024-06-17T13:38:47Z	INFO	Vulnerability scanning is enabled
2024-06-17T13:38:47Z	INFO	Secret scanning is enabled
2024-06-17T13:38:47Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-17T13:38:47Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-06-17T13:38:48Z	INFO	Number of language-specific files	num=2
2024-06-17T13:38:48Z	INFO	[gobinary] Detecting vulnerabilities...

cnb/buildpacks/paketo-buildpacks_bellsoft-liberica/10.8.0/bin/helper (gobinary)

Total: 2 (UNKNOWN: 2, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24789 │ UNKNOWN  │ fixed  │ 1.22.3            │ 1.21.11, 1.22.4 │ The archive/zip package's handling of certain types of      │
│         │                │          │        │                   │                 │ invalid zip fil ......                                      │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24789                  │
│         ├────────────────┤          │        │                   │                 ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24790 │          │        │                   │                 │ The various Is methods (IsPrivate, IsLoopback, etc) did not │
│         │                │          │        │                   │                 │ work as ex...                                               │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴─────────────────────────────────────────────────────────────┘

cnb/buildpacks/paketo-buildpacks_bellsoft-liberica/10.8.0/bin/main (gobinary)

Total: 2 (UNKNOWN: 2, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24789 │ UNKNOWN  │ fixed  │ 1.22.3            │ 1.21.11, 1.22.4 │ The archive/zip package's handling of certain types of      │
│         │                │          │        │                   │                 │ invalid zip fil ......                                      │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24789                  │
│         ├────────────────┤          │        │                   │                 ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24790 │          │        │                   │                 │ The various Is methods (IsPrivate, IsLoopback, etc) did not │
│         │                │          │        │                   │                 │ work as ex...                                               │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴─────────────────────────────────────────────────────────────┘
