go-vulnerability-scan is failing CI #8584

Closed
phil-davis opened this issue Mar 6, 2024 · 1 comment · Fixed by #8586
@phil-davis (Contributor)
Describe the bug

go-vulnerability-scan is failing CI

Steps to reproduce

Run CI

Expected behavior

go-vulnerability-scan passes

Actual behavior

go-vulnerability-scan fails

https://drone.owncloud.com/owncloud/ocis/32659/9/6

Scanning your code and 1692 packages across 318 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2024-2611
    Infinite loop in JSON unmarshaling in google.golang.org/protobuf
  More info: https://pkg.go.dev/vuln/GO-2024-2611
  Module: google.golang.org/protobuf
    Found in: google.golang.org/[email protected]
    Fixed in: google.golang.org/[email protected]
    Example traces found:
      #1: services/store/pkg/service/v0/service.go:92:31: service.Service.Read calls protojson.Unmarshal, which eventually calls json.Decoder.Peek
      #2: services/store/pkg/service/v0/service.go:92:31: service.Service.Read calls protojson.Unmarshal, which eventually calls json.Decoder.Read
      #3: services/store/pkg/service/v0/service.go:92:31: service.Service.Read calls protojson.Unmarshal
      #4: protogen/gen/ocis/services/settings/v0/settings.pb.web.go:1486:59: settings.GetPermissionByIDResponse.UnmarshalJSON calls jsonpb.Unmarshaler.Unmarshal, which eventually calls protojson.UnmarshalOptions.Unmarshal

Vulnerability #2: GO-2024-2610
    Errors returned from JSON marshaling may break template escaping in
    html/template
  More info: https://pkg.go.dev/vuln/GO-2024-2610
  Standard library
    Found in: html/[email protected]
    Fixed in: html/[email protected]
    Example traces found:
      #1: services/notifications/pkg/email/email.go:91:23: email.executeTemplate calls template.Template.Execute
      #2: services/proxy/pkg/middleware/account_resolver.go:89:19: middleware.accountResolver.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls template.Template.ExecuteTemplate

Vulnerability #3: GO-2024-2609
    Comments in display names are incorrectly handled in net/mail
  More info: https://pkg.go.dev/vuln/GO-2024-2609
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Example traces found:
      #1: services/notifications/pkg/channels/channels.go:117:98: channels.Mail.SendMessage calls simple.Email.AddTo, which eventually calls mail.Address.String
      #2: services/notifications/pkg/channels/channels.go:117:98: channels.Mail.SendMessage calls simple.Email.AddTo, which eventually calls mail.ParseAddress

Vulnerability #4: GO-2024-2600
    Incorrect forwarding of sensitive headers and cookies on HTTP redirect in
    net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2600
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Example traces found:
      #1: ocis-pkg/oidc/client.go:238:30: oidc.oidcClient.UserInfo calls http.Client.Do
      #2: ocis-pkg/oidc/metadata.go:101:25: oidc.GetIDPMetadata calls http.Client.Get
      #3: services/search/pkg/command/health.go:25:25: command.Health calls http.Get
      #4: ocis-pkg/oidc/client.go:238:30: oidc.oidcClient.UserInfo calls http.Client.Do, which eventually calls cookiejar.Jar.Cookies
      #5: ocis-pkg/oidc/client.go:238:30: oidc.oidcClient.UserInfo calls http.Client.Do, which eventually calls cookiejar.Jar.SetCookies

Vulnerability #5: GO-2024-2599
    Memory exhaustion in multipart form parsing in net/textproto and net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2599
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Example traces found:
      #1: services/antivirus/pkg/scanners/icap.go:59:28: scanners.ICAP.Scan calls icap.Client.Do, which eventually calls textproto.Reader.ReadLine
      #2: services/antivirus/pkg/scanners/icap.go:59:28: scanners.ICAP.Scan calls icap.Client.Do, which eventually calls textproto.Reader.ReadMIMEHeader
      #3: services/notifications/pkg/channels/channels.go:95:35: channels.Mail.getMailClient calls simple.SMTPServer.Connect, which eventually calls textproto.Reader.ReadResponse

Vulnerability #6: GO-2024-2598
    Verify panics on certificates with an unknown public key algorithm in
    crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2024-2598
  Standard library
    Found in: crypto/[email protected]
    Fixed in: crypto/[email protected]
    Example traces found:
      #1: services/nats/pkg/server/nats/nats.go:27:34: nats.NewNATSServer calls server.NewServer, which eventually calls x509.Certificate.Verify

Your code is affected by 6 vulnerabilities from 1 module and the Go standard library.
Share feedback at https://go.dev/s/govulncheck-feedback.
make: *** [Makefile:279: govulncheck] Error 3

And same for stable-5.0
https://drone.owncloud.com/owncloud/ocis/32664/9/6

It seems to have started failing last night.

Setup

CI

@micbar (Contributor) commented Mar 6, 2024

We need to bump the golang version in our docker image.
