Open elchenberg opened 2 months ago
By the way: I do not know if `bug` is the correct label. The other option was `feature` and this does not fit either. :sweat_smile:
@tobru Sorry if you are the wrong person to ping, but you were the one responding to my appuio/container-oc PR some weeks ago. :sweat_smile: Is there any chance of getting the dependencies updated?
@elchenberg Do I understand correctly that you're actually concerned about the vulnerability warnings when using appuio/container-oc, but don't use seiso itself?
I could check if we can drop seiso completely from appuio/container-oc. Afaict this is a legacy tool that we don't use anymore.
Describe the bug
I used govulncheck to scan this repository for vulnerabilities:
Affected modules:
Vulnerabilities:
Additional context
My Go version is 1.23.1. This is the command that I used for the scan:
Logs
govulncheck output
```console
=== Symbol Results ===

Vulnerability #1: GO-2024-3110
    runc can be confused to create empty files/directories on the host in github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2024-3110
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/runc@v1.0.2
    Fixed in: github.com/opencontainers/runc@v1.1.14
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #2: GO-2024-2914
    Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing in github.com/docker/docker
  More info: https://pkg.go.dev/vuln/GO-2024-2914
  Module: github.com/moby/moby
    Found in: github.com/moby/moby@v17.12.0-ce-rc1.0.20200618181300-9dc6525e6118+incompatible
    Fixed in: N/A
    Example traces found:
      #1: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls blkiodev.init
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls container.init
      #3: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls errdefs.init
      [...]

Vulnerability #3: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20210520170846-37e1c6afe023
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
      #1: pkg/kubernetes/clients.go:25:26: kubernetes.NewCoreV1Client calls core.NewForConfig, which eventually calls http2.ConfigureTransports
      #2: cmd/root.go:32:24: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.ConnectionError.Error
      #3: main.go:17:28: seiso.main calls fmt.Sprintf, which eventually calls http2.ErrCode.String
      [...]

Vulnerability #4: GO-2024-2466
    Denial of service in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4
  More info: https://pkg.go.dev/vuln/GO-2024-2466
  Module: gopkg.in/src-d/go-git.v4
    Found in: gopkg.in/src-d/go-git.v4@v4.13.1
    Fixed in: N/A
    Example traces found:
      #1: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadHash
      #2: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadUint32
      #3: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadVariableWidthInt
      [...]

Vulnerability #5: GO-2024-2456
    Path traversal and RCE in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4
  More info: https://pkg.go.dev/vuln/GO-2024-2456
  Module: gopkg.in/src-d/go-git.v4
    Found in: gopkg.in/src-d/go-git.v4@v4.13.1
    Fixed in: N/A
    Example traces found:
      #1: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadHash
      #2: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadUint32
      #3: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadVariableWidthInt
      [...]

Vulnerability #6: GO-2023-2402
    Man-in-the-middle attacker can compromise integrity of secure channel in golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2023-2402
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.0.0-20210513164829-c07d793c2f9a
    Fixed in: golang.org/x/crypto@v0.17.0
    Example traces found:
      #1: pkg/namespace/checker_helm.go:38:33: namespace.HelmChecker.NonEmptyNamespaces calls action.List.Run, which eventually calls ssh.extChannel.Read

Vulnerability #7: GO-2023-1683
    runc AppArmor bypass with symlinked /proc in github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2023-1683
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/runc@v1.0.2
    Fixed in: github.com/opencontainers/runc@v1.1.5
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #8: GO-2023-1682
    rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc in github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2023-1682
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/runc@v1.0.2
    Fixed in: github.com/opencontainers/runc@v1.1.5
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #9: GO-2023-1627
    Opencontainers runc Incorrect Authorization vulnerability in github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2023-1627
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/runc@v1.0.2
    Fixed in: github.com/opencontainers/runc@v1.1.5
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #10: GO-2023-1571
    Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2023-1571
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20210520170846-37e1c6afe023
    Fixed in: golang.org/x/net@v0.7.0
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls hpack.Decoder.Write
      #2: pkg/kubernetes/clients.go:25:26: kubernetes.NewCoreV1Client calls core.NewForConfig, which eventually calls http2.ConfigureTransports
      #3: cmd/root.go:32:24: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.ConnectionError.Error
      [...]

Vulnerability #11: GO-2022-1147
    containerd CRI stream server vulnerable to host memory exhaustion via terminal in github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-1147
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/containerd@v1.5.7
    Fixed in: github.com/containerd/containerd@v1.5.16
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Vulnerability #12: GO-2022-0482
    containerd CRI plugin: Host memory exhaustion through ExecSync in github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-0482
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/containerd@v1.5.7
    Fixed in: github.com/containerd/containerd@v1.5.13
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Vulnerability #13: GO-2022-0452
    Default inheritable capabilities for linux container should be empty in github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2022-0452
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/runc@v1.0.2
    Fixed in: github.com/opencontainers/runc@v1.1.2
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #14: GO-2022-0390
    Moby (Docker Engine) started with non-empty inheritable Linux process capabilities in github.com/docker/docker
  More info: https://pkg.go.dev/vuln/GO-2022-0390
  Module: github.com/moby/moby
    Found in: github.com/moby/moby@v17.12.0-ce-rc1.0.20200618181300-9dc6525e6118+incompatible
    Fixed in: N/A
    Example traces found:
      #1: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls blkiodev.init
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls container.init
      #3: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls errdefs.init
      [...]

Vulnerability #15: GO-2022-0360
    Ambiguous OCI manifest parsing in github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-0360
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/containerd@v1.5.7
    Fixed in: github.com/containerd/containerd@v1.5.8
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Vulnerability #16: GO-2022-0344
    containerd CRI plugin: Insecure handling of image volumes in github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-0344
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/containerd@v1.5.7
    Fixed in: github.com/containerd/containerd@v1.5.10
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Vulnerability #17: GO-2022-0278
    Unprivileged pod using `hostPath` can side-step active LSM when it is SELinux in github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-0278
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/containerd@v1.5.7
    Fixed in: github.com/containerd/containerd@v1.5.9
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Your code is affected by 17 vulnerabilities from 6 modules.
This scan also found 16 vulnerabilities in packages you import and 20
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
```
Expected behavior
Zero known vulnerabilities, but more realistically: zero known vulnerabilities of critical and high severity.
To Reproduce
Steps to reproduce the behavior:
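An added example, not part of seiso or of this issue: a small parser that folds `govulncheck -json` findings into the three buckets of the report's closing summary above (called / imported / required) and flags the called entries that report no fixed version, the "Fixed in: N/A" cases that a plain dependency bump cannot clear. It assumes govulncheck's JSON shape (a stream of objects whose `finding` has `osv`, optional `fixed_version` and a `trace` whose first frame is the vulnerable module, package or symbol) and uses a constructed sample built from OSV ids in the scan.

```python
import json

# Constructed sample in govulncheck -json shape: four OSV ids from the scan,
# with one id (GO-2024-3110) reported at both module and symbol level.
SAMPLE = """
{"finding": {"osv": "GO-2024-3110", "fixed_version": "v1.1.14",
  "trace": [{"module": "github.com/opencontainers/runc"}]}}
{"finding": {"osv": "GO-2024-3110", "fixed_version": "v1.1.14",
  "trace": [{"module": "github.com/opencontainers/runc", "package":
   "github.com/opencontainers/runc/libcontainer/user", "function": "CurrentUser"}]}}
{"finding": {"osv": "GO-2024-2914", "trace": [{"module": "github.com/moby/moby",
  "package": "github.com/docker/docker/api/types/blkiodev", "function": "init"}]}}
{"finding": {"osv": "GO-2024-2466", "trace": [{"module": "gopkg.in/src-d/go-git.v4",
  "package": "gopkg.in/src-d/go-git.v4/utils/binary"}]}}
{"finding": {"osv": "GO-2023-1571", "fixed_version": "v0.7.0",
  "trace": [{"module": "golang.org/x/net"}]}}
"""

LEVELS = ("required", "imported", "called")  # index == level() result

def messages(stream: str):
    """govulncheck -json writes concatenated JSON objects, not one document."""
    dec, pos = json.JSONDecoder(), 0
    while (pos := len(stream) - len(stream[pos:].lstrip())) < len(stream):
        obj, pos = dec.raw_decode(stream, pos)
        yield obj

def level(finding: dict) -> int:
    """First trace frame is the vulnerable module/package/symbol (assumed):
    2 = your code calls it, 1 = you import it, 0 = you only require it."""
    frame = (finding.get("trace") or [{}])[0]
    return 2 if frame.get("function") else 1 if frame.get("package") else 0

def summarize(stream: str) -> dict:
    """Fold all findings for one OSV id into its highest level, as the text
    report's closing lines do; 'unfixable' = called ids with no fixed_version."""
    best, fixed = {}, {}
    for msg in messages(stream):
        f = msg.get("finding")
        if f:
            best[f["osv"]] = max(best.get(f["osv"], 0), level(f))
            fixed[f["osv"]] = fixed.get(f["osv"]) or f.get("fixed_version", "")
    out = {name: set() for name in LEVELS + ("unfixable",)}
    for osv, lvl in best.items():
        out[LEVELS[lvl]].add(osv)
        if lvl == 2 and not fixed[osv]:
            out["unfixable"].add(osv)
    return out
```

Run it against the real stream with `govulncheck -json ./... | python3 -c 'import sys; ...'`, or feed `summarize()` the captured output; failing CI only on the `called` bucket reproduces the scanner's own "affected" judgement rather than the import-level noise.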