aquasecurity / trivy-db


feat(go): add vulndb #398

Closed knqyf263 closed 4 months ago

knqyf263 commented 4 months ago

Description

Since GHSA doesn't eagerly review Go runtime/toolchain vulnerabilities (see https://github.com/aquasecurity/vuln-list-update/issues/288#issuecomment-2069271945), we parse the Go Vulnerability Database for Go runtime vulnerabilities.

trivy (gobinary)

Total: 17 (UNKNOWN: 0, LOW: 0, MEDIUM: 11, HIGH: 3, CRITICAL: 3)

┌────────────────────────────────┬────────────────┬──────────┬──────────┬──────────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │  Status  │  Installed Version   │ Fixed Version  │                            Title                             │
├────────────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
...
├────────────────────────────────┼────────────────┼──────────┤          ├──────────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                         │ CVE-2023-45288 │ HIGH     │          │ 1.21.6               │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of           │
│                                │                │          │          │                      │                │ CONTINUATION frames causes DoS                               │
│                                │                │          │          │                      │                │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│                                ├────────────────┼──────────┤          │                      ├────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2023-45289 │ MEDIUM   │          │                      │ 1.21.8, 1.22.1 │ golang: net/http/cookiejar: incorrect forwarding of          │
│                                │                │          │          │                      │                │ sensitive headers and cookies on HTTP redirect...            │
│                                │                │          │          │                      │                │ https://avd.aquasec.com/nvd/cve-2023-45289                   │
│                                ├────────────────┤          │          │                      │                ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2023-45290 │          │          │                      │                │ golang: net/http: memory exhaustion in                       │
│                                │                │          │          │                      │                │ Request.ParseMultipartForm                                   │
│                                │                │          │          │                      │                │ https://avd.aquasec.com/nvd/cve-2023-45290                   │
│                                ├────────────────┤          │          │                      │                ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2024-24783 │          │          │                      │                │ golang: crypto/x509: Verify panics on certificates with an   │
│                                │                │          │          │                      │                │ unknown public key algorithm...                              │
│                                │                │          │          │                      │                │ https://avd.aquasec.com/nvd/cve-2024-24783                   │
│                                ├────────────────┤          │          │                      │                ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2024-24784 │          │          │                      │                │ golang: net/mail: comments in display names are incorrectly  │
│                                │                │          │          │                      │                │ handled                                                      │
│                                │                │          │          │                      │                │ https://avd.aquasec.com/nvd/cve-2024-24784                   │
│                                ├────────────────┤          │          │                      │                ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2024-24785 │          │          │                      │                │ golang: html/template: errors returned from MarshalJSON      │
│                                │                │          │          │                      │                │ methods may break template escaping                          │
│                                │                │          │          │                      │                │ https://avd.aquasec.com/nvd/cve-2024-24785                   │
└────────────────────────────────┴────────────────┴──────────┴──────────┴──────────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘

Issue
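Added example, not trivy-db's own code: a Go sketch of the stdlib filter this PR describes, parsing constructed OSV entries in the vuln.go.dev format and keeping only advisories whose affected package is the Go runtime. The ids GO-EXAMPLE-0001/0002 and the module example.com/mod are made up; the CVE alias and fixed versions come from the table above.

```go
package main

import "encoding/json"

// Subset of the OSV schema used by vuln.go.dev; encoding/json matches keys case-insensitively, so no struct tags are needed.
type osvEntry struct {
	ID       string
	Aliases  []string
	Affected []struct {
		Package struct{ Name, Ecosystem string }
		Ranges  []struct{ Events []struct{ Introduced, Fixed string } }
	}
}
// Finding is one advisory for the Go runtime ("stdlib"); Fixed has one patched version per release branch and is empty when none is listed yet.
type Finding struct {
	ID             string
	Aliases, Fixed []string
}
// StdlibFindings parses a JSON array of OSV entries, drops advisories for ordinary modules and collects every "fixed" event of the stdlib ranges.
func StdlibFindings(data []byte) ([]Finding, error) {
	var entries []osvEntry
	if err := json.Unmarshal(data, &entries); err != nil {
		return nil, err
	}
	var out []Finding
	for _, e := range entries {
		f, hit := Finding{ID: e.ID, Aliases: e.Aliases}, false
		for _, a := range e.Affected {
			if a.Package.Ecosystem != "Go" || a.Package.Name != "stdlib" {
				continue // a third-party module: left to the existing GHSA source
			}
			hit = true // an unfixed stdlib advisory must still be reported
			for _, r := range a.Ranges {
				for _, ev := range r.Events {
					if ev.Fixed != "" {
						f.Fixed = append(f.Fixed, ev.Fixed)
					}
				}
			}
		}
		if hit {
			out = append(out, f)
		}
	}
	return out, nil
}

// Sample is constructed input: a stdlib advisory modelled on CVE-2023-45288 from the table above (made-up GO ids) and a module advisory that must be filtered out.
var Sample = []byte(`[{"id":"GO-EXAMPLE-0001","aliases":["CVE-2023-45288"],"affected":[{"package":{"name":"stdlib","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.21.9"},{"introduced":"1.22.0-0"},{"fixed":"1.22.2"}]}]}]},
{"id":"GO-EXAMPLE-0002","affected":[{"package":{"name":"example.com/mod","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.2.3"}]}]}]}]`)
```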

knqyf263 commented 4 months ago

@DmitriyLewen Could you play with my change and add unit tests?

DmitriyLewen commented 4 months ago

@knqyf263 LGTM. I added tests.

knqyf263 commented 4 months ago

@DmitriyLewen Thanks! Can you approve it?

DmitriyLewen commented 4 months ago

@knqyf263 Done!