go-getter is vulnerable to argument injection

[Starttoaster]

HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches.

See the module entry in go.mod: https://github.com/aquasecurity/trivy-operator/blob/main/go.mod#L173

https://avd.aquasec.com/nvd/2024/cve-2024-3817/ https://nvd.nist.gov/vuln/detail/CVE-2024-3817

This is being classed with a CVE score of 9.8, so this is just a request to update that dependency. Where that vulnerability is apparently resolved in v1.7.4. https://github.com/hashicorp/go-getter/releases/tag/v1.7.4

[rgarcia89]

It is really annoying to see this showing up now as vulnerability in every image when doing a rootfs scan using the trivy operator now...

[rgarcia89]

I would like to mention that I am on the latest release

NAME            NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                   APP VERSION
trivy-operator  trivy-operator  47              2024-04-22 14:37:46.65427854 +0200 CEST deployed        trivy-operator-0.22.0   0.20.0

From my understand this fix should be included in v0.20.0. However, it is still showing up in every scan. I have manually excluded it now until further notice using

  # ignoreFile: ~
  ignoreFile:
    - CVE-2024-3817

[rgarcia89]

I see it is coming from ghcr.io/aquasecurity/trivy:0.50.1

trivy image --ignore-unfixed ghcr.io/aquasecurity/trivy:0.50.1
2024-04-22T14:51:14.757+0200    INFO    Vulnerability scanning is enabled
2024-04-22T14:51:14.757+0200    INFO    Secret scanning is enabled
2024-04-22T14:51:14.757+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-04-22T14:51:14.757+0200    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-04-22T14:51:17.178+0200    INFO    Detected OS: alpine
2024-04-22T14:51:17.178+0200    INFO    Detecting Alpine vulnerabilities...
2024-04-22T14:51:17.184+0200    INFO    Number of language-specific files: 1
2024-04-22T14:51:17.184+0200    INFO    Detecting gobinary vulnerabilities...

ghcr.io/aquasecurity/trivy:0.50.1 (alpine 3.19.1)

Total: 2 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2024-2511 │ LOW      │ fixed  │ 3.1.4-r5          │ 3.1.4-r6      │ openssl: Unbounded memory growth with session handling in │
│            │               │          │        │                   │               │ TLSv1.3                                                   │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-2511                 │
├────────────┤               │          │        │                   │               │                                                           │
│ libssl3    │               │          │        │                   │               │                                                           │
│            │               │          │        │                   │               │                                                           │
│            │               │          │        │                   │               │                                                           │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

usr/local/bin/trivy (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 1)

┌────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-3817  │ CRITICAL │ fixed  │ v1.7.3            │ 1.7.4         │ HashiCorp\u2019s go-getter library is vulnerable to argument │
│                                │                │          │        │                   │               │ injection ...                                                │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-3817                    │
├────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net               │ CVE-2023-45288 │ MEDIUM   │        │ v0.21.0           │ 0.23.0        │ golang: net/http, x/net/http2: unlimited number of           │
│                                │                │          │        │                   │               │ CONTINUATION frames causes DoS                               │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
└────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

[chen-keinan]

@rgarcia89 its true, its fixed in trivy-operator but not in trivy yet. should be fixed with next trivy version one it will be out, I'll bump trivy version in trivy-operator