b2network / b2-node

Ethermint is a Cosmos SDK library for running scalable and interoperable EVM chains
https://docs.evmos.org/
GNU Lesser General Public License v3.0

Go vulnerability check failed #16

Open oxf71 opened 8 months ago

oxf71 commented 8 months ago

Dependency Review actions failed

https://github.com/oxf71/b2-node/actions/runs/6730778725/job/18294194448

Run make vulncheck
Makefile:81: RocksDB support is disabled; to build and test with RocksDB support, set ENABLE_ROCKSDB=true
fatal: No names found, cannot describe anything.
mkdir -p /home/runner/work/b2-node/b2-node/build/
GOBIN=/home/runner/work/b2-node/b2-node/build go install golang.org/x/vuln/cmd/govulncheck@latest
go: downloading golang.org/x/vuln v1.0.1
go: downloading golang.org/x/mod v0.12.0
go: downloading golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846
go: downloading golang.org/x/sys v0.11.0
go: downloading golang.org/x/sync v0.3.0
/home/runner/work/b2-node/b2-node/build/govulncheck ./...
Scanning your code and 1126 packages across 159 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2023-2153
    denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc
  More info: https://pkg.go.dev/vuln/GO-2023-2153
  Module: google.golang.org/grpc
    Found in: google.golang.org/grpc@v1.54.0
    Fixed in: google.golang.org/grpc@v1.58.3
    Example traces found:
      #1: testutil/network/util.go:126:45: network.startInProcess calls grpc.StartGRPCServer, which eventually calls transport.NewServerTransport
      #2: testutil/network/util.go:126:45: network.startInProcess calls grpc.StartGRPCServer, which calls grpc.NewServer
      #3: testutil/network/util.go:126:45: network.startInProcess calls grpc.StartGRPCServer, which eventually calls grpc.Server.Serve

Vulnerability #2: GO-2023-2102
    HTTP/2 rapid reset can cause excessive work in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-2102
  Standard library
    Found in: net/http@go1.19.13
    Fixed in: net/http@go1.21.3
    Example traces found:
      #1: rpc/websockets.go:114:29: rpc.Start calls http.ListenAndServe
      #2: rpc/websockets.go:116:32: rpc.Start calls http.ListenAndServeTLS
      #3: testutil/network/util.go:134:46: network.startInProcess calls grpc.StartGRPCWeb, which eventually calls http.Server.ListenAndServe
      #4: server/json_rpc.go:103:26: server.StartJSONRPC calls http.Server.Serve
      #5: testutil/network/util.go:82:24: network.startInProcess calls service.BaseService.Start, which eventually calls http.Server.ServeTLS

Vulnerability #3: GO-2023-2043
    Improper handling of special tags within script contexts in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-2043

How should the vulnerability check results be handled?

0x677261706562616261 commented 8 months ago

@oxf71 disable it first

oxf71 commented 8 months ago

> @oxf71 disable it first

ok

oxf71 commented 5 months ago

➜  b2-node git:(main)  git rev-parse --short=7 HEAD
7e42338
➜  b2-node git:(main) make vulncheck
Makefile:81: RocksDB support is disabled; to build and test with RocksDB support, set ENABLE_ROCKSDB=true
fatal: No names found, cannot describe anything.
GOBIN=/Volumes/dev/work/blockchain/b2network/b2-node/build go install golang.org/x/vuln/cmd/govulncheck@latest
/Volumes/dev/work/blockchain/b2network/b2-node/build/govulncheck ./...
Scanning your code and 1129 packages across 159 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2023-2409
    Denial of service when decrypting attack controlled input in
    github.com/dvsekhvalnov/jose2go
  More info: https://pkg.go.dev/vuln/GO-2023-2409
  Module: github.com/dvsekhvalnov/jose2go
    Found in: github.com/dvsekhvalnov/jose2go@v1.5.0
    Fixed in: github.com/dvsekhvalnov/jose2go@v1.5.1-0.20231206184617-48ba0b76bc88
    Example traces found:
      #1: rpc/backend/node_info.go:211:47: backend.Backend.ImportRawKey calls keyring.keystore.KeyByAddress, which eventually calls jose2go.Decode
      #2: client/keys/add.go:102:18: keys.RunAddCmd calls keyring.keystore.Key, which eventually calls jose2go.Encrypt

Vulnerability #2: GO-2023-2382
    Denial of service via chunk extensions in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-2382
  Standard library
    Found in: net/http/internal@go1.21.4
    Fixed in: net/http/internal@go1.21.5
    Example traces found:
      #1: rpc/websockets.go:331:25: rpc.websocketsServer.tcpGetAndSendResponse calls io.ReadAll, which eventually calls internal.chunkedReader.Read

Vulnerability #3: GO-2023-2185
    Insecure parsing of Windows paths with a \??\ prefix in path/filepath
  More info: https://pkg.go.dev/vuln/GO-2023-2185
  Standard library
    Found in: path/filepath@go1.21.4
    Fixed in: path/filepath@go1.21.5
    Platforms: windows
    Example traces found:
      #1: client/keys/add.go:114:20: keys.RunAddCmd calls keyring.keystore.Delete, which eventually calls filepath.Abs
      #2: client/keys/add.go:114:20: keys.RunAddCmd calls keyring.keystore.Delete, which eventually calls filepath.Abs
      #3: cmd/ethermintd/main.go:35:26: ethermintd.main calls cmd.Execute, which eventually calls filepath.Base
      #4: cmd/ethermintd/main.go:35:26: ethermintd.main calls cmd.Execute, which eventually calls filepath.Base
      #5: rpc/namespaces/ethereum/debug/utils.go:51:23: debug.ExpandHome calls filepath.Clean
      #6: rpc/namespaces/ethereum/debug/utils.go:51:23: debug.ExpandHome calls filepath.Clean
      #7: testutil/network/network.go:382:62: network.New calls genutil.InitializeNodeValidatorFiles, which eventually calls filepath.Dir
      #8: testutil/network/network.go:382:62: network.New calls genutil.InitializeNodeValidatorFiles, which eventually calls filepath.Dir
      #9: cmd/ethermintd/main.go:35:26: ethermintd.main calls cmd.Execute, which eventually calls filepath.EvalSymlinks
      #10: cmd/ethermintd/main.go:35:26: ethermintd.main calls cmd.Execute, which eventually calls filepath.EvalSymlinks
      #11: testutil/network/network.go:642:15: network.Network.Cleanup calls grpc.Server.Stop, which eventually calls filepath.Glob
      #12: testutil/network/network.go:642:15: network.Network.Cleanup calls grpc.Server.Stop, which eventually calls filepath.Glob
      #13: app/app.go:834:25: app.RegisterSwaggerAPI calls fs.New, which eventually calls filepath.IsLocal
      #14: app/app.go:834:25: app.RegisterSwaggerAPI calls fs.New, which eventually calls filepath.IsLocal
      #15: server/start.go:654:26: server.OpenIndexerDB calls filepath.Join
      #16: server/start.go:654:26: server.OpenIndexerDB calls filepath.Join
      #17: rpc/namespaces/ethereum/eth/api.go:495:16: eth.PublicAPI.GetPendingTransactions calls server.ZeroLogWrapper.Debug, which eventually calls filepath.Rel
      #18: rpc/namespaces/ethereum/eth/api.go:495:16: eth.PublicAPI.GetPendingTransactions calls server.ZeroLogWrapper.Debug, which eventually calls filepath.Rel
      #19: testutil/network/util.go:185:49: network.collectGenFiles calls genutil.GenAppStateFromConfig, which eventually calls filepath.Split
      #20: testutil/network/util.go:185:49: network.collectGenFiles calls genutil.GenAppStateFromConfig, which eventually calls filepath.Split
      #21: client/keys/add.go:114:20: keys.RunAddCmd calls keyring.keystore.Delete, which eventually calls filepath.VolumeName
      #22: client/keys/add.go:114:20: keys.RunAddCmd calls keyring.keystore.Delete, which eventually calls filepath.VolumeName
      #23: rpc/backend/node_info.go:234:39: backend.Backend.ListAccounts calls keyring.keystore.List, which eventually calls filepath.Walk
      #24: rpc/backend/node_info.go:234:39: backend.Backend.ListAccounts calls keyring.keystore.List, which eventually calls filepath.Walk

Vulnerability #4: GO-2023-2153
    Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc
  More info: https://pkg.go.dev/vuln/GO-2023-2153
  Module: google.golang.org/grpc
    Found in: google.golang.org/grpc@v1.54.0
    Fixed in: google.golang.org/grpc@v1.56.3
    Example traces found:
      #1: testutil/network/util.go:126:45: network.startInProcess calls grpc.StartGRPCServer, which calls grpc.NewServer
      #2: testutil/network/util.go:126:45: network.startInProcess calls grpc.StartGRPCServer, which eventually calls transport.NewServerTransport
      #3: testutil/network/util.go:126:45: network.startInProcess calls grpc.StartGRPCServer, which eventually calls grpc.Server.Serve

Vulnerability #5: GO-2023-1881
    The x/crisis package does not charge ConstantFee in
    github.com/cosmos/cosmos-sdk
  More info: https://pkg.go.dev/vuln/GO-2023-1881
  Module: github.com/cosmos/cosmos-sdk
    Found in: github.com/cosmos/cosmos-sdk@v0.46.11
    Fixed in: N/A
    Example traces found:
      #1: cmd/ethermintd/root.go:155:27: ethermintd.addModuleInitFlags calls crisis.AddModuleInitFlags
      #2: app/app.go:711:65: app.EthermintApp.InitChainer calls module.Manager.GetVersionMap, which calls crisis.AppModule.ConsensusVersion
      #3: app/app.go:702:24: app.EthermintApp.EndBlocker calls module.Manager.EndBlock, which calls crisis.AppModule.EndBlock
      #4: app/export.go:59:34: app.EthermintApp.ExportAppStateAndValidators calls module.Manager.ExportGenesis, which calls crisis.AppModule.ExportGenesis
      #5: app/app.go:712:27: app.EthermintApp.InitChainer calls module.Manager.InitGenesis, which calls crisis.AppModule.InitGenesis
      #6: app/app.go:607:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.LegacyQuerierHandler
      #7: app/app.go:711:65: app.EthermintApp.InitChainer calls module.Manager.GetVersionMap, which calls crisis.AppModule.Name
      #8: app/app.go:607:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.QuerierRoute
      #9: app/app.go:606:27: app.NewEthermintApp calls module.Manager.RegisterInvariants, which calls crisis.AppModule.RegisterInvariants
      #10: app/app.go:609:25: app.NewEthermintApp calls module.Manager.RegisterServices, which calls crisis.AppModule.RegisterServices
      #11: app/app.go:607:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.Route
      #12: testutil/network/network.go:138:53: network.DefaultConfig calls module.BasicManager.DefaultGenesis, which calls crisis.AppModuleBasic.DefaultGenesis
      #13: cmd/ethermintd/root.go:176:35: ethermintd.queryCommand calls module.BasicManager.AddQueryCommands, which calls crisis.AppModuleBasic.GetQueryCmd
      #14: cmd/ethermintd/root.go:203:32: ethermintd.txCommand calls module.BasicManager.AddTxCommands, which calls crisis.AppModuleBasic.GetTxCmd
      #15: testutil/network/network.go:138:53: network.DefaultConfig calls module.BasicManager.DefaultGenesis, which calls crisis.AppModuleBasic.Name
      #16: app/app.go:803:40: app.EthermintApp.RegisterAPIRoutes calls module.BasicManager.RegisterGRPCGatewayRoutes, which calls crisis.AppModuleBasic.RegisterGRPCGatewayRoutes
      #17: encoding/config.go:44:23: encoding.MakeConfig calls module.BasicManager.RegisterInterfaces, which calls crisis.AppModuleBasic.RegisterInterfaces
      #18: encoding/config.go:42:29: encoding.MakeConfig calls module.BasicManager.RegisterLegacyAminoCodec, which calls crisis.AppModuleBasic.RegisterLegacyAminoCodec
      #19: cmd/ethermintd/main.go:35:26: ethermintd.main calls cmd.Execute, which eventually calls crisis.AppModuleBasic.ValidateGenesis
      #20: app/app.go:494:22: app.NewEthermintApp calls crisis.NewAppModule

Vulnerability #6: GO-2023-1861
    Cosmos "Barberry" vulnerability in github.com/cosmos/cosmos-sdk
  More info: https://pkg.go.dev/vuln/GO-2023-1861
  Module: github.com/cosmos/cosmos-sdk
    Found in: github.com/cosmos/cosmos-sdk@v0.46.11
    Fixed in: github.com/cosmos/cosmos-sdk@v0.46.13
    Example traces found:
      #1: testutil/network/util.go:185:49: network.collectGenFiles calls genutil.GenAppStateFromConfig, which eventually calls types.MsgCreatePeriodicVestingAccount.ValidateBasic

Vulnerability #7: GO-2023-1860
    IBC protocol "Huckleberry" vulnerability in github.com/cosmos/ibc-go
  More info: https://pkg.go.dev/vuln/GO-2023-1860
  Module: github.com/cosmos/ibc-go/v6
    Found in: github.com/cosmos/ibc-go/v6@v6.1.0
    Fixed in: github.com/cosmos/ibc-go/v6@v6.1.1
    Example traces found:
      #1: app/ante/eth.go:376:13: ante.EthIncrementSenderSequenceDecorator.AnteHandle calls types.ChainAnteDecorators, which eventually calls keeper.Keeper.RecvPacket
      #2: x/evm/types/tx.pb.go:587:19: types.RegisterMsgServer calls baseapp.MsgServiceRouter.RegisterService, which eventually calls keeper.Keeper.UnreceivedPackets

Vulnerability #8: GO-2023-1821
    The x/crisis package does not cause chain halt in
    github.com/cosmos/cosmos-sdk
  More info: https://pkg.go.dev/vuln/GO-2023-1821
  Module: github.com/cosmos/cosmos-sdk
    Found in: github.com/cosmos/cosmos-sdk@v0.46.11
    Fixed in: N/A
    Example traces found:
      #1: cmd/ethermintd/root.go:155:27: ethermintd.addModuleInitFlags calls crisis.AddModuleInitFlags
      #2: app/app.go:711:65: app.EthermintApp.InitChainer calls module.Manager.GetVersionMap, which calls crisis.AppModule.ConsensusVersion
      #3: app/app.go:702:24: app.EthermintApp.EndBlocker calls module.Manager.EndBlock, which calls crisis.AppModule.EndBlock
      #4: app/export.go:59:34: app.EthermintApp.ExportAppStateAndValidators calls module.Manager.ExportGenesis, which calls crisis.AppModule.ExportGenesis
      #5: app/app.go:712:27: app.EthermintApp.InitChainer calls module.Manager.InitGenesis, which calls crisis.AppModule.InitGenesis
      #6: app/app.go:607:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.LegacyQuerierHandler
      #7: app/app.go:711:65: app.EthermintApp.InitChainer calls module.Manager.GetVersionMap, which calls crisis.AppModule.Name
      #8: app/app.go:607:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.QuerierRoute
      #9: app/app.go:606:27: app.NewEthermintApp calls module.Manager.RegisterInvariants, which calls crisis.AppModule.RegisterInvariants
      #10: app/app.go:609:25: app.NewEthermintApp calls module.Manager.RegisterServices, which calls crisis.AppModule.RegisterServices
      #11: app/app.go:607:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.Route
      #12: testutil/network/network.go:138:53: network.DefaultConfig calls module.BasicManager.DefaultGenesis, which calls crisis.AppModuleBasic.DefaultGenesis
      #13: cmd/ethermintd/root.go:176:35: ethermintd.queryCommand calls module.BasicManager.AddQueryCommands, which calls crisis.AppModuleBasic.GetQueryCmd
      #14: cmd/ethermintd/root.go:203:32: ethermintd.txCommand calls module.BasicManager.AddTxCommands, which calls crisis.AppModuleBasic.GetTxCmd
      #15: testutil/network/network.go:138:53: network.DefaultConfig calls module.BasicManager.DefaultGenesis, which calls crisis.AppModuleBasic.Name
      #16: app/app.go:803:40: app.EthermintApp.RegisterAPIRoutes calls module.BasicManager.RegisterGRPCGatewayRoutes, which calls crisis.AppModuleBasic.RegisterGRPCGatewayRoutes
      #17: encoding/config.go:44:23: encoding.MakeConfig calls module.BasicManager.RegisterInterfaces, which calls crisis.AppModuleBasic.RegisterInterfaces
      #18: encoding/config.go:42:29: encoding.MakeConfig calls module.BasicManager.RegisterLegacyAminoCodec, which calls crisis.AppModuleBasic.RegisterLegacyAminoCodec
      #19: cmd/ethermintd/main.go:35:26: ethermintd.main calls cmd.Execute, which eventually calls crisis.AppModuleBasic.ValidateGenesis
      #20: app/app.go:494:22: app.NewEthermintApp calls crisis.NewAppModule

=== Informational ===

Found 1 vulnerability in packages that you import, but there are no
call stacks leading to the use of this vulnerability. There are also 4
vulnerabilities in modules that you require that are neither imported
nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.

Vulnerability #1: GO-2023-2402
    Man-in-the-middle attacker can compromise integrity of secure channel in
    golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2023-2402
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.5.0
    Fixed in: golang.org/x/crypto@v0.17.0

Vulnerability #2: GO-2023-2102
    HTTP/2 rapid reset can cause excessive work in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-2102
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.9.0
    Fixed in: golang.org/x/net@v0.17.0

Vulnerability #3: GO-2023-2046
    Unbounded memory consumption in github.com/ethereum/go-ethereum
  More info: https://pkg.go.dev/vuln/GO-2023-2046
  Module: github.com/ethereum/go-ethereum
    Found in: github.com/ethereum/go-ethereum@v1.10.26
    Fixed in: github.com/ethereum/go-ethereum@v1.12.1

Vulnerability #4: GO-2023-1988
    Improper rendering of text nodes in golang.org/x/net/html
  More info: https://pkg.go.dev/vuln/GO-2023-1988
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.9.0
    Fixed in: golang.org/x/net@v0.13.0

Vulnerability #5: GO-2022-0646
    Use of risky cryptographic algorithm in github.com/aws/aws-sdk-go
  More info: https://pkg.go.dev/vuln/GO-2022-0646
  Module: github.com/aws/aws-sdk-go
    Found in: github.com/aws/aws-sdk-go@v1.44.122
    Fixed in: N/A

Your code is affected by 8 vulnerabilities from 4 modules and the Go standard library.

Share feedback at https://go.dev/s/govulncheck-feedback.
make: *** [vulncheck] Error 3
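The question earlier in the thread (how to handle these results) and the Informational section of this run point to the same triage rule: a finding only matters for the build when govulncheck finds a call stack to the vulnerable symbol, while imported-only and required-only findings are a dependency-update chore rather than a release blocker. Disabling the target throws that signal away. The program below is an added example, not code from this issue or from b2-node/Ethermint: it reads `govulncheck -json` output and fails only on reachable findings that have no written-down accepted-risk rationale. The JSON field names (`finding`, `osv`, `trace`, `module`, `package`, `function`) are govulncheck's own; everything else is assumed for the example. The module path `example.com/b2-node` is a placeholder, the sample stream is constructed from the ids in the output above rather than captured, and the single accepted-risk entry (GO-2023-2185, which the output marks `Platforms: windows`) illustrates the mechanism and is not a statement about where b2-node runs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Level is how deeply a vulnerable module is reached, in govulncheck's own three tiers.
type Level int

const (
	Required Level = iota + 1 // module is in go.mod, but no vulnerable package is imported
	Imported                  // a vulnerable package is imported, but no vulnerable symbol is called
	Called                    // a vulnerable symbol is reachable from this code: the only tier that should block
)

func (l Level) String() string { return [...]string{"none", "required", "imported", "called"}[l] }

// Only what triage needs from the -json stream; encoding/json matches field names case-insensitively,
// and config/progress/osv messages decode to a message with a nil Finding and are skipped.
type frame struct{ Module, Package, Function string }
type message struct {
	Finding *struct {
		OSV   string  `json:"osv"`
		Trace []frame `json:"trace"`
	} `json:"finding"`
}

// levelOf reads the first trace frame, where govulncheck puts the vulnerable module/package/symbol
// and leaves blank whatever it could not prove reachable.
func levelOf(trace []frame) Level {
	switch {
	case len(trace) > 0 && trace[0].Function != "":
		return Called
	case len(trace) > 0 && trace[0].Package != "":
		return Imported
	}
	return Required
}

// Classify consumes a govulncheck -json stream and keeps the highest level seen per OSV id,
// because govulncheck emits one finding per tier and per example call stack.
func Classify(r io.Reader) (map[string]Level, error) {
	dec, levels := json.NewDecoder(r), map[string]Level{}
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			return levels, nil
		} else if err != nil {
			return nil, err
		}
		if f := m.Finding; f != nil && levelOf(f.Trace) > levels[f.OSV] {
			levels[f.OSV] = levelOf(f.Trace)
		}
	}
}

// Blocking returns, sorted, the ids that should fail the build: reachable findings with no
// recorded accepted-risk rationale. Imported- and required-only ids are reported, not blocking.
func Blocking(levels map[string]Level, accepted map[string]string) []string {
	var ids []string
	for id, l := range levels {
		if _, ok := accepted[id]; l == Called && !ok {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

// AcceptedRisks is the triage record (a reviewed file in a real repository); this entry and its
// rationale are assumptions made for the example, not a statement about b2-node's platforms.
var AcceptedRisks = map[string]string{
	"GO-2023-2185": "advisory is Windows-only; node binaries are built for linux (assumed)",
}

// SampleStream is a constructed excerpt in govulncheck -json format, not a real capture;
// example.com/b2-node stands in for the repository's own module path.
const SampleStream = `
{"finding":{"osv":"GO-2023-2153","fixed_version":"v1.56.3","trace":[{"module":"google.golang.org/grpc","version":"v1.54.0"}]}}
{"finding":{"osv":"GO-2023-2153","fixed_version":"v1.56.3","trace":[{"module":"google.golang.org/grpc","version":"v1.54.0","package":"google.golang.org/grpc/internal/transport","function":"NewServerTransport"},{"module":"example.com/b2-node","package":"example.com/b2-node/testutil/network","function":"startInProcess","position":{"filename":"testutil/network/util.go","line":126,"column":45}}]}}
{"finding":{"osv":"GO-2023-2185","fixed_version":"go1.21.5","trace":[{"module":"stdlib","version":"go1.21.4","package":"path/filepath","function":"Clean"},{"module":"example.com/b2-node","package":"example.com/b2-node/rpc/namespaces/ethereum/debug","function":"ExpandHome","position":{"filename":"rpc/namespaces/ethereum/debug/utils.go","line":51,"column":23}}]}}
{"finding":{"osv":"GO-2023-2402","fixed_version":"v0.17.0","trace":[{"module":"golang.org/x/crypto","version":"v0.5.0","package":"golang.org/x/crypto/ssh"}]}}
{"finding":{"osv":"GO-2022-0646","trace":[{"module":"github.com/aws/aws-sdk-go","version":"v1.44.122"}]}}
`

// Usage: govulncheck -json ./... | go run triage.go; with nothing piped in it triages SampleStream.
func main() {
	var in io.Reader = strings.NewReader(SampleStream)
	if fi, err := os.Stdin.Stat(); err == nil && fi.Mode()&os.ModeCharDevice == 0 {
		in = os.Stdin
	}
	levels, err := Classify(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, "malformed govulncheck stream:", err)
		os.Exit(2)
	}
	fmt.Println(levels) // fmt prints maps sorted by key, one tier per OSV id
	if b := Blocking(levels, AcceptedRisks); len(b) > 0 {
		fmt.Println("blocking:", strings.Join(b, " "))
		os.Exit(3)
	}
}
```

Wired into the Makefile's vulncheck target as `govulncheck -json ./... | go run ./tools/triage` (path assumed) in place of the bare `govulncheck ./...` call, the gate keeps govulncheck's exit status 3 so `make` still fails, but only for what is actually reachable. Against the second run above it would keep failing on the net/http, grpc, jose2go, ibc-go and cosmos-sdk findings that have call stacks until the Go toolchain and those modules are bumped; GO-2023-1881 and GO-2023-1821, which show `Fixed in: N/A`, are the case the accepted-risk record exists for, and they belong there with a dated rationale rather than behind a disabled target. The x/crypto, x/net, go-ethereum and aws-sdk-go entries from the Informational section would print as `imported` or `required` and not block.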