Open oxf71 opened 8 months ago
@oxf71 disable it first
ok
➜ b2-node git:(main) git rev-parse --short=7 HEAD
7e42338
➜ b2-node git:(main) make vulncheck
Makefile:81: RocksDB support is disabled; to build and test with RocksDB support, set ENABLE_ROCKSDB=true
fatal: No names found, cannot describe anything.
GOBIN=/Volumes/dev/work/blockchain/b2network/b2-node/build go install golang.org/x/vuln/cmd/govulncheck@latest
/Volumes/dev/work/blockchain/b2network/b2-node/build/govulncheck ./...
Scanning your code and 1129 packages across 159 dependent modules for known vulnerabilities...
Vulnerability #1: GO-2023-2409
Denial of service when decrypting attack controlled input in
github.com/dvsekhvalnov/jose2go
More info: https://pkg.go.dev/vuln/GO-2023-2409
Module: github.com/dvsekhvalnov/jose2go
Found in: github.com/dvsekhvalnov/jose2go@v1.5.0
Fixed in: github.com/dvsekhvalnov/jose2go@v1.5.1-0.20231206184617-48ba0b76bc88
Example traces found:
#1: rpc/backend/node_info.go:211:47: backend.Backend.ImportRawKey calls keyring.keystore.KeyByAddress, which eventually calls jose2go.Decode
#2: client/keys/add.go:102:18: keys.RunAddCmd calls keyring.keystore.Key, which eventually calls jose2go.Encrypt
Vulnerability #2: GO-2023-2382
Denial of service via chunk extensions in net/http
More info: https://pkg.go.dev/vuln/GO-2023-2382
Standard library
Found in: net/http/internal@go1.21.4
Fixed in: net/http/internal@go1.21.5
Example traces found:
#1: rpc/websockets.go:331:25: rpc.websocketsServer.tcpGetAndSendResponse calls io.ReadAll, which eventually calls internal.chunkedReader.Read
Vulnerability #3: GO-2023-2185
Insecure parsing of Windows paths with a \??\ prefix in path/filepath
More info: https://pkg.go.dev/vuln/GO-2023-2185
Standard library
Found in: path/filepath@go1.21.4
Fixed in: path/filepath@go1.21.5
Platforms: windows
Example traces found:
#1: client/keys/add.go:114:20: keys.RunAddCmd calls keyring.keystore.Delete, which eventually calls filepath.Abs
#2: client/keys/add.go:114:20: keys.RunAddCmd calls keyring.keystore.Delete, which eventually calls filepath.Abs
#3: cmd/ethermintd/main.go:35:26: ethermintd.main calls cmd.Execute, which eventually calls filepath.Base
#4: cmd/ethermintd/main.go:35:26: ethermintd.main calls cmd.Execute, which eventually calls filepath.Base
#5: rpc/namespaces/ethereum/debug/utils.go:51:23: debug.ExpandHome calls filepath.Clean
#6: rpc/namespaces/ethereum/debug/utils.go:51:23: debug.ExpandHome calls filepath.Clean
#7: testutil/network/network.go:382:62: network.New calls genutil.InitializeNodeValidatorFiles, which eventually calls filepath.Dir
#8: testutil/network/network.go:382:62: network.New calls genutil.InitializeNodeValidatorFiles, which eventually calls filepath.Dir
#9: cmd/ethermintd/main.go:35:26: ethermintd.main calls cmd.Execute, which eventually calls filepath.EvalSymlinks
#10: cmd/ethermintd/main.go:35:26: ethermintd.main calls cmd.Execute, which eventually calls filepath.EvalSymlinks
#11: testutil/network/network.go:642:15: network.Network.Cleanup calls grpc.Server.Stop, which eventually calls filepath.Glob
#12: testutil/network/network.go:642:15: network.Network.Cleanup calls grpc.Server.Stop, which eventually calls filepath.Glob
#13: app/app.go:834:25: app.RegisterSwaggerAPI calls fs.New, which eventually calls filepath.IsLocal
#14: app/app.go:834:25: app.RegisterSwaggerAPI calls fs.New, which eventually calls filepath.IsLocal
#15: server/start.go:654:26: server.OpenIndexerDB calls filepath.Join
#16: server/start.go:654:26: server.OpenIndexerDB calls filepath.Join
#17: rpc/namespaces/ethereum/eth/api.go:495:16: eth.PublicAPI.GetPendingTransactions calls server.ZeroLogWrapper.Debug, which eventually calls filepath.Rel
#18: rpc/namespaces/ethereum/eth/api.go:495:16: eth.PublicAPI.GetPendingTransactions calls server.ZeroLogWrapper.Debug, which eventually calls filepath.Rel
#19: testutil/network/util.go:185:49: network.collectGenFiles calls genutil.GenAppStateFromConfig, which eventually calls filepath.Split
#20: testutil/network/util.go:185:49: network.collectGenFiles calls genutil.GenAppStateFromConfig, which eventually calls filepath.Split
#21: client/keys/add.go:114:20: keys.RunAddCmd calls keyring.keystore.Delete, which eventually calls filepath.VolumeName
#22: client/keys/add.go:114:20: keys.RunAddCmd calls keyring.keystore.Delete, which eventually calls filepath.VolumeName
#23: rpc/backend/node_info.go:234:39: backend.Backend.ListAccounts calls keyring.keystore.List, which eventually calls filepath.Walk
#24: rpc/backend/node_info.go:234:39: backend.Backend.ListAccounts calls keyring.keystore.List, which eventually calls filepath.Walk
Vulnerability #4: GO-2023-2153
Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc
More info: https://pkg.go.dev/vuln/GO-2023-2153
Module: google.golang.org/grpc
Found in: google.golang.org/grpc@v1.54.0
Fixed in: google.golang.org/grpc@v1.56.3
Example traces found:
#1: testutil/network/util.go:126:45: network.startInProcess calls grpc.StartGRPCServer, which calls grpc.NewServer
#2: testutil/network/util.go:126:45: network.startInProcess calls grpc.StartGRPCServer, which eventually calls transport.NewServerTransport
#3: testutil/network/util.go:126:45: network.startInProcess calls grpc.StartGRPCServer, which eventually calls grpc.Server.Serve
Vulnerability #5: GO-2023-1881
The x/crisis package does not charge ConstantFee in
github.com/cosmos/cosmos-sdk
More info: https://pkg.go.dev/vuln/GO-2023-1881
Module: github.com/cosmos/cosmos-sdk
Found in: github.com/cosmos/cosmos-sdk@v0.46.11
Fixed in: N/A
Example traces found:
#1: cmd/ethermintd/root.go:155:27: ethermintd.addModuleInitFlags calls crisis.AddModuleInitFlags
#2: app/app.go:711:65: app.EthermintApp.InitChainer calls module.Manager.GetVersionMap, which calls crisis.AppModule.ConsensusVersion
#3: app/app.go:702:24: app.EthermintApp.EndBlocker calls module.Manager.EndBlock, which calls crisis.AppModule.EndBlock
#4: app/export.go:59:34: app.EthermintApp.ExportAppStateAndValidators calls module.Manager.ExportGenesis, which calls crisis.AppModule.ExportGenesis
#5: app/app.go:712:27: app.EthermintApp.InitChainer calls module.Manager.InitGenesis, which calls crisis.AppModule.InitGenesis
#6: app/app.go:607:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.LegacyQuerierHandler
#7: app/app.go:711:65: app.EthermintApp.InitChainer calls module.Manager.GetVersionMap, which calls crisis.AppModule.Name
#8: app/app.go:607:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.QuerierRoute
#9: app/app.go:606:27: app.NewEthermintApp calls module.Manager.RegisterInvariants, which calls crisis.AppModule.RegisterInvariants
#10: app/app.go:609:25: app.NewEthermintApp calls module.Manager.RegisterServices, which calls crisis.AppModule.RegisterServices
#11: app/app.go:607:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.Route
#12: testutil/network/network.go:138:53: network.DefaultConfig calls module.BasicManager.DefaultGenesis, which calls crisis.AppModuleBasic.DefaultGenesis
#13: cmd/ethermintd/root.go:176:35: ethermintd.queryCommand calls module.BasicManager.AddQueryCommands, which calls crisis.AppModuleBasic.GetQueryCmd
#14: cmd/ethermintd/root.go:203:32: ethermintd.txCommand calls module.BasicManager.AddTxCommands, which calls crisis.AppModuleBasic.GetTxCmd
#15: testutil/network/network.go:138:53: network.DefaultConfig calls module.BasicManager.DefaultGenesis, which calls crisis.AppModuleBasic.Name
#16: app/app.go:803:40: app.EthermintApp.RegisterAPIRoutes calls module.BasicManager.RegisterGRPCGatewayRoutes, which calls crisis.AppModuleBasic.RegisterGRPCGatewayRoutes
#17: encoding/config.go:44:23: encoding.MakeConfig calls module.BasicManager.RegisterInterfaces, which calls crisis.AppModuleBasic.RegisterInterfaces
#18: encoding/config.go:42:29: encoding.MakeConfig calls module.BasicManager.RegisterLegacyAminoCodec, which calls crisis.AppModuleBasic.RegisterLegacyAminoCodec
#19: cmd/ethermintd/main.go:35:26: ethermintd.main calls cmd.Execute, which eventually calls crisis.AppModuleBasic.ValidateGenesis
#20: app/app.go:494:22: app.NewEthermintApp calls crisis.NewAppModule
Vulnerability #6: GO-2023-1861
Cosmos "Barberry" vulnerability in github.com/cosmos/cosmos-sdk
More info: https://pkg.go.dev/vuln/GO-2023-1861
Module: github.com/cosmos/cosmos-sdk
Found in: github.com/cosmos/cosmos-sdk@v0.46.11
Fixed in: github.com/cosmos/cosmos-sdk@v0.46.13
Example traces found:
#1: testutil/network/util.go:185:49: network.collectGenFiles calls genutil.GenAppStateFromConfig, which eventually calls types.MsgCreatePeriodicVestingAccount.ValidateBasic
Vulnerability #7: GO-2023-1860
IBC protocol "Huckleberry" vulnerability in github.com/cosmos/ibc-go
More info: https://pkg.go.dev/vuln/GO-2023-1860
Module: github.com/cosmos/ibc-go/v6
Found in: github.com/cosmos/ibc-go/v6@v6.1.0
Fixed in: github.com/cosmos/ibc-go/v6@v6.1.1
Example traces found:
#1: app/ante/eth.go:376:13: ante.EthIncrementSenderSequenceDecorator.AnteHandle calls types.ChainAnteDecorators, which eventually calls keeper.Keeper.RecvPacket
#2: x/evm/types/tx.pb.go:587:19: types.RegisterMsgServer calls baseapp.MsgServiceRouter.RegisterService, which eventually calls keeper.Keeper.UnreceivedPackets
Vulnerability #8: GO-2023-1821
The x/crisis package does not cause chain halt in
github.com/cosmos/cosmos-sdk
More info: https://pkg.go.dev/vuln/GO-2023-1821
Module: github.com/cosmos/cosmos-sdk
Found in: github.com/cosmos/cosmos-sdk@v0.46.11
Fixed in: N/A
Example traces found:
#1: cmd/ethermintd/root.go:155:27: ethermintd.addModuleInitFlags calls crisis.AddModuleInitFlags
#2: app/app.go:711:65: app.EthermintApp.InitChainer calls module.Manager.GetVersionMap, which calls crisis.AppModule.ConsensusVersion
#3: app/app.go:702:24: app.EthermintApp.EndBlocker calls module.Manager.EndBlock, which calls crisis.AppModule.EndBlock
#4: app/export.go:59:34: app.EthermintApp.ExportAppStateAndValidators calls module.Manager.ExportGenesis, which calls crisis.AppModule.ExportGenesis
#5: app/app.go:712:27: app.EthermintApp.InitChainer calls module.Manager.InitGenesis, which calls crisis.AppModule.InitGenesis
#6: app/app.go:607:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.LegacyQuerierHandler
#7: app/app.go:711:65: app.EthermintApp.InitChainer calls module.Manager.GetVersionMap, which calls crisis.AppModule.Name
#8: app/app.go:607:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.QuerierRoute
#9: app/app.go:606:27: app.NewEthermintApp calls module.Manager.RegisterInvariants, which calls crisis.AppModule.RegisterInvariants
#10: app/app.go:609:25: app.NewEthermintApp calls module.Manager.RegisterServices, which calls crisis.AppModule.RegisterServices
#11: app/app.go:607:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.Route
#12: testutil/network/network.go:138:53: network.DefaultConfig calls module.BasicManager.DefaultGenesis, which calls crisis.AppModuleBasic.DefaultGenesis
#13: cmd/ethermintd/root.go:176:35: ethermintd.queryCommand calls module.BasicManager.AddQueryCommands, which calls crisis.AppModuleBasic.GetQueryCmd
#14: cmd/ethermintd/root.go:203:32: ethermintd.txCommand calls module.BasicManager.AddTxCommands, which calls crisis.AppModuleBasic.GetTxCmd
#15: testutil/network/network.go:138:53: network.DefaultConfig calls module.BasicManager.DefaultGenesis, which calls crisis.AppModuleBasic.Name
#16: app/app.go:803:40: app.EthermintApp.RegisterAPIRoutes calls module.BasicManager.RegisterGRPCGatewayRoutes, which calls crisis.AppModuleBasic.RegisterGRPCGatewayRoutes
#17: encoding/config.go:44:23: encoding.MakeConfig calls module.BasicManager.RegisterInterfaces, which calls crisis.AppModuleBasic.RegisterInterfaces
#18: encoding/config.go:42:29: encoding.MakeConfig calls module.BasicManager.RegisterLegacyAminoCodec, which calls crisis.AppModuleBasic.RegisterLegacyAminoCodec
#19: cmd/ethermintd/main.go:35:26: ethermintd.main calls cmd.Execute, which eventually calls crisis.AppModuleBasic.ValidateGenesis
#20: app/app.go:494:22: app.NewEthermintApp calls crisis.NewAppModule
=== Informational ===
Found 1 vulnerability in packages that you import, but there are no
call stacks leading to the use of this vulnerability. There are also 4
vulnerabilities in modules that you require that are neither imported
nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
Vulnerability #1: GO-2023-2402
Man-in-the-middle attacker can compromise integrity of secure channel in
golang.org/x/crypto
More info: https://pkg.go.dev/vuln/GO-2023-2402
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.5.0
Fixed in: golang.org/x/crypto@v0.17.0
Vulnerability #2: GO-2023-2102
HTTP/2 rapid reset can cause excessive work in net/http
More info: https://pkg.go.dev/vuln/GO-2023-2102
Module: golang.org/x/net
Found in: golang.org/x/net@v0.9.0
Fixed in: golang.org/x/net@v0.17.0
Vulnerability #3: GO-2023-2046
Unbounded memory consumption in github.com/ethereum/go-ethereum
More info: https://pkg.go.dev/vuln/GO-2023-2046
Module: github.com/ethereum/go-ethereum
Found in: github.com/ethereum/go-ethereum@v1.10.26
Fixed in: github.com/ethereum/go-ethereum@v1.12.1
Vulnerability #4: GO-2023-1988
Improper rendering of text nodes in golang.org/x/net/html
More info: https://pkg.go.dev/vuln/GO-2023-1988
Module: golang.org/x/net
Found in: golang.org/x/net@v0.9.0
Fixed in: golang.org/x/net@v0.13.0
Vulnerability #5: GO-2022-0646
Use of risky cryptographic algorithm in github.com/aws/aws-sdk-go
More info: https://pkg.go.dev/vuln/GO-2022-0646
Module: github.com/aws/aws-sdk-go
Found in: github.com/aws/aws-sdk-go@v1.44.122
Fixed in: N/A
Your code is affected by 8 vulnerabilities from 4 modules and the Go standard library.
Share feedback at https://go.dev/s/govulncheck-feedback.
make: *** [vulncheck] Error 3
Dependency Review actions failed
https://github.com/oxf71/b2-node/actions/runs/6730778725/job/18294194448
How should the vulnerability check results be handled?
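One way to act on a report like this in CI, as an added example that is not code from b2-node, Ethermint or govulncheck itself: parse the machine-readable `govulncheck -json ./...` stream instead of the text report, merge the module-, package- and symbol-level finding messages per OSV ID, fail the job only on findings your code actually calls (the same condition that produced the exit status 3 above), and keep a written justification in the repository for IDs you accept, which is the only option for entries reported with "Fixed in: N/A" since no `go get` bump can clear them. The JSON field names and the frame order inside `trace` are assumptions about the govulncheck streaming format and should be checked against the govulncheck version in use; the embedded stream is constructed to mirror four of the findings above and was not captured from the tool; the module path `example.com/b2-node` and the acceptance reason in `main` are illustrative.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Subset of the govulncheck -json stream (golang.org/x/vuln v1.x). The field
// names are assumed from that format; verify them against your govulncheck.
type message struct {
	Finding *finding `json:"finding,omitempty"`
}

type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"` // empty where the text report says "Fixed in: N/A"
	Trace        []frame `json:"trace"`
}

type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
	Receiver string `json:"receiver"`
}

// Level is how far a finding reaches into your code, weakest first.
type Level int

const (
	ModuleOnly Level = iota // module is required, nothing from it is imported
	Imported                // a vulnerable package is imported, no call path found
	Called                  // your code can reach the vulnerable symbol
)

func (l Level) String() string { return [...]string{"module-only", "imported", "called"}[l] }

// Summary merges every finding message govulncheck emitted for one OSV ID.
type Summary struct {
	ID, Module, Version string
	Fixed               string // "" means no fixed version is published
	Level               Level
	Entry               string // a caller in your code; set only when Called
}

// levelOf reads the level off the frames: a module-level finding carries a
// single frame with only a module, an import-level one adds a package, and a
// symbol-level one has functions along the trace.
func levelOf(f *finding) Level {
	lvl := ModuleOnly
	for _, fr := range f.Trace {
		if fr.Function != "" {
			return Called
		}
		if fr.Package != "" {
			lvl = Imported
		}
	}
	return lvl
}

// Triage decodes a govulncheck -json stream (the tool pretty-prints one JSON
// object per message, so a streaming decoder is used instead of line splitting)
// and keeps the strongest level seen for each OSV ID.
func Triage(r io.Reader) (map[string]*Summary, error) {
	dec := json.NewDecoder(r)
	out := map[string]*Summary{}
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, fmt.Errorf("decoding govulncheck output: %w", err)
		}
		f := m.Finding
		if f == nil || len(f.Trace) == 0 {
			continue // config, progress and osv messages carry no finding
		}
		// Assumed frame order: trace[0] is the vulnerable symbol (so it names the
		// affected module) and the last frame is the caller in your own code.
		first, last := f.Trace[0], f.Trace[len(f.Trace)-1]
		lvl := levelOf(f)
		s, ok := out[f.OSV]
		if !ok {
			s = &Summary{ID: f.OSV, Module: first.Module, Version: first.Version, Fixed: f.FixedVersion, Level: lvl}
			out[f.OSV] = s
		} else if lvl > s.Level {
			s.Level = lvl
		}
		if lvl == Called && s.Entry == "" {
			name := last.Function
			if last.Receiver != "" {
				name = last.Receiver + "." + name
			}
			s.Entry = last.Package + "." + name
		}
	}
	return out, nil
}

// Gate is the CI policy: block only on findings your code calls, unless the ID
// was accepted with a written reason. Module-only and imported findings are
// reported but do not fail the build, matching govulncheck's own text mode.
func Gate(findings map[string]*Summary, accepted map[string]string) []string {
	var blocking []string
	for id, s := range findings {
		if _, ok := accepted[id]; s.Level == Called && !ok {
			blocking = append(blocking, id)
		}
	}
	sort.Strings(blocking)
	return blocking
}

// sampleStream is constructed input in the govulncheck -json shape, modelled on
// four of the findings in the report above; it was not captured from the tool.
const sampleStream = `
{"config": {"protocol_version": "v1.0.0", "scanner_name": "govulncheck"}}
{"progress": {"message": "Scanning your code and 1129 packages across 159 dependent modules for known vulnerabilities..."}}
{"finding": {"osv": "GO-2023-2409", "fixed_version": "v1.5.1-0.20231206184617-48ba0b76bc88",
  "trace": [{"module": "github.com/dvsekhvalnov/jose2go", "version": "v1.5.0"}]}}
{"finding": {"osv": "GO-2023-2409", "fixed_version": "v1.5.1-0.20231206184617-48ba0b76bc88",
  "trace": [{"module": "github.com/dvsekhvalnov/jose2go", "version": "v1.5.0", "package": "github.com/dvsekhvalnov/jose2go"}]}}
{"finding": {"osv": "GO-2023-2409", "fixed_version": "v1.5.1-0.20231206184617-48ba0b76bc88", "trace": [
  {"module": "github.com/dvsekhvalnov/jose2go", "version": "v1.5.0", "package": "github.com/dvsekhvalnov/jose2go", "function": "Decode"},
  {"module": "github.com/cosmos/cosmos-sdk", "version": "v0.46.11", "package": "github.com/cosmos/cosmos-sdk/crypto/keyring", "function": "KeyByAddress", "receiver": "keystore"},
  {"module": "example.com/b2-node", "package": "example.com/b2-node/rpc/backend", "function": "ImportRawKey", "receiver": "*Backend"}]}}
{"finding": {"osv": "GO-2023-1881", "fixed_version": "", "trace": [
  {"module": "github.com/cosmos/cosmos-sdk", "version": "v0.46.11", "package": "github.com/cosmos/cosmos-sdk/x/crisis", "function": "NewAppModule"},
  {"module": "example.com/b2-node", "package": "example.com/b2-node/app", "function": "NewEthermintApp"}]}}
{"finding": {"osv": "GO-2023-2402", "fixed_version": "v0.17.0",
  "trace": [{"module": "golang.org/x/crypto", "version": "v0.5.0", "package": "golang.org/x/crypto/ssh"}]}}
{"finding": {"osv": "GO-2022-0646", "fixed_version": "",
  "trace": [{"module": "github.com/aws/aws-sdk-go", "version": "v1.44.122"}]}}
`

func main() {
	var in io.Reader = strings.NewReader(sampleStream)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		in = os.Stdin // usage: govulncheck -json ./... | go run triage.go -
	}
	findings, err := Triage(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	ids := make([]string, 0, len(findings))
	for id := range findings {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		s := findings[id]
		fixed := s.Fixed
		if fixed == "" {
			fixed = "N/A (no fixed version; a dependency bump cannot clear this)"
		}
		fmt.Printf("%-12s %-11s %s@%s fixed: %s %s\n", s.ID, s.Level, s.Module, s.Version, fixed, s.Entry)
	}
	// Accepted IDs are committed with a reason so reviewers can see what was
	// waived. This reason is illustrative, not a statement about b2-node.
	accepted := map[string]string{"GO-2023-1881": "no fixed version published; revisit on the next cosmos-sdk upgrade"}
	if blocking := Gate(findings, accepted); len(blocking) > 0 {
		fmt.Println("blocking:", strings.Join(blocking, ", "))
		os.Exit(3) // the exit status govulncheck itself returned above
	}
}
```

Run stand-alone it triages the embedded sample and exits 3 because GO-2023-2409 is called and not accepted; in a Makefile target it would be wired as `govulncheck -json ./... | go run ./tools/triage -` (the path is hypothetical). Bumping jose2go, grpc, x/net, x/crypto and the Go toolchain clears the findings with a published fix; the crisis-module and aws-sdk-go entries have no fixed version and can only be accepted with a reason or removed by dropping the dependency.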