Closed mrdeep1 closed 1 year ago
@mrdeep1
Thank you for taking care of this update!
Just wanted to inform you that we have been experimenting with an SBOM-related tool to assist in monitoring the application against known security vulnerabilities. At this moment, if we run the tool against the coap examples, it reports the following vulnerabilities from the coap component:
Following vulnerabilities were found. Further analysis may be required for confirmation.
CVEID: CVE-2023-35862
CPE: cpe:2.3:a:libcoap:libcoap:4.3.1:*:*:*:*:*:*:*
DETAIL: https://nvd.nist.gov/vuln/detail/CVE-2023-35862
PACKAGE: submodule-./libcoap
SPDXID: SPDXRef-SUBMODULE-coap-libcoap
libcoap 4.3.1 contains a buffer over-read via the function
coap_parse_oscore_conf_mem at coap_oscore.c.
CVEID: CVE-2023-30362
CPE: cpe:2.3:a:libcoap:libcoap:4.3.1:*:*:*:*:*:*:*
DETAIL: https://nvd.nist.gov/vuln/detail/CVE-2023-30362
PACKAGE: submodule-./libcoap
SPDXID: SPDXRef-SUBMODULE-coap-libcoap
Buffer Overflow vulnerability in coap_send function in libcoap library
4.3.1-103-g52cfd56 fixed in 4.3.1-120-ge242200 allows attackers to
obtain sensitive information via malformed pdu.
As I see that the corresponding fixes have been merged upstream, with this PR we should have a clean run for the coap examples against any known security issues. Just FYI. Thanks.
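As an added example, not the PR's own tooling and not the SBOM tool the comment refers to, the script below parses the report layout quoted above (CVEID/CPE/DETAIL/PACKAGE/SPDXID header lines followed by free-text description lines) and triages each finding against the libcoap version actually built into the project. The embedded report text is constructed from the two records above; treating submodule versions as git-describe strings ("4.3.1-120-ge242200" meaning 120 commits after the 4.3.1 tag) and pulling a "fixed in" version out of the description when one is present are assumptions of this example. It also makes the practitioner's point explicit: a CPE match on "4.3.1" alone cannot tell a pre-fix from a post-fix snapshot of the same release, so findings without a fix version are routed to manual review rather than silently cleared.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two records from the tool output quoted in the
# PR comment, in the same line layout the tool printed.
SAMPLE_REPORT = """\
Following vulnerabilities were found. Further analysis may be required for confirmation.
CVEID: CVE-2023-35862
CPE: cpe:2.3:a:libcoap:libcoap:4.3.1:*:*:*:*:*:*:*
DETAIL: https://nvd.nist.gov/vuln/detail/CVE-2023-35862
PACKAGE: submodule-./libcoap
SPDXID: SPDXRef-SUBMODULE-coap-libcoap
libcoap 4.3.1 contains a buffer over-read via the function
coap_parse_oscore_conf_mem at coap_oscore.c.
CVEID: CVE-2023-30362
CPE: cpe:2.3:a:libcoap:libcoap:4.3.1:*:*:*:*:*:*:*
DETAIL: https://nvd.nist.gov/vuln/detail/CVE-2023-30362
PACKAGE: submodule-./libcoap
SPDXID: SPDXRef-SUBMODULE-coap-libcoap
Buffer Overflow vulnerability in coap_send function in libcoap library
4.3.1-103-g52cfd56 fixed in 4.3.1-120-ge242200 allows attackers to
obtain sensitive information via malformed pdu.
"""

# (release tuple, commits since that release) - orders like git describe output
Version = Tuple[Tuple[int, ...], int]


@dataclass
class Finding:
    cve: str
    cpe: str
    detail: str
    package: str
    spdxid: str
    description: str

    @property
    def cpe_version(self) -> str:
        # cpe:2.3:<part>:<vendor>:<product>:<version>:... -> version is field 5
        return self.cpe.split(":")[5]

    @property
    def fixed_in(self) -> Optional[str]:
        # Assumption: some descriptions carry "fixed in <version>"; extract it if present.
        m = re.search(r"fixed in (\d+(?:\.\d+)*(?:-\d+-g[0-9a-f]+)?)", self.description)
        return m.group(1) if m else None


def parse_report(text: str) -> List[Finding]:
    """Split the tool output into one Finding per CVEID block."""
    findings: List[Finding] = []
    fields: Dict[str, str] = {}
    desc: List[str] = []

    def flush() -> None:
        if fields:
            findings.append(Finding(fields["CVEID"], fields["CPE"], fields["DETAIL"],
                                    fields["PACKAGE"], fields["SPDXID"], " ".join(desc)))

    for line in text.splitlines():
        m = re.match(r"^(CVEID|CPE|DETAIL|PACKAGE|SPDXID): (.*)$", line)
        if m:
            if m.group(1) == "CVEID":   # a new record starts; emit the previous one
                flush()
                fields, desc = {}, []
            fields[m.group(1)] = m.group(2)
        elif fields:                    # free-text lines belong to the current record
            desc.append(line.strip())
        # lines before the first CVEID (the banner) are ignored
    flush()
    return findings


def parse_describe(version: str) -> Version:
    """Parse '4.3.1' or git-describe style '4.3.1-120-ge242200' into a comparable value."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(\d+)-g[0-9a-f]+)?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    commits = int(m.group(2) or 0)
    return release, commits


def triage(findings: List[Finding], built_version: str) -> Dict[str, str]:
    """Classify each finding against the version actually built into the project.

    'fixed'    - report names a fix version and the built version is at or past it
    'affected' - report names a fix version and the built version is before it
    'review'   - report gives no fix version; the CPE match alone is too coarse
                 (a 4.3.1-NNN-g... build still matches cpe ...:4.3.1:...), so the
                 upstream fix commit has to be checked by hand
    """
    built = parse_describe(built_version)
    result: Dict[str, str] = {}
    for f in findings:
        fix = f.fixed_in
        if fix is None:
            result[f.cve] = "review"
        elif built >= parse_describe(fix):
            result[f.cve] = "fixed"
        else:
            result[f.cve] = "affected"
    return result


if __name__ == "__main__":
    for cve, status in triage(parse_report(SAMPLE_REPORT), "4.3.1-120-ge242200").items():
        print(cve, status)
```

Run against the built version "4.3.1-120-ge242200" the script marks CVE-2023-30362 as fixed (the report itself names that fix version) and leaves CVE-2023-35862 in review, because the report only says "4.3.1" and the CPE cannot distinguish the commits after the tag.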
I have done some static code analysis. Here are the results:
These look good. A large part will be down to the removal of code for the higher level logging.
Code changes pushed. Updated examples to easily support CoAP over WebSockets if WebSockets is enabled.
Minor comments, otherwise LGTM!
Thanks for all your help in checking this through.
Checklist
url field defined
Change description
Update libcoap to the latest version.
Code now builds if IPv4 or IPv6 is not available.