Closed jonthomp closed 1 year ago
That link says this:
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build".
This looks like a vulnerability in the Go compiler itself, not in software compiled with the Go compiler, and only seems relevant when someone is building untrusted Go code using cgo, neither of which is the case when building esbuild. Please explain how this security vulnerability is relevant to esbuild, as running esbuild doesn’t invoke the Go compiler in the first place.
I am currently using Go 1.20 instead of Go 1.21 because Go 1.21 drops support for platforms I care about. I am not going to break esbuild for people just to silence irrelevant security alerts. There’s also a FAQ entry about this: https://esbuild.github.io/faq/#old-go-version.
Sorry @evanw, I should have been clearer: there isn't any need to move to 1.21, they've backported the fix to 1.20 too: https://github.com/golang/go/issues/63213.
The vulnerability scanner is flagging /app/node_modules/@esbuild/linux-x64/bin/esbuild. Given what you have explained, I presume the only reason it is relevant to esbuild is simply that you've used a flagged version; annoyingly it doesn't care that it's only relevant when building and using cgo.
Ah, I see. I can probably upgrade esbuild to Go 1.20.10 without issue, as this shouldn't change support for older platforms.
What vulnerability scanner are you using? This seems like a bug in the vulnerability scanner, which ideally would be reported.
My team is impacted by this. Was wondering when there would be a version update?
I see the commit made for it. Thank you.
@baileyg2016 please describe which vulnerability scanner you’re using that has this bug. This is a problem with your vulnerability scanner, not with esbuild. The issue you’re concerned about is completely irrelevant to esbuild.
The Google Web Security Scanner inside of GCP
Ah ok, thanks. Unfortunately that is locked behind a paywall so I am unable to reproduce this issue or file an invalid scan report with Google.
In any case, I'm closing this issue because it's irrelevant. People encountering this warning from their dependency scanners should ignore the false positive. If anyone who is getting this is able to report a false positive with Google, that would be appreciated so this dependency scanner can stop wasting everyone's time.
This CVE is also detected in esbuild by Palo Alto's Prisma Twistlock. I'll get a case raised asking them to review it as a false positive.
I appreciate your time in looking at this.
FWIW, this is fixed by @evanw in https://github.com/evanw/esbuild/commit/cd91337d87e4f53e388a5a66d24e791957165b24, as that commit bumps golang from 1.20.7 to 1.20.10, and golang 1.20.10 has a fix for CVE-2023-39323 (source: https://go.dev/doc/devel/release#go1.21.0).
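A check for what the thread describes, added here as an example and not code from esbuild or the Go project: it reads the toolchain version embedded in a Go binary's build info (the string the scanners match on) and compares it numerically against the first fixed releases the thread cites, 1.20.9 and 1.21.2. The file name check.go and the command-line usage are assumptions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseGoVersion turns "go1.20.7" into [major, minor, patch]. Compare numerically: as strings, "1.20.7" sorts after "1.20.10".
func parseGoVersion(v string) (out [3]int, err error) {
	s := strings.TrimPrefix(strings.TrimSpace(v), "go")
	if i := strings.IndexFunc(s, func(r rune) bool { return r != '.' && (r < '0' || r > '9') }); i >= 0 {
		s = s[:i] // drop pre-release suffixes such as "rc2"; "go1.21rc2" and "go1.20" count as patch 0
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i, p := range parts {
		if out[i], err = strconv.Atoi(p); err != nil {
			return out, fmt.Errorf("unrecognised Go version %q", v)
		}
	}
	return out, nil
}

// AffectedByCVE202339323 reports whether a Go toolchain version predates the
// first fixed patch releases cited in the thread: 1.20.9 and 1.21.2.
func AffectedByCVE202339323(goVersion string) (bool, error) {
	v, err := parseGoVersion(goVersion)
	if err != nil || v[0] != 1 {
		return false, err
	}
	if p, ok := map[int]int{20: 9, 21: 2}[v[1]]; ok {
		return v[2] < p, nil
	}
	return v[1] < 20, nil // every earlier minor is affected; 1.22+ is not
}

// Usage (assumed file name): go run check.go /app/node_modules/@esbuild/linux-x64/bin/esbuild
func main() {
	bi, err := buildinfo.ReadFile(os.Args[1]) // build info holds the toolchain version scanners match on
	if err != nil {
		panic(err)
	}
	affected, err := AffectedByCVE202339323(bi.GoVersion)
	fmt.Println(os.Args[1], "built with", bi.GoVersion, "affected:", affected, "error:", err)
}
```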
Hi,
There is a recent (5th Oct 2023) CVE for all versions of Go prior to 1.21.2: https://www.cve.org/CVERecord?id=CVE-2023-39323
It should be fixed in 1.20.9 (https://github.com/golang/go/issues/63213); please can you rebuild and release a new version, as it's currently being blocked by vulnerability scanners?