fullstorydev / grpcurl

Like cURL, but for gRPC: Command-line tool for interacting with gRPC servers
MIT License
10.36k stars 497 forks

Security Patching - Dependency Updates #357

Open obale opened 1 year ago

obale commented 1 year ago

Before Dependency Updates

Run December 18, 2022 at 8:03pm EST time

$ trivy image fullstorydev/grpcurl:latest

2022-12-18T20:03:33.335-0500    INFO    Vulnerability scanning is enabled
2022-12-18T20:03:33.335-0500    INFO    Secret scanning is enabled
2022-12-18T20:03:33.335-0500    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-12-18T20:03:33.335-0500    INFO    Please see also https://aquasecurity.github.io/trivy/v0.35/docs/secret/scanning/#recommendation for faster secret detection
2022-12-18T20:03:33.734-0500    INFO    Number of language-specific files: 1
2022-12-18T20:03:33.734-0500    INFO    Detecting gobinary vulnerabilities...

bin/grpcurl (gobinary)

Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 4, CRITICAL: 0)

┌───────────────────┬────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │         Installed Version          │           Fixed Version           │                            Title                             │
├───────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net  │ CVE-2021-33194 │ HIGH     │ v0.0.0-20201021035429-f5854403a974 │ 0.0.0-20210520170846-37e1c6afe023 │ golang: x/net/html: infinite loop in ParseFragment           │
│                   │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-33194                   │
│                   ├────────────────┤          │                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2021-44716 │          │                                    │ 0.0.0-20211209124913-491a49abca63 │ golang: net/http: limit growth of header canonicalization    │
│                   │                │          │                                    │                                   │ cache                                                        │
│                   │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-44716                   │
│                   ├────────────────┤          │                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-27664 │          │                                    │ 0.0.0-20220906165146-f3363e06e74c │ golang: net/http: handle server errors after sending GOAWAY  │
│                   │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27664                   │
│                   ├────────────────┼──────────┤                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2021-31525 │ MEDIUM   │                                    │ 0.0.0-20210428140749-89ef3d95e781 │ golang: net/http: panic in ReadRequest and ReadResponse when │
│                   │                │          │                                    │                                   │ reading a very large...                                      │
│                   │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-31525                   │
│                   ├────────────────┤          │                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-41717 │          │                                    │ 0.4.0                             │ An attacker can cause excessive memory growth in a Go server │
│                   │                │          │                                    │                                   │ accepting...                                                 │
│                   │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-41717                   │
├───────────────────┼────────────────┤          ├────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/sys  │ CVE-2022-29526 │          │ v0.0.0-20210119212857-b64e53b001e4 │ 0.0.0-20220412211240-33da011f77ad │ golang: syscall: faccessat checks wrong group                │
│                   │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-29526                   │
├───────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/text │ CVE-2022-32149 │ HIGH     │ v0.3.7                             │ 0.3.8                             │ golang: golang.org/x/text/language: ParseAcceptLanguage      │
│                   │                │          │                                    │                                   │ takes a long time to parse complex tags                      │
│                   │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-32149                   │
└───────────────────┴────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴──────────────────────────────────────────────────────────────┘

After Dependency Updates

Run December 18, 2022 at 8:21pm EST time against the changes in this pull request.

$ trivy image fullstorydev/grpcurl:0165806
2022-12-18T20:21:49.210-0500    INFO    Vulnerability scanning is enabled
2022-12-18T20:21:49.210-0500    INFO    Secret scanning is enabled
2022-12-18T20:21:49.210-0500    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-12-18T20:21:49.210-0500    INFO    Please see also https://aquasecurity.github.io/trivy/v0.35/docs/secret/scanning/#recommendation for faster secret detection
2022-12-18T20:21:49.520-0500    INFO    Number of language-specific files: 1
2022-12-18T20:21:49.520-0500    INFO    Detecting gobinary vulnerabilities...
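Trivy's gobinary scanner works from the module list that the Go toolchain embeds in every binary, comparing each module's version against the fixed versions in its database. The following is an added example, not code from this pull request, from grpcurl or from trivy: it reads that same embedded metadata with the standard library's debug/buildinfo (or, with no argument, falls back to the "Installed Version" column of the first scan above) and checks each module against the "Fixed Version" column of that scan, so a rebuilt image can be verified independently of a trivy run. The module-to-CVE table is copied from the scan output above; the version ordering is a deliberately minimal semver/pseudo-version comparison written for this example and makes no attempt to cover every form Go module versions can take.

```go
// Added example: check the Go modules recorded in a binary against the
// "Fixed Version" column of the trivy scan in this thread. Not grpcurl or
// trivy code.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// fixedVersion is one row of the trivy table: the module and the minimum
// version that carries the fix for the named CVE.
type fixedVersion struct {
	Module, CVE, Fixed string
}

// trivyFixes is the "Fixed Version" column of the first scan above, verbatim.
var trivyFixes = []fixedVersion{
	{"golang.org/x/net", "CVE-2021-33194", "0.0.0-20210520170846-37e1c6afe023"},
	{"golang.org/x/net", "CVE-2021-44716", "0.0.0-20211209124913-491a49abca63"},
	{"golang.org/x/net", "CVE-2022-27664", "0.0.0-20220906165146-f3363e06e74c"},
	{"golang.org/x/net", "CVE-2021-31525", "0.0.0-20210428140749-89ef3d95e781"},
	{"golang.org/x/net", "CVE-2022-41717", "0.4.0"},
	{"golang.org/x/sys", "CVE-2022-29526", "0.0.0-20220412211240-33da011f77ad"},
	{"golang.org/x/text", "CVE-2022-32149", "0.3.8"},
}

// beforeVersions is the "Installed Version" column of the first scan above.
var beforeVersions = map[string]string{
	"golang.org/x/net":  "v0.0.0-20201021035429-f5854403a974",
	"golang.org/x/sys":  "v0.0.0-20210119212857-b64e53b001e4",
	"golang.org/x/text": "v0.3.7",
}

// splitVersion returns MAJOR.MINOR.PATCH as numbers plus the pre-release
// suffix (for a Go pseudo-version: "TIMESTAMP-COMMIT"); a leading "v" and
// any "+build" metadata are dropped.
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	v, _, _ = strings.Cut(v, "+")
	core, pre, _ := strings.Cut(v, "-")
	var nums [3]int
	for i, part := range strings.SplitN(core, ".", 3) {
		n, _ := strconv.Atoi(part) // a non-numeric part counts as 0
		nums[i] = n
	}
	return nums, pre
}

// compareVersions returns -1, 0 or 1. The numeric core is compared first; a
// version with a pre-release suffix sorts below the same bare version, and
// two suffixes compare as strings, which is correct for pseudo-versions
// because their timestamps are fixed-width.
func compareVersions(a, b string) int {
	aNums, aPre := splitVersion(a)
	bNums, bPre := splitVersion(b)
	for i := 0; i < 3; i++ {
		if aNums[i] < bNums[i] {
			return -1
		}
		if aNums[i] > bNums[i] {
			return 1
		}
	}
	switch {
	case aPre == bPre:
		return 0
	case aPre == "":
		return 1
	case bPre == "":
		return -1
	case aPre < bPre:
		return -1
	}
	return 1
}

// outstanding lists the table rows whose fix is not present in the installed
// module set; a module absent from the set is treated as not affected.
func outstanding(installed map[string]string) []fixedVersion {
	var out []fixedVersion
	for _, f := range trivyFixes {
		if have, ok := installed[f.Module]; ok && compareVersions(have, f.Fixed) < 0 {
			out = append(out, f)
		}
	}
	return out
}

// depsFromBinary reads the module list a Go binary records about itself,
// the same metadata trivy's gobinary scanner uses. A replace directive wins
// because that is the code that was actually compiled in.
func depsFromBinary(path string) (map[string]string, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	deps := make(map[string]string, len(info.Deps))
	for _, d := range info.Deps {
		if d.Replace != nil {
			d = d.Replace
		}
		deps[d.Path] = d.Version
	}
	return deps, nil
}

func main() {
	installed := beforeVersions // no argument: use the first scan's versions
	if len(os.Args) > 1 {
		var err error
		if installed, err = depsFromBinary(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	missing := outstanding(installed)
	for _, m := range missing {
		fmt.Printf("%-18s %s: have %s, need >= %s\n", m.Module, m.CVE, installed[m.Module], m.Fixed)
	}
	if len(missing) > 0 {
		os.Exit(1)
	}
	fmt.Println("all listed fixes present")
}
```

Run as `go run . /path/to/bin/grpcurl` against the binary extracted from the image to be checked; the exit code is 1 while any listed fix is missing, which makes it usable as a CI gate alongside, not instead of, the trivy scan (trivy's database is updated; this table is frozen at the scan above).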

obale commented 1 year ago

Ready for review by @jameremo, @dragonsinth, @jhump or whoever has the authority to review pull requests for this repository.

dragonsinth commented 3 months ago

Most of this looks reasonable if we can get a clean rebase.