hashicorp / terraform-provider-time

Utility provider that provides Time-Based Resources
https://registry.terraform.io/providers/hashicorp/time/latest
Mozilla Public License 2.0

Cut a new release of this provider #327

Closed aochsner closed 2 months ago

aochsner commented 2 months ago

Terraform CLI and Provider Versions

1.8.4 & 0.11.1

Use Cases or Problem Statement

https://discuss.hashicorp.com/t/cut-a-new-hashicorp-time-provider-release/67314

Proposal

I'm not sure if this is the right place but also posted in the discussion forums.

How much impact is this issue causing?

High

Additional Information

No response

Code of Conduct

austinvalle commented 2 months ago

Hey there @aochsner 👋🏻 , do you mind sharing the reports or the dependencies related to the CVEs? We can push a new release with no functional changes but want to ensure we're resolving the CVEs you're seeing.

aochsner commented 2 months ago

I can't share directly, but it's go-git prior to v5.11 (the current release pulls in v5.10.1 via some other dependency). It looks like the current version in go.sum is v5.12.0, so I believe that would address it.

https://nvd.nist.gov/vuln/detail/CVE-2023-49569


bflad commented 2 months ago

Hi @aochsner 👋 (and other future readers),

Thanks for that additional context. I'm not on the HashiCorp security team, but I wanted to give some additional information about this particular scanner report. For official security disclosures/responses from the security team, please refer to https://www.hashicorp.com/trust/security.

The github.com/go-git/go-git/v5 dependency in this provider codebase is not in the "production" provider server codepath, but is pulled in due to some underlying capabilities of the provider testing library, so that it can potentially build Terraform from a specific Git reference when a specific environment variable is passed while running the provider testing.

```console
$ ❯ go mod why -m 'github.com/go-git/go-git/v5'
# github.com/go-git/go-git/v5
github.com/hashicorp/terraform-provider-time/internal/provider
github.com/hashicorp/terraform-provider-time/internal/provider.test
github.com/hashicorp/terraform-plugin-testing/helper/resource
github.com/hashicorp/terraform-exec/tfexec
github.com/hashicorp/terraform-exec/tfexec.test
github.com/hashicorp/terraform-exec/tfexec/internal/testutil
github.com/hashicorp/hc-install/build
github.com/go-git/go-git/v5
```

Unfortunately a lot of security scanners cannot have code-level context on why or how a dependency is being used or not, but the reality is that many compliance officers need to rely on these reports as given. So for anyone who may see references to this dependency or CVE number in relation to this provider codebase (and potentially others in the provider ecosystem), I just wanted to help alleviate any sort of urgency to upgrade. I have created https://github.com/hashicorp/terraform-plugin-testing/issues/347 in the provider testing Go module to consider removing the functionality that causes this dependency to appear in provider codebases to reduce security scanning reports like these.

As @austinvalle mentioned though, we can/will cut a fresh provider release to help remove this particular scanner report for now. 👍
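As an added illustration (not code from this thread or from the provider), a small Go helper that triages a `go mod why -m` chain like the one pasted above: it treats any `<pkg>.test` element before the target module as evidence that the module enters the graph only through test code. The sample output is constructed to mirror that chain, and the `Reachability` names are my own.

```go
package main

import "strings"

// Constructed sample of `go mod why -m` output, mirroring the chain quoted
// in the thread: the module is reached only through a *.test package.
const sampleWhy = `# github.com/go-git/go-git/v5
github.com/hashicorp/terraform-provider-time/internal/provider
github.com/hashicorp/terraform-provider-time/internal/provider.test
github.com/hashicorp/terraform-plugin-testing/helper/resource
github.com/hashicorp/terraform-exec/tfexec
github.com/hashicorp/terraform-exec/tfexec.test
github.com/hashicorp/terraform-exec/tfexec/internal/testutil
github.com/hashicorp/hc-install/build
github.com/go-git/go-git/v5
`

// Reachability says how a module enters the build graph.
type Reachability int

const (
	NotNeeded  Reachability = iota // "(main module does not need module ...)"
	Production                     // no test package on the import chain
	TestOnly                       // chain crosses a "<pkg>.test" package
)

// ClassifyWhy parses the text printed by `go mod why -m <module>`. Go names a
// package's test binary "<pkg>.test" in that output, so a .test element before
// the target means the import enters through test code and the module is not
// linked into the shipped binary. The chain is returned for the report.
func ClassifyWhy(out string) (Reachability, []string) {
	var chain []string
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "" || strings.HasPrefix(line, "#"):
			continue // blank line or "# <module>" header
		case strings.HasPrefix(line, "(main module does not need"):
			return NotNeeded, nil
		}
		chain = append(chain, line)
	}
	for _, pkg := range chain {
		if strings.HasSuffix(pkg, ".test") {
			return TestOnly, chain
		}
	}
	return Production, chain
}
```

`go mod why` prints only one shortest chain, so treat `TestOnly` as a triage signal and confirm it by checking that the module is absent from `go list -deps ./...` (run without `-test`) before filing a scanner exception.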

aochsner commented 2 months ago

Hi @bflad!

Thanks for that explanation; it makes a lot of sense. This would probably be enough justification for an exception TBH, but sounds like a new release will also happen which will probably be easier to get through than the exception route. But if anything new pops up I will look to y'all for that sort of context if needed.

Appreciate the quick responses! Thanks!

austinvalle commented 2 months ago

v0.11.2 has been released with the latest Go module updates and should show up in the registry soon 👍🏻