ldez / traefik-certs-dumper

Dump ACME data from Traefik to certificates

Vulnerability findings #203

Closed rwjack closed 2 hours ago

rwjack commented 2 hours ago

Hey, the latest released version has quite a few vulnerabilities:

    Name: github.com/Azure/azure-sdk-for-go/sdk/azidentity, Version: 1.3.0, Path: /usr/bin/traefik-certs-dumper
        CVE-2024-35255, Severity: MEDIUM, Source: https://github.com/advisories/GHSA-m5vv-6r4h-3vj9
            CVSS score: 5.5, CVSS exploitability score: 3.6
            Fixed version: 1.6.0
    Name: github.com/go-jose/go-jose/v3, Version: 3.0.1, Path: /usr/bin/traefik-certs-dumper
        CVE-2024-28180, Severity: MEDIUM, Source: https://github.com/advisories/GHSA-c5q2-7r4c-mv6g
            Fixed version: 3.0.3
    Name: github.com/hashicorp/go-retryablehttp, Version: 0.7.4, Path: /usr/bin/traefik-certs-dumper
        CVE-2024-6104, Severity: MEDIUM, Source: https://github.com/advisories/GHSA-v6v8-xj6m-xwqh
            CVSS score: 5.5, CVSS exploitability score: 3.6
            Fixed version: 0.7.7
    Name: github.com/traefik/traefik/v2, Version: 2.10.6, Path: /usr/bin/traefik-certs-dumper
        Failed policy: Default vulnerabilities policy
        CVE-2024-45410, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-62c8-mh53-4cqv
            CVSS score: 7.5, CVSS exploitability score: 3.6
            Fixed version: 2.11.9
        CVE-2024-28869, Severity: HIGH, Source: https://github.com/advisories/GHSA-4vwx-54mw-vqfw
            Fixed version: 2.11.2
        CVE-2024-39321, Severity: HIGH, Source: https://github.com/advisories/GHSA-gxrv-wf35-62w9
            Fixed version: 2.11.6
        GHSA-7f4j-64p6-5h5v, Severity: MEDIUM, Source: https://github.com/advisories/GHSA-7f4j-64p6-5h5v
            Fixed version: 2.11.2
        GHSA-7jmw-8259-q9jx, Severity: MEDIUM, Source: https://github.com/advisories/GHSA-7jmw-8259-q9jx
            Fixed version: 2.11.4
        GHSA-f7cq-5v43-8pwp, Severity: MEDIUM, Source: https://github.com/advisories/GHSA-f7cq-5v43-8pwp
            CVSS score: 5.3
            Fixed version: 2.11.3
        GHSA-rvj4-q8q5-8grf, Severity: MEDIUM, Source: https://github.com/advisories/GHSA-rvj4-q8q5-8grf
            CVSS score: 5.5
            Fixed version: 2.11.5
    Name: golang.org/x/crypto, Version: 0.14.0, Path: /usr/bin/traefik-certs-dumper
        CVE-2023-48795, Severity: MEDIUM, Source: https://github.com/advisories/GHSA-45x7-px36-x8w8
            CVSS score: 5.9, CVSS exploitability score: 3.6
            Fixed version: 0.17.0
            Has public exploit
    Name: google.golang.org/protobuf, Version: 1.31.0, Path: /usr/bin/traefik-certs-dumper
        CVE-2024-24786, Severity: MEDIUM, Source: https://github.com/advisories/GHSA-8r3f-844c-mc37
            Fixed version: 1.33.0
    ...
    Vulnerable packages: CRITICAL: 1, HIGH: 0, MEDIUM: 5, LOW: 0, INFORMATIONAL: 0
        Total: 6
    Vulnerabilities: CRITICAL: 1, HIGH: 2, MEDIUM: 9, LOW: 0, INFORMATIONAL: 0
        Total: 12, out of which 12 are fixable
    Directories scanned: 117, Files scanned: 371

I suppose half of these are fixed in the master version, but there is no docker image of it.

Would you be willing to make a workflow that publishes a master (nightly) image, alongside tagged releases?
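The indented report above can be parsed to reproduce the scanner's two roll-ups, which differ because a package is counted once at its worst severity while findings are counted one by one, and to pull out the findings flagged with a public exploit for triage first. This is an added example, not code from the issue or from traefik-certs-dumper; the embedded report is a constructed excerpt in the same layout, and the parser says nothing about whether a flagged dependency is actually used by the tool.

```python
from collections import Counter

SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"]  # highest first
# Constructed excerpt in the scanner's indented layout (not a real scan result).
SAMPLE_REPORT = """\
    Name: github.com/go-jose/go-jose/v3, Version: 3.0.1, Path: /usr/bin/traefik-certs-dumper
        CVE-2024-28180, Severity: MEDIUM, Source: https://github.com/advisories/GHSA-c5q2-7r4c-mv6g
            Fixed version: 3.0.3
    Name: github.com/traefik/traefik/v2, Version: 2.10.6, Path: /usr/bin/traefik-certs-dumper
        Failed policy: Default vulnerabilities policy
        CVE-2024-45410, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-62c8-mh53-4cqv
            Fixed version: 2.11.9
        CVE-2024-28869, Severity: HIGH, Source: https://github.com/advisories/GHSA-4vwx-54mw-vqfw
            Fixed version: 2.11.2
    Name: golang.org/x/crypto, Version: 0.14.0, Path: /usr/bin/traefik-certs-dumper
        CVE-2023-48795, Severity: MEDIUM, Source: https://github.com/advisories/GHSA-45x7-px36-x8w8
            Fixed version: 0.17.0
            Has public exploit
"""


def _fields(text):  # 'Key: value, Key: value' -> dict; values never contain ', '
    return dict(part.split(": ", 1) for part in text.split(", "))


def parse_report(text):
    """Group the report into packages, each carrying its list of findings."""
    packages = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name: "):
            f = _fields(line)
            packages.append({"name": f["Name"], "version": f["Version"], "findings": []})
        elif ", Severity: " in line:  # a CVE or GHSA line under the current package
            ident, rest = line.split(", ", 1)
            packages[-1]["findings"].append(
                {"id": ident, "severity": _fields(rest)["Severity"], "fixed": None, "exploit": False})
        elif line.startswith("Fixed version: "):
            packages[-1]["findings"][-1]["fixed"] = line.split(": ", 1)[1]
        elif line == "Has public exploit":
            packages[-1]["findings"][-1]["exploit"] = True
    return packages


def summarize(packages):
    """Both roll-ups: a package counts once at its worst severity, findings count individually."""
    worst = [min((f["severity"] for f in p["findings"]), key=SEVERITIES.index) for p in packages]
    findings = [f for p in packages for f in p["findings"]]
    return {"packages": dict(Counter(worst)),
            "vulnerabilities": dict(Counter(f["severity"] for f in findings)),
            "fixable": sum(1 for f in findings if f["fixed"]),
            "public_exploit": sorted(f["id"] for f in findings if f["exploit"])}
```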

ldez commented 2 hours ago

Hello,

None of those vulnerabilities impact this tool because this is related to unused dependencies.

rwjack commented 2 hours ago

Hey @ldez, I'm not familiar with Go, but I think I see what you're saying.

On the other hand, Traefik doesn't seem to be an unused "indirect" dependency, and all of the above findings have been fixed in 2.11.9, which is already in master, which brings us to my initial question: can you make a workflow that automatically creates new releases with bumped dependencies?

Even if there are no new features, recreating the image with a fresh base OS image, and updated dependencies in this case, resolves most vulnerabilities over time.

ldez commented 2 hours ago

There are no vulnerabilities to resolve because there are no vulnerabilities.

Your tool is just reporting false positives.

rwjack commented 2 hours ago

What do you mean there are no vulnerabilities to resolve? My "tool" scanned your latest image and found all the above vulnerabilities:

![image](https://github.com/user-attachments/assets/e6f7613f-ab90-4a9f-b12d-1dfd2824742b)

The image is almost a year old.

You are pushing directly to master on the repo here, but you are not making a new release, hence vulnerabilities exist in the "latest" release.

As for the "master image" workflow, I'm telling you that if you push a new release often, the image will get recreated and most future/potential base OS package vulnerabilities will be taken care of.

ldez commented 2 hours ago

You have found nothing.

You just ran a vulnerability tool that reports false positives.

traefik-certs-dumper is not impacted by those vulnerabilities.