open-telemetry / opamp-go

OpAMP protocol implementation in Go
Apache License 2.0
146 stars 71 forks

Opamp-go module has security vulnerabilities related to the koanf library being used #308

Closed MSA0208 closed 1 week ago

MSA0208 commented 2 weeks ago

Hi @everyone,

I am using the latest version of the opamp-go module in my project for the dynamic configuration of the otel collector platform. I have enabled the Debricked and Fortify security scans for all the dependencies being used here and found a few vulnerabilities related to the koanf package being used; below is the list:

CWE-20 Improper Input Validation: CVE-2014-9653 github.com/knadh/koanf/providers/file:1.1.0
CWE-787 Out-of-bounds Write: CVE-2019-18218 github.com/knadh/koanf/providers/file:1.1.0
CWE-770 Allocation of Resources Without Limits or Throttling: CVE-2023-6337 github.com/hashicorp/vault/sdk:0.1.13
CWE-532 Insertion of Sensitive Information into Log File: CVE-2020-13223 github.com/hashicorp/vault/sdk:0.1.13
CWE-863 Incorrect Authorization: CVE-2023-24999 github.com/hashicorp/vault/sdk:0.1.13
CWE-532 Insertion of Sensitive Information into Log File: CVE-2018-19786 github.com/hashicorp/vault/sdk:0.1.13
CWE-613 Insufficient Session Expiration: CVE-2021-32923 github.com/hashicorp/vault/api:1.0.4
CWE-770 Allocation of Resources Without Limits or Throttling: CVE-2023-6337 github.com/hashicorp/vault/api:1.0.4
CWE-732 Incorrect Permission Assignment for Critical Resource: CVE-2023-5077 github.com/hashicorp/vault/api:1.0.4
CWE-295 Improper Certificate Validation: CVE-2021-27400 github.com/hashicorp/vault/api:1.0.4
CWE-404 Improper Resource Shutdown or Release: CVE-2020-7220 github.com/hashicorp/vault/api:1.0.4
CWE-532 Insertion of Sensitive Information into Log File: CVE-2020-13223 github.com/hashicorp/vault/api:1.0.4
CWE-863 Incorrect Authorization: CVE-2023-24999 github.com/hashicorp/vault/api:1.0.4
CWE-287 Improper Authentication: CVE-2020-16251 github.com/hashicorp/vault/api:1.0.4
CWE-345 Insufficient Verification of Data Authenticity, CWE-290 Authentication Bypass by Spoofing: CVE-2020-16250 github.com/hashicorp/vault/api:1.0.4
CWE-532 Insecure Deployment: Unpatched Application: CVE-2018-19786 sdk@v0.1.13
CWE-327 Insecure Deployment: Unpatched Application: CVE-2022-27191 crypto@v0.0.0-20190308221718-c2843e01d9a2
CWE-347 Insecure Deployment: Unpatched Application: CVE-2020-9283 crypto@v0.0.0-20190308221718-c2843e01d9a2
CWE-476 Insecure Deployment: Unpatched Application: CVE-2020-29652 crypto@v0.0.0-20190308221718-c2843e01d9a2
CWE Not Specified Insecure Deployment: Unpatched Application: CVE-2022-30636 crypto@v0.0.0-20190308221718-c2843e01d9a2
CWE Not Specified Insecure Deployment: Unpatched Application: CVE-2021-43565 crypto@v0.0.0-20190308221718-c2843e01d9a2
CWE-295 Insecure Deployment: Unpatched Application: CVE-2020-7919 crypto@v0.0.0-20190308221718-c2843e01d9a2

I could see that the latest version of opamp is also using the same versions of the libraries.

Can anyone help me out with how to mitigate these issues, because I read that all the security scans are taken care of as part of the otel repositories?

srikanthccv commented 1 week ago

None of these dependencies are used in the client/server packages provided. Did you mean the project is using them in the examples? Also, you listed a bunch of CVEs that have no relevance here, like this one: github.com/hashicorp/vault/sdk.

MSA0208 commented 1 week ago

Hi @srikanthccv ,

Yeah, it is from the examples in opamp-go. Anyway, we have resolved it by upgrading to the latest non-vulnerable version available.

srikanthccv commented 1 week ago

Closing this because the library itself doesn't have any vulnerable dependencies. The mentioned package is part of the example, and I will create a separate issue to address the deps.
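
The reachability question raised in the two replies above (are the flagged modules in the client/server build graph, or only in the examples?) can be checked mechanically. The following is an added example, not opamp-go's own code: it parses scanner entries in the layout quoted in the issue and sorts each finding by whether its module appears in what `go list -deps` prints for the library packages; the sample report entries and the sample `go list` output are constructed, and the `go list` template is standard Go tooling.

```go
package main

import (
	"regexp"
	"strings"
)

// Finding is one scanner entry: a CVE reported against a Go path (module or package) at a version.
type Finding struct{ CVE, Path, Version string }
// Matches the "CVE-YYYY-NNNN path:version" or "path@vVersion" tail of each entry, in the
// layout of the scanner report quoted in the issue (the layout is assumed from that text).
var findingRe = regexp.MustCompile(`(CVE-\d{4}-\d+)\s+([^\s:@]+)[:@]v?(\S+)`)

// ParseFindings extracts every finding, even when entries run together on one line.
func ParseFindings(report string) []Finding {
	var out []Finding
	for _, m := range findingRe.FindAllStringSubmatch(report, -1) {
		out = append(out, Finding{CVE: m[1], Path: m[2], Version: m[3]})
	}
	return out
}

// Triage separates findings whose path is one of the listed modules (or a package inside one)
// from findings that can only come from outside them, e.g. under examples/. goListOutput is
// what `go list -deps -f '{{if .Module}}{{.Module.Path}}{{end}}' ./client/... ./server/...`
// prints: the modules the library packages actually compile against, examples excluded.
func Triage(findings []Finding, goListOutput string) (inLibrary, outside []Finding) {
	modules := strings.Fields(goListOutput)
	for _, f := range findings {
		reachable := false
		for _, m := range modules {
			if f.Path == m || strings.HasPrefix(f.Path, m+"/") {
				reachable = true
			}
		}
		if reachable {
			inLibrary = append(inLibrary, f)
		} else {
			outside = append(outside, f)
		}
	}
	return inLibrary, outside
}

// Constructed sample: two entries copied from the issue's report, plus an assumed
// go list output for the client/server packages (run the command above for the real one).
const SampleReport = `CWE-20 Improper Input Validation: CVE-2014-9653 github.com/knadh/koanf/providers/file:1.1.0 ` +
	`CWE-327 Insecure Deployment: Unpatched Application: CVE-2022-27191 crypto@v0.0.0-20190308221718-c2843e01d9a2`
const SampleGoList = "github.com/gorilla/websocket\ngoogle.golang.org/protobuf\n"
```

Entries the scanner reports with a bare name such as `crypto@...` or `sdk@...` cannot be matched to a module path and always land in the "outside" bucket, so they need a manual look at go.sum; `govulncheck ./client/... ./server/...` performs the same reachability check at the symbol level against the Go vulnerability database.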