owncloud / ocis

:atom_symbol: ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

drone failure on pipeline `go-vulnerability-scanning` #8771

Closed nabim777 closed 6 months ago

nabim777 commented 6 months ago

Description

Drone is failing on pipeline go-vulnerability-scanning CI builds: https://drone.owncloud.com/owncloud/ocis/33398/8/5

Found 1 vulnerability

Vulnerability #1: GO-2024-2631
    Decompression bomb vulnerability in github.com/go-jose/go-jose
  More info: https://pkg.go.dev/vuln/GO-2024-2631
  Module: gopkg.in/square/go-jose.v2
    Found in: gopkg.in/square/go-jose.v2@v2.6.0
    Fixed in: N/A
+ make govulncheck
(re)installing /go/bin/govulncheck-v1.0.1
go: downloading golang.org/x/vuln v1.0.1
go: downloading golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846
go: downloading golang.org/x/sync v0.3.0
go: downloading golang.org/x/sys v0.11.0
/go/bin/govulncheck-v1.0.1 ./...
Scanning your code and 1701 packages across 320 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.22.0
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
      #1: services/idp/pkg/service/v0/service.go:117:27: service.NewService calls bootstrap.Boot, which eventually calls http2.ConfigureTransport
      #2: services/search/pkg/query/kql/dictionary_gen.go:3010:40: kql.parserError.Error calls http2.ConnectionError.Error
      #3: ocis/cmd/ocis/main.go:12:15: ocis.main calls fmt.Fprintln, which eventually calls http2.ErrCode.String
      #4: ocis/cmd/ocis/main.go:12:15: ocis.main calls fmt.Fprintln, which eventually calls http2.FrameHeader.String
      #5: ocis/cmd/ocis/main.go:12:15: ocis.main calls fmt.Fprintln, which eventually calls http2.FrameType.String
      #6: ocis/cmd/ocis/main.go:12:15: ocis.main calls fmt.Fprintln, which eventually calls http2.FrameWriteRequest.String
      #7: services/antivirus/pkg/command/server.go:81:17: command.Server calls run.Group.Run, which eventually calls http2.Framer.ReadFrame
      #8: ocis-pkg/tracing/tracing.go:106:32: tracing.GetTraceProvider calls grpc.DialContext, which eventually calls http2.Framer.WriteContinuation
      #9: ocis-pkg/tracing/tracing.go:106:32: tracing.GetTraceProvider calls grpc.DialContext, which eventually calls http2.Framer.WriteData
      #10: ocis-pkg/tracing/tracing.go:106:32: tracing.GetTraceProvider calls grpc.DialContext, which eventually calls http2.Framer.WriteGoAway
      #11: ocis-pkg/tracing/tracing.go:106:32: tracing.GetTraceProvider calls grpc.DialContext, which eventually calls http2.Framer.WriteHeaders
      #12: ocis-pkg/tracing/tracing.go:106:32: tracing.GetTraceProvider calls grpc.DialContext, which eventually calls http2.Framer.WritePing
      #13: ocis-pkg/tracing/tracing.go:106:32: tracing.GetTraceProvider calls grpc.DialContext, which eventually calls http2.Framer.WriteRSTStream
      #14: ocis-pkg/tracing/tracing.go:106:32: tracing.GetTraceProvider calls grpc.DialContext, which eventually calls http2.Framer.WriteSettings
      #15: ocis-pkg/tracing/tracing.go:106:32: tracing.GetTraceProvider calls grpc.DialContext, which eventually calls http2.Framer.WriteSettingsAck
      #16: ocis-pkg/tracing/tracing.go:106:32: tracing.GetTraceProvider calls grpc.DialContext, which eventually calls http2.Framer.WriteWindowUpdate
      #17: services/search/pkg/query/kql/dictionary_gen.go:3010:40: kql.parserError.Error calls http2.GoAwayError.Error
      #18: services/proxy/pkg/middleware/account_resolver.go:89:19: middleware.accountResolver.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls http2.Server.ServeConn
      #19: ocis/cmd/ocis/main.go:12:15: ocis.main calls fmt.Fprintln, which eventually calls http2.Setting.String
      #20: ocis/cmd/ocis/main.go:12:15: ocis.main calls fmt.Fprintln, which eventually calls http2.SettingID.String
      #21: services/antivirus/pkg/command/server.go:81:17: command.Server calls run.Group.Run, which eventually calls http2.SettingsFrame.ForeachSetting
      #22: services/search/pkg/query/kql/dictionary_gen.go:3010:40: kql.parserError.Error calls http2.StreamError.Error
      #23: services/ocs/pkg/service/v0/response/response.go:40:26: response.Response.MarshalXML calls xml.Encoder.EncodeElement, which eventually calls http2.chunkWriter.Write
      #24: services/search/pkg/query/kql/dictionary_gen.go:3010:40: kql.parserError.Error calls http2.connError.Error
      #25: services/search/pkg/query/kql/dictionary_gen.go:3010:40: kql.parserError.Error calls http2.duplicatePseudoHeaderError.Error
      #26: ocis-pkg/oidc/client.go:242:2: oidc.oidcClient.UserInfo calls http2.gzipReader.Close
      #27: services/search/pkg/query/kql/dictionary_gen.go:2812:22: kql.ParseReader calls io.ReadAll, which calls http2.gzipReader.Read
      #28: services/search/pkg/query/kql/dictionary_gen.go:3010:40: kql.parserError.Error calls http2.headerFieldNameError.Error
      #29: services/search/pkg/query/kql/dictionary_gen.go:3010:40: kql.parserError.Error calls http2.headerFieldValueError.Error
      #30: services/proxy/pkg/proxy/proxy.go:78:26: proxy.MultiHostReverseProxy.ServeHTTP calls httputil.ReverseProxy.ServeHTTP, which eventually calls http2.noDialH2RoundTripper.RoundTrip
      #31: services/search/pkg/query/kql/dictionary_gen.go:3010:40: kql.parserError.Error calls http2.pseudoHeaderError.Error
      #32: ocis-pkg/oidc/client.go:242:2: oidc.oidcClient.UserInfo calls http2.requestBody.Close
      #33: services/search/pkg/query/kql/dictionary_gen.go:2812:22: kql.ParseReader calls io.ReadAll, which calls http2.requestBody.Read
      #34: services/sse/pkg/service/service.go:89:17: service.SSE.HandleSSE calls sse.Server.ServeHTTP, which calls http2.responseWriter.Flush
      #35: services/proxy/pkg/proxy/proxy.go:78:26: proxy.MultiHostReverseProxy.ServeHTTP calls httputil.ReverseProxy.ServeHTTP, which eventually calls http2.responseWriter.FlushError
      #36: services/web/pkg/service/v0/service.go:136:22: service.Web.Config calls http2.responseWriter.Write
      #37: services/graph/pkg/service/v0/drives.go:1171:16: service.Graph.DeleteDrive calls http2.responseWriter.WriteHeader
      #38: ocis-pkg/handlers/debughandlers.go:29:26: handlers.Ready calls io.WriteString, which calls http2.responseWriter.WriteString
      #39: services/ocs/pkg/service/v0/response/response.go:40:26: response.Response.MarshalXML calls xml.Encoder.EncodeElement, which eventually calls http2.stickyErrWriter.Write
      #40: ocis-pkg/oidc/client.go:242:2: oidc.oidcClient.UserInfo calls http2.transportResponseBody.Close
      #41: services/search/pkg/query/kql/dictionary_gen.go:2812:22: kql.ParseReader calls io.ReadAll, which calls http2.transportResponseBody.Read
      #42: ocis/cmd/ocis/main.go:12:15: ocis.main calls fmt.Fprintln, which eventually calls http2.writeData.String

  Standard library
    Found in: net/http@go1.22.1
    Fixed in: net/http@go1.22.2
    Example traces found:
      #1: services/webfinger/pkg/server/http/server.go:10:2: http.init calls middleware.init, which calls http.CanonicalHeaderKey
      #2: ocis-pkg/oidc/client.go:238:30: oidc.oidcClient.UserInfo calls http.Client.Do
      #3: ocis-pkg/oidc/metadata.go:101:25: oidc.GetIDPMetadata calls http.Client.Get
      #4: ocis-pkg/keycloak/client.go:90:39: keycloak.ConcreteClient.SendActionsMail calls gocloak.GoCloak.ExecuteActionsEmail, which eventually calls http.Cookie.String
      #5: protogen/gen/ocis/services/settings/v0/settings.pb.web.go:487:13: settings.webPermissionServiceHandler.GetPermissionByID calls http.Error
      #6: services/search/pkg/command/health.go:25:25: command.Health calls http.Get
      #7: services/proxy/pkg/middleware/account_resolver.go:89:19: middleware.accountResolver.ServeHTTP calls http.HandlerFunc.ServeHTTP
      #8: services/proxy/pkg/middleware/public_share_auth.go:114:14: middleware.PublicShareAuthenticator.Authenticate calls http.Header.Add
      #9: services/web/pkg/assets/server.go:61:17: assets.fileServer.ServeHTTP calls http.Header.Del
      #10: services/graph/pkg/service/v0/drives.go:502:49: service.Graph.UpdateDrive calls http.Header.Get
      #11: services/web/pkg/service/v0/service.go:134:16: service.Web.Config calls http.Header.Set
      #12: services/idp/pkg/backends/cs3/identifier/cs3.go:174:45: identifier.CS3Backend.ResolveUserByUsername calls pool.GetGatewayServiceClient, which eventually calls http.Header.Write
      #13: ocis-pkg/oidc/client.go:227:29: oidc.oidcClient.UserInfo calls http.NewRequest
      #14: services/search/pkg/content/tika.go:78:36: content.Tika.Extract calls tika.Client.MetaRecursive, which eventually calls http.NewRequestWithContext
      #15: services/web/pkg/assets/server.go:34:17: assets.ServeHTTP calls http.NotFound
      #16: services/idp/pkg/service/v0/service.go:117:27: service.NewService calls bootstrap.Boot, which eventually calls http.ParseTime
      #17: protogen/gen/ocis/services/store/v0/store.pb.micro.go:93:27: store.storeService.List calls client.rpcClient.Stream, which eventually calls http.ProxyFromEnvironment
      #18: services/antivirus/pkg/scanners/icap.go:59:28: scanners.ICAP.Scan calls icap.Client.Do, which eventually calls http.ReadRequest
      #19: services/antivirus/pkg/scanners/icap.go:59:28: scanners.ICAP.Scan calls icap.Client.Do, which eventually calls http.ReadResponse
      #20: ocis-pkg/keycloak/client.go:90:39: keycloak.ConcreteClient.SendActionsMail calls gocloak.GoCloak.ExecuteActionsEmail, which eventually calls http.Request.AddCookie
      #21: services/proxy/pkg/middleware/public_share_auth.go:79:33: middleware.PublicShareAuthenticator.Authenticate calls http.Request.BasicAuth
      #22: services/web/pkg/service/v0/branding.go:54:37: service.Web.UploadLogo calls http.Request.FormFile
      #23: ocis-pkg/registry/register.go:20:29: registry.RegisterService calls consul.consulRegistry.Register, which eventually calls http.Request.SetBasicAuth
      #24: services/idp/pkg/service/v0/service.go:309:19: service.IDP.ServeHTTP calls chi.Mux.ServeHTTP, which eventually calls http.Request.UserAgent
      #25: protogen/gen/ocis/services/store/v0/store.pb.micro.go:121:23: store.storeServiceList.Close calls client.rpcStream.Close, which eventually calls http.Request.Write
      #26: ocis/pkg/command/benchmark.go:242:35: command.client calls http.Response.Cookies
      #27: services/proxy/pkg/proxy/proxy.go:78:26: proxy.MultiHostReverseProxy.ServeHTTP calls httputil.ReverseProxy.ServeHTTP, which eventually calls http.Response.Write
      #28: services/proxy/pkg/proxy/proxy.go:78:26: proxy.MultiHostReverseProxy.ServeHTTP calls httputil.ReverseProxy.ServeHTTP, which calls http.ResponseController.Flush
      #29: services/proxy/pkg/proxy/proxy.go:78:26: proxy.MultiHostReverseProxy.ServeHTTP calls httputil.ReverseProxy.ServeHTTP, which eventually calls http.ResponseController.Hijack
      #30: ocis/pkg/runtime/service/service.go:429:19: service.Start calls http.Serve
      #31: services/proxy/pkg/middleware/account_resolver.go:89:19: middleware.accountResolver.ServeHTTP calls http.ServeMux.ServeHTTP
      #32: services/nats/pkg/server/nats/nats.go:48:19: nats.NATSServer.Shutdown calls server.Server.Shutdown, which calls http.Server.Close
      #33: services/antivirus/pkg/command/server.go:81:17: command.Server calls run.Group.Run, which eventually calls http.Server.ListenAndServe
      #34: services/nats/pkg/server/nats/nats.go:42:2: nats.NATSServer.ListenAndServe calls server.Server.Start, which eventually calls http.Server.Serve
      #35: services/app-registry/pkg/command/server.go:49:27: command.Server calls runtime.RunWithOptions, which eventually calls http.Server.ServeTLS
      #36: services/nats/pkg/command/server.go:59:25: command.Server calls http.Server.Shutdown
      #37: services/proxy/pkg/middleware/selector_cookie.go:65:17: middleware.selectorCookie.ServeHTTP calls http.SetCookie
      #38: services/antivirus/pkg/service/service.go:55:77: service.NewAntivirus calls rhttp.GetHTTPClient, which calls http.Transport.Clone
      #39: services/nats/pkg/server/nats/nats.go:27:34: nats.NewNATSServer calls server.NewServer, which eventually calls http.Transport.CloseIdleConnections
      #40: services/proxy/pkg/proxy/proxy.go:78:26: proxy.MultiHostReverseProxy.ServeHTTP calls httputil.ReverseProxy.ServeHTTP, which calls http.Transport.RoundTrip
      #41: ocis-pkg/oidc/client.go:242:2: oidc.oidcClient.UserInfo calls http.body.Close
      #42: services/search/pkg/query/kql/dictionary_gen.go:2812:22: kql.ParseReader calls io.ReadAll, which calls http.body.Read
      #43: ocis-pkg/oidc/client.go:242:2: oidc.oidcClient.UserInfo calls http.bodyEOFSignal.Close
      #44: services/search/pkg/query/kql/dictionary_gen.go:2812:22: kql.ParseReader calls io.ReadAll, which calls http.bodyEOFSignal.Read
      #45: services/web/pkg/assets/server.go:65:22: assets.fileServer.ServeHTTP calls bytes.Buffer.ReadFrom, which calls http.bodyLocked.Read
      #46: ocis-pkg/handlers/debughandlers.go:29:26: handlers.Ready calls io.WriteString, which calls http.bufioFlushWriter.Write
      #47: ocis-pkg/oidc/client.go:242:2: oidc.oidcClient.UserInfo calls http.cancelTimerBody.Close
      #48: services/search/pkg/query/kql/dictionary_gen.go:2812:22: kql.ParseReader calls io.ReadAll, which calls http.cancelTimerBody.Read
      #49: services/ocs/pkg/service/v0/response/response.go:40:26: response.Response.MarshalXML calls xml.Encoder.EncodeElement, which eventually calls http.checkConnErrorWriter.Write
      #50: services/ocs/pkg/service/v0/response/response.go:40:26: response.Response.MarshalXML calls xml.Encoder.EncodeElement, which eventually calls http.chunkWriter.Write
      #51: services/web/pkg/assets/server.go:65:22: assets.fileServer.ServeHTTP calls bytes.Buffer.ReadFrom, which calls http.connReader.Read
      #52: ocis-pkg/oidc/client.go:242:2: oidc.oidcClient.UserInfo calls http.expectContinueReader.Close
      #53: services/search/pkg/query/kql/dictionary_gen.go:2812:22: kql.ParseReader calls io.ReadAll, which calls http.expectContinueReader.Read
      #54: ocis-pkg/oidc/client.go:242:2: oidc.oidcClient.UserInfo calls http.gzipReader.Close
      #55: services/search/pkg/query/kql/dictionary_gen.go:2812:22: kql.ParseReader calls io.ReadAll, which calls http.gzipReader.Read
      #56: services/search/pkg/query/kql/dictionary_gen.go:3010:40: kql.parserError.Error calls http.http2ConnectionError.Error
      #57: ocis/cmd/ocis/main.go:12:15: ocis.main calls fmt.Fprintln, which eventually calls http.http2ErrCode.String
      #58: ocis/cmd/ocis/main.go:12:15: ocis.main calls fmt.Fprintln, which eventually calls http.http2FrameHeader.String
      #59: ocis/cmd/ocis/main.go:12:15: ocis.main calls fmt.Fprintln, which eventually calls http.http2FrameType.String
      #60: ocis/cmd/ocis/main.go:12:15: ocis.main calls fmt.Fprintln, which eventually calls http.http2FrameWriteRequest.String
      #61: services/search/pkg/query/kql/dictionary_gen.go:3010:40: kql.parserError.Error calls http.http2GoAwayError.Error
      #62: ocis/cmd/ocis/main.go:12:15: ocis.main calls fmt.Fprintln, which eventually calls http.http2Setting.String
      #63: ocis/cmd/ocis/main.go:12:15: ocis.main calls fmt.Fprintln, which eventually calls http.http2SettingID.String
      #64: services/search/pkg/query/kql/dictionary_gen.go:3010:40: kql.parserError.Error calls http.http2StreamError.Error
      #65: services/ocs/pkg/service/v0/response/response.go:40:26: response.Response.MarshalXML calls xml.Encoder.EncodeElement, which eventually calls http.http2chunkWriter.Write
      #66: services/search/pkg/query/kql/dictionary_gen.go:3010:40: kql.parserError.Error calls http.http2connError.Error
      #67: services/search/pkg/query/kql/dictionary_gen.go:3010:40: kql.parserError.Error calls http.http2duplicatePseudoHeaderError.Error
      #68: ocis-pkg/oidc/client.go:242:2: oidc.oidcClient.UserInfo calls http.http2gzipReader.Close
      #69: services/search/pkg/query/kql/dictionary_gen.go:2812:22: kql.ParseReader calls io.ReadAll, which calls http.http2gzipReader.Read
      #70: services/search/pkg/query/kql/dictionary_gen.go:3010:40: kql.parserError.Error calls http.http2headerFieldNameError.Error
      #71: services/search/pkg/query/kql/dictionary_gen.go:3010:40: kql.parserError.Error calls http.http2headerFieldValueError.Error
      #72: services/search/pkg/query/kql/dictionary_gen.go:3010:40: kql.parserError.Error calls http.http2pseudoHeaderError.Error
      #73: ocis-pkg/oidc/client.go:242:2: oidc.oidcClient.UserInfo calls http.http2requestBody.Close
      #74: services/search/pkg/query/kql/dictionary_gen.go:2812:22: kql.ParseReader calls io.ReadAll, which calls http.http2requestBody.Read
      #75: services/sse/pkg/service/service.go:89:17: service.SSE.HandleSSE calls sse.Server.ServeHTTP, which calls http.http2responseWriter.Flush
      #76: services/web/pkg/service/v0/service.go:136:22: service.Web.Config calls http.http2responseWriter.Write
      #77: services/graph/pkg/service/v0/drives.go:1171:16: service.Graph.DeleteDrive calls http.http2responseWriter.WriteHeader
      #78: ocis-pkg/handlers/debughandlers.go:29:26: handlers.Ready calls io.WriteString, which calls http.http2responseWriter.WriteString
      #79: services/ocs/pkg/service/v0/response/response.go:40:26: response.Response.MarshalXML calls xml.Encoder.EncodeElement, which eventually calls http.http2stickyErrWriter.Write
      #80: ocis-pkg/oidc/client.go:242:2: oidc.oidcClient.UserInfo calls http.http2transportResponseBody.Close
      #81: services/search/pkg/query/kql/dictionary_gen.go:2812:22: kql.ParseReader calls io.ReadAll, which calls http.http2transportResponseBody.Read
      #82: ocis/cmd/ocis/main.go:12:15: ocis.main calls fmt.Fprintln, which eventually calls http.http2writeData.String
      #83: ocis-pkg/oidc/client.go:242:2: oidc.oidcClient.UserInfo calls tls.Conn.Close, which calls http.loggingConn.Close
      #84: services/web/pkg/assets/server.go:65:22: assets.fileServer.ServeHTTP calls bytes.Buffer.ReadFrom, which calls http.loggingConn.Read
      #85: ocis-pkg/handlers/debughandlers.go:29:26: handlers.Ready calls io.WriteString, which calls http.loggingConn.Write
      #86: ocis-pkg/oidc/client.go:242:2: oidc.oidcClient.UserInfo calls http.maxBytesReader.Close
      #87: services/search/pkg/query/kql/dictionary_gen.go:2812:22: kql.ParseReader calls io.ReadAll, which calls http.maxBytesReader.Read
      #88: ocis-pkg/registry/registry.go:55:10: registry.GetRegistry calls sync.Once.Do, which eventually calls http.onceCloseListener.Close
      #89: services/web/pkg/assets/server.go:65:22: assets.fileServer.ServeHTTP calls bytes.Buffer.ReadFrom, which calls http.persistConn.Read
      #90: services/antivirus/pkg/service/service.go:100:23: service.Antivirus.Run calls io.Copy, which eventually calls http.persistConnWriter.ReadFrom
      #91: services/ocs/pkg/service/v0/response/response.go:40:26: response.Response.MarshalXML calls xml.Encoder.EncodeElement, which eventually calls http.persistConnWriter.Write
      #92: ocis-pkg/oidc/client.go:242:2: oidc.oidcClient.UserInfo calls http.readTrackingBody.Close
      #93: services/search/pkg/query/kql/dictionary_gen.go:2812:22: kql.ParseReader calls io.ReadAll, which calls http.readTrackingBody.Read
      #94: services/search/pkg/query/kql/dictionary_gen.go:2812:22: kql.ParseReader calls io.ReadAll, which calls http.readWriteCloserBody.Read
      #95: services/sse/pkg/service/service.go:89:17: service.SSE.HandleSSE calls sse.Server.ServeHTTP, which calls http.response.Flush
      #96: services/antivirus/pkg/service/service.go:100:23: service.Antivirus.Run calls io.Copy, which eventually calls http.response.ReadFrom
      #97: services/web/pkg/service/v0/service.go:136:22: service.Web.Config calls http.response.Write
      #98: services/graph/pkg/service/v0/drives.go:1171:16: service.Graph.DeleteDrive calls http.response.WriteHeader
      #99: ocis-pkg/handlers/debughandlers.go:29:26: handlers.Ready calls io.WriteString, which calls http.response.WriteString
      #100: services/web/pkg/service/v0/service.go:136:22: service.Web.Config calls http.timeoutWriter.Write
      #101: services/graph/pkg/service/v0/drives.go:1171:16: service.Graph.DeleteDrive calls http.timeoutWriter.WriteHeader
      #102: services/search/pkg/query/kql/dictionary_gen.go:3010:40: kql.parserError.Error calls http.transportReadFromServerError.Error

=== Informational ===

Found 1 vulnerability in packages that you import, but there are no call
stacks leading to the use of this vulnerability. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2024-2631
    Decompression bomb vulnerability in github.com/go-jose/go-jose
  More info: https://pkg.go.dev/vuln/GO-2024-2631
  Module: gopkg.in/square/go-jose.v2
    Found in: gopkg.in/square/go-jose.v2@v2.6.0
    Fixed in: N/A

Your code is affected by 1 vulnerability from 1 module and the Go standard library.

Share feedback at https://go.dev/s/govulncheck-feedback.
make: *** [Makefile:280: govulncheck] Error 3

micbar commented 6 months ago

We need to bump the golangci docker image

rhafer commented 6 months ago

@micbar AFAICS https://github.com/owncloud-ci/golang/pull/139 brings go1.22.2 (I don't have permission to merge it)

micbar commented 6 months ago

Merged

rhafer commented 6 months ago

Seems we need to bump golang.org/x/net as well.
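Triage logic for the govulncheck report in this issue, as an added example (not ocis or govulncheck code): it parses the report text into findings, treats everything after the "=== Informational ===" marker as imported-but-unreachable, and lists only the upgrades that close findings with call stacks, which for this report are exactly the two bumps discussed above (golang.org/x/net v0.23.0 and Go 1.22.2). The embedded sample report is a constructed, condensed copy of the one pasted above with trace lines omitted; `Finding`, `ParseGovulncheck` and `RequiredBumps` are names chosen here.

```go
package main

import (
	"fmt"
	"strings"
)
// Finding is one (vulnerability, affected module) pair from govulncheck's text report.
type Finding struct {
	ID, Module, FoundIn, FixedIn string // Module "stdlib" = Go standard library; FixedIn "" = N/A
	Reachable                    bool   // false for entries after "=== Informational ==="
}

// ParseGovulncheck reads the text report; entries after "=== Informational ===" are imported but unreachable.
func ParseGovulncheck(out string) []Finding {
	var fs []Finding
	informational, curID := false, ""
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "=== Informational ===":
			informational = true
		case strings.HasPrefix(line, "Vulnerability #"): // "Vulnerability #1: GO-2024-2687"
			curID = line[strings.LastIndex(line, " ")+1:]
		case curID == "": // still in the "+ make govulncheck" preamble
		case strings.HasPrefix(line, "Module: "):
			fs = append(fs, Finding{ID: curID, Module: strings.TrimPrefix(line, "Module: "), Reachable: !informational})
		case line == "Standard library":
			fs = append(fs, Finding{ID: curID, Module: "stdlib", Reachable: !informational})
		case len(fs) > 0 && strings.HasPrefix(line, "Found in: "):
			fs[len(fs)-1].FoundIn = strings.TrimPrefix(line, "Found in: ")
		case len(fs) > 0 && strings.HasPrefix(line, "Fixed in: ") && line != "Fixed in: N/A":
			fs[len(fs)-1].FixedIn = strings.TrimPrefix(line, "Fixed in: ")
		}
	}
	return fs
}
// RequiredBumps lists upgrades that close reachable findings; a reachable one with no fix is still reported.
func RequiredBumps(fs []Finding) []string {
	var bumps []string
	for _, f := range fs {
		switch {
		case !f.Reachable: // imported only: govulncheck found no call stack reaching it
		case f.FixedIn == "":
			bumps = append(bumps, f.ID+": "+f.FoundIn+" reachable, no fixed version yet")
		default:
			bumps = append(bumps, f.ID+": "+f.FoundIn+" -> "+f.FixedIn)
		}
	}
	return bumps
}
// sampleReport is a constructed, condensed copy of this issue's report (traces omitted).
const sampleReport = `Vulnerability #1: GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.22.0
    Fixed in: golang.org/x/net@v0.23.0
  Standard library
    Found in: net/http@go1.22.1
    Fixed in: net/http@go1.22.2
=== Informational ===
Vulnerability #1: GO-2024-2631
  Module: gopkg.in/square/go-jose.v2
    Found in: gopkg.in/square/go-jose.v2@v2.6.0
    Fixed in: N/A`

func main() { fmt.Println(strings.Join(RequiredBumps(ParseGovulncheck(sampleReport)), "\n")) }
```

Running it prints the two bump lines for GO-2024-2687 and nothing for the go-jose entry, which is exactly the "no call stacks, you may not need to take any action" case govulncheck describes.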