prysmaticlabs / prysm

Go implementation of Ethereum proof of stake
https://www.offchainlabs.com
GNU General Public License v3.0

Horusec report about vulnerabilities #13791

Open ErnestK opened 6 months ago

ErnestK commented 6 months ago

💎 Issue

Description

Hello,

I've been considering participating in the project and contributing. My attention was drawn to this task, https://github.com/prysmaticlabs/prysm/issues/9975.

I ran horusec-beta on prysm, and the result was a bit different than I expected.

==================================================================================

In this analysis, a total of 60 possible vulnerabilities were found and we classified them into:
Total of Vulnerability CRITICAL is: 18
Total of Vulnerability HIGH is: 22
Total of Vulnerability MEDIUM is: 16
Total of Vulnerability LOW is: 4

==================================================================================

Most vulnerabilities are related to library versions, but they can be fixed.

Are library updates covered by tests? Should I take on this task?

PS: report attached below.

horusec_report.json

prestonvanloon commented 6 months ago

gm @ErnestK, thanks for this report. I think there are some opportunities here to grab the low-hanging fruit.

To make things easier for review, I recommend sending multiple PRs to resolve the issues, i.e. send all minor dependency updates in one PR, any exclusions in another PR, and any individual fixes in their own PRs. This makes review easier and makes maintainer bug hunting easier, as we could review better-scoped commits for issues.

prestonvanloon commented 6 months ago

@ErnestK are you interested in submitting a PR to resolve some of these reported issues?

ErnestK commented 5 months ago

@prestonvanloon Yes, I will analyze all the issues and endeavor to work on this task. It would be great to include Horusec in the CI process.

ErnestK commented 5 months ago

@prestonvanloon I created the first small pull request (PR) with updates to two gems that require no additional work. Now I'm working on addressing the vulnerabilities from the list, starting with the smallest issues and progressing to the larger ones.

ErnestK commented 5 months ago

I have sorted all vulnerabilities, eliminated duplicates, and ranked them:

  1. Easiest Updates (Simple Updates):

    • [ ] Refactoring in docker files, fixing MissConfiguration https://github.com/prysmaticlabs/prysm/pull/13942
    • [ ] Update github.com/microcosm-cc/bluemonday from v1.0.1 to v1.0.5 (Minor version increment - patch update), likely straightforward with minimal changes.
    • [ ] Update github.com/nats-io/jwt from v0.3.2 to v2.0.1 (Major version jump), but update might be manageable if backward compatibility is maintained.
    • [ ] Update github.com/dgrijalva/jwt-go from v3.2.0 to 4.0.0-preview1
    • [ ] Update github.com/go-yaml/yaml from v2.1.0 to v2.2.4
    • [ ] Update google.golang.org/protobuf from v1.32.0 to v1.33.0 (Incremental version change - minor update), typically safe with minimal impact. https://github.com/prysmaticlabs/prysm/pull/14024
    • [x] Update golang.org/x/net from v0.21.0 to v0.23.0 (Incremental version change - minor update), may require compatibility checks but generally straightforward. https://github.com/prysmaticlabs/prysm/pull/13912
  2. Moderate Updates (Intermediate Updates):

    • [ ] Update github.com/aws/aws-sdk-go from v1.27.0 to v1.34.0 (Moderate version increment - minor update), potentially introducing new features or adjustments.
    • [ ] Update github.com/nats-io/nats-server/v2 from v2.1.2 to v2.7.2 (Incremental version change - minor update), possibly including enhancements or bug fixes.
    • [ ] Update github.com/buger/jsonparser from v0.0.0-20181115193947-bf1c66bbce23 to v1.1.1 (Major version transition - breaking change), may require code adjustments and thorough testing.
  3. Complex Updates (Challenging Updates):

    • [ ] Update go.etcd.io/etcd from v0.0.0-20191023171146-3cf2f69b5738 to v3.4.10 (Major version jump - breaking change), likely involving significant updates and compatibility considerations.
    • [ ] Update github.com/elazarl/goproxy from v0.0.0-20180725130230-947c36da3153 to v0.0.0-20230731152917-f99041a5c027 (Major version transition - breaking change), potentially requiring substantial refactoring.
    • [ ] Update github.com/labstack/echo/v4 from v4.2.1 to v4.9.0 (Incremental version change - minor update), may introduce new features or adjustments.
    • [ ] Update github.com/emicklei/go-restful from v0.0.0-20170410110728-ff4f55a20633 to v2.16.0 (Major version jump - breaking change), likely requiring significant code updates and testing.
  4. Putting it All Together:

    • [ ] Configure the tool to ignore false positives (such as passwords in tests).
    • [ ] Enable Horusec in CI (Continuous Integration).
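A small triage helper for the ranking above, added here as an example and not code from this thread or from prysm: it classifies each from/to pair as a patch, minor or major jump and flags Go pseudo-versions (untagged commits) separately, since those carry no release notes to review before updating. The sample pair in `main` is copied from the list; the function names and the regular expression are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// vMAJOR.MINOR.PATCH, then an optional Go pseudo-version suffix (group 4, an
// untagged commit such as -20191023171146-3cf2f69b5738), then anything else.
var verRE = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)(-\d{14}-[0-9a-f]{12})?(-.*)?$`)

// parse returns [major, minor, patch] and whether v is a pseudo-version.
func parse(v string) (n [3]int, pseudo bool, err error) {
	m := verRE.FindStringSubmatch(v)
	if m == nil {
		return n, false, fmt.Errorf("unparseable version %q", v)
	}
	for i := range n {
		n[i], _ = strconv.Atoi(m[i+1]) // digits only, so Atoi cannot fail here
	}
	return n, m[4] != "", nil
}

// Classify reports the jump kind: "patch", "minor", "major", "downgrade",
// "none", or "pseudo->tagged"/"pseudo->pseudo" when the old version is an
// untagged commit, the riskiest case because no release notes cover it.
func Classify(from, to string) (string, error) {
	f, fPseudo, err1 := parse(from)
	t, tPseudo, err2 := parse(to)
	if err1 != nil || err2 != nil {
		return "", fmt.Errorf("bad update %s -> %s: %v %v", from, to, err1, err2)
	}
	if fPseudo && tPseudo {
		return "pseudo->pseudo", nil
	}
	if fPseudo {
		return "pseudo->tagged", nil
	}
	for i, kind := range []string{"major", "minor", "patch"} {
		if t[i] < f[i] {
			return "downgrade", nil
		}
		if t[i] > f[i] {
			return kind, nil
		}
	}
	return "none", nil
}

// Constructed sample pair copied from the ranking above.
func main() { fmt.Println(Classify("v0.0.0-20181115193947-bf1c66bbce23", "v1.1.1")) }
```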