search

pulumi / pulumi-dotnet

.NET support for Pulumi
Apache License 2.0
28 stars 25 forks source link

Vulnerabilities in pulumi-language-dotnet due to github.com/go-git/go-git/v5 v5.4.2 #273

Closed robcao closed 5 months ago

robcao commented 5 months ago

What happened?

We're building a custom image with Pulumi and .NET, and we're seeing high vulnerabilities from the pulumi-language-dotnet binary as a result of github.com/go-git/v5 being on v5.4.2.

The CVEs are:

The recommended fix is to upgrade to 5.11.0. There is a dependabot PR to upgrade the package here: https://github.com/pulumi/pulumi-dotnet/pull/214.

There are several dependabot updates for packages in this repository that don't seem to be merged (such as for protobuf). What would it take to get them merged? I am willing to do the work. It looks as if the only change required is to update the changelog.

Example

Pull the latest pulumi/pulumi-dotnet image.

docker pull pulumi/pulumi-dotnet:3.118.0

Scan it with Trivy:

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image pulumi/pulumi-dotnet:3.118.0

View the following vulnerabilities in pulumi-language-dotnet:

pulumi/bin/pulumi-language-dotnet (gobinary)
============================================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 1)

┌─────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│           Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├─────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/go-git/go-git/v5 │ CVE-2023-49569 │ CRITICAL │ fixed  │ v5.4.2            │ 5.11.0        │ go-git: Maliciously crafted Git server replies can lead to   │
│                             │                │          │        │                   │               │ path traversal and...                                        │
│                             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-49569                   │
│                             ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│                             │ CVE-2023-49568 │ HIGH     │        │                   │               │ go-git: Maliciously crafted Git server replies can cause DoS │
│                             │                │          │        │                   │               │ on go-git clients...                                         │
│                             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-49568                   │
├─────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto         │ CVE-2023-48795 │ MEDIUM   │        │ v0.14.0           │ 0.17.0        │ ssh: Prefix truncation attack on Binary Packet Protocol      │
│                             │                │          │        │                   │               │ (BPP)                                                        │
│                             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-48795                   │
├─────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net            │ CVE-2023-45288 │          │        │ v0.17.0           │ 0.23.0        │ golang: net/http, x/net/http2: unlimited number of           │
│                             │                │          │        │                   │               │ CONTINUATION frames causes DoS                               │
│                             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
├─────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/protobuf  │ CVE-2024-24786 │          │        │ v1.30.0           │ 1.33.0        │ golang-protobuf: encoding/protojson, internal/encoding/json: │
│                             │                │          │        │                   │               │ infinite loop in protojson.Unmarshal when unmarshaling       │
│                             │                │          │        │                   │               │ certain forms of...                                          │
│                             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-24786                   │
└─────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Output of pulumi about

n/A

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

justinvp commented 5 months ago

Thanks for the heads-up @robcao! We'll get the dependencies updated.