rexagod / jirabot

Automated JIRA workflows.
GNU General Public License v3.0

Generate ProdSec auto-responses #1

Closed rexagod closed 1 month ago

rexagod commented 1 month ago

For cases where ProdSec bot opens up a ticket corresponding to a CVE that we are not directly affected by, i.e., none of the codepaths in the codebase use the affected symbols, do the following:

cc @jan--f

rexagod commented 1 month ago
┌[rexagod@nebuchadnezzar] [/dev/ttys001] [release-4.17] [3]
└[~/repositories/work/cluster-monitoring-operator]> # CVE-2024-24789 is evident pre-1.21.11 (for go1.21)
┌[rexagod@nebuchadnezzar] [/dev/ttys001] [release-4.17] [3]
└[~/repositories/work/cluster-monitoring-operator]> gvm install 1.21.10 && gvm use 1.21.10
Downloading 100% [===============] (65/65 MB, 3.7 MB/s)
Computing checksum with SHA256
Checksums matched
Now using go1.21.10
go version go1.21.10 darwin/arm64
┌[rexagod@nebuchadnezzar] [/dev/ttys001] [release-4.17]
└[~/repositories/work/cluster-monitoring-operator]> go version
go version go1.21.10 darwin/arm64
┌[rexagod@nebuchadnezzar] [/dev/ttys001] [release-4.17]
└[~/repositories/work/cluster-monitoring-operator]> go mod tidy && go mod vendor && /opt/homebrew/Cellar/govulncheck/1.1.3/bin/govulncheck ./...
zsh: correct './...' to './..' [nyae]? n
=== Symbol Results ===

Vulnerability #1: GO-2024-2963
    Denial of service due to improper 100-continue handling in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2963
  Standard library
    Found in: net/http@go1.21.10
    Fixed in: net/http@go1.21.12
    Example traces found:
      #1: test/e2e/framework/client.go:108:43: framework.PrometheusClient.Do calls http.Client.Do
      #2: test/e2e/framework/client.go:128:23: framework.WrapTransport calls http.Transport.RoundTrip

Vulnerability #2: GO-2024-2887
    Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in
    net/netip
  More info: https://pkg.go.dev/vuln/GO-2024-2887
  Standard library
    Found in: net/netip@go1.21.10
    Fixed in: net/netip@go1.21.11
    Example traces found:
      #1: examples/example-app/main.go:46:31: example.main calls http.ListenAndServe, which eventually calls netip.Addr.IsLoopback
      #2: examples/example-app/main.go:46:31: example.main calls http.ListenAndServe, which eventually calls netip.Addr.IsMulticast

Your code is affected by 2 vulnerabilities from the Go standard library.
This scan also found 1 vulnerability in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
┌[rexagod@nebuchadnezzar] [/dev/ttys001] [release-4.17] [3]
└[~/repositories/work/cluster-monitoring-operator]> go mod tidy && go mod vendor && /opt/homebrew/Cellar/govulncheck/1.1.3/bin/govulncheck -show verbose ./...
zsh: correct './...' to './..' [nyae]? n
Scanning your code and 1389 packages across 124 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-2963
    Denial of service due to improper 100-continue handling in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2963
  Standard library
    Found in: net/http@go1.21.10
    Fixed in: net/http@go1.21.12
    Example traces found:
      #1: test/e2e/framework/client.go:108:43: framework.PrometheusClient.Do calls http.Client.Do
      #2: test/e2e/framework/client.go:128:23: framework.WrapTransport calls http.Transport.RoundTrip

Vulnerability #2: GO-2024-2887
    Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in
    net/netip
  More info: https://pkg.go.dev/vuln/GO-2024-2887
  Standard library
    Found in: net/netip@go1.21.10
    Fixed in: net/netip@go1.21.11
    Example traces found:
      #1: examples/example-app/main.go:46:31: example.main calls http.ListenAndServe, which eventually calls netip.Addr.IsLoopback
      #2: examples/example-app/main.go:46:31: example.main calls http.ListenAndServe, which eventually calls netip.Addr.IsMulticast

=== Package Results ===

Vulnerability #1: GO-2024-2918
    Azure Identity Libraries Elevation of Privilege Vulnerability in
    github.com/Azure/azure-sdk-for-go/sdk/azidentity
  More info: https://pkg.go.dev/vuln/GO-2024-2918
  Module: github.com/Azure/azure-sdk-for-go/sdk/azidentity
    Found in: github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.4.0
    Fixed in: github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.6.0

=== Module Results ===

Vulnerability #1: GO-2024-2888
    Mishandling of corrupt central directory record in archive/zip
  More info: https://pkg.go.dev/vuln/GO-2024-2888
  Standard library
    Found in: stdlib@go1.21.10
    Fixed in: stdlib@go1.21.11

Vulnerability #2: GO-2022-0646
    Use of risky cryptographic algorithm in github.com/aws/aws-sdk-go
  More info: https://pkg.go.dev/vuln/GO-2022-0646
  Module: github.com/aws/aws-sdk-go
    Found in: github.com/aws/aws-sdk-go@v1.45.25
    Fixed in: N/A

Your code is affected by 2 vulnerabilities from the Go standard library.
This scan also found 1 vulnerability in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
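The deduction the bot needs from a scan like the one above is whether the ticket's CVE maps to a symbol-level finding (a codepath calls an affected symbol) or only to a package- or module-level one, in which case the "not directly affected" response applies. The Go program below is an added example, not code from jirabot or cluster-monitoring-operator: it reads govulncheck's `-json` stream (field names assumed from golang.org/x/vuln's `Message`, `Finding` and `Frame` types), keeps the deepest evidence per advisory, resolves a CVE through the OSV aliases, and drafts the response. The embedded input is constructed to mirror two of the findings in the scan above; the module path `example.com/cmo` is a placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"path"
	"strings"
)

// Constructed sample of govulncheck's -json stream (one JSON object per line).
// GO-2024-2888 (alias CVE-2024-24789) only reaches module level; GO-2024-2963
// is reported at module, package and symbol level for the same advisory.
const sampleScan = `
{"osv":{"id":"GO-2024-2888","aliases":["CVE-2024-24789"],"summary":"Mishandling of corrupt central directory record in archive/zip"}}
{"osv":{"id":"GO-2024-2963","summary":"Denial of service due to improper 100-continue handling in net/http"}}
{"finding":{"osv":"GO-2024-2888","fixed_version":"v1.21.11","trace":[{"module":"stdlib","version":"v1.21.10"}]}}
{"finding":{"osv":"GO-2024-2963","fixed_version":"v1.21.12","trace":[{"module":"stdlib","version":"v1.21.10","package":"net/http"}]}}
{"finding":{"osv":"GO-2024-2963","fixed_version":"v1.21.12","trace":[{"module":"stdlib","version":"v1.21.10","package":"net/http","function":"Do","receiver":"*Client"},{"module":"example.com/cmo","package":"example.com/cmo/test/e2e/framework","function":"Do","receiver":"*PrometheusClient"}]}}
`

// Minimal view of the stream; "config" and "progress" messages are ignored.
type message struct {
	OSV     *osvEntry `json:"osv,omitempty"`
	Finding *finding  `json:"finding,omitempty"`
}
type osvEntry struct {
	ID      string   `json:"id"`
	Aliases []string `json:"aliases"`
	Summary string   `json:"summary"`
}
type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []frame `json:"trace"` // trace[0] is the vulnerable symbol, last frame the entry point
}
type frame struct {
	Module, Version, Package, Function, Receiver string
}

// Level is how deeply the scanner could tie the advisory to this codebase.
type Level int

const (
	LevelModule  Level = iota // the vulnerable module is merely required
	LevelPackage              // a vulnerable package is imported
	LevelSymbol               // a codepath calls an affected symbol
)

func (l Level) String() string { return [...]string{"module", "package", "symbol"}[l] }

// Verdict is the per-advisory summary the bot would comment on the ticket.
type Verdict struct {
	ID, Summary, Fixed string
	Aliases            []string
	Level              Level
	Trace              string // entry-point-to-symbol chain, symbol level only
}

func levelOf(tr []frame) Level {
	switch {
	case len(tr) > 0 && tr[0].Function != "":
		return LevelSymbol
	case len(tr) > 0 && tr[0].Package != "":
		return LevelPackage
	}
	return LevelModule
}

// renderTrace prints the chain the way govulncheck's text output does: entry point first.
func renderTrace(tr []frame) string {
	parts := make([]string, 0, len(tr))
	for i := len(tr) - 1; i >= 0; i-- {
		name := tr[i].Function
		if tr[i].Receiver != "" {
			name = strings.TrimPrefix(tr[i].Receiver, "*") + "." + name
		}
		parts = append(parts, path.Base(tr[i].Package)+"."+name)
	}
	return strings.Join(parts, " calls ")
}

// Classify folds the stream into one Verdict per advisory, keeping the deepest level seen.
func Classify(r io.Reader) (map[string]*Verdict, error) {
	out := map[string]*Verdict{}
	get := func(id string) *Verdict {
		if _, ok := out[id]; !ok {
			out[id] = &Verdict{ID: id}
		}
		return out[id]
	}
	dec := json.NewDecoder(r)
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err
		}
		if m.OSV != nil {
			v := get(m.OSV.ID)
			v.Aliases, v.Summary = m.OSV.Aliases, m.OSV.Summary
		}
		if m.Finding != nil {
			v := get(m.Finding.OSV)
			if m.Finding.FixedVersion != "" {
				v.Fixed = m.Finding.FixedVersion
			}
			// One reachable symbol outweighs any number of package/module findings.
			if l := levelOf(m.Finding.Trace); l > v.Level {
				v.Level = l
				if l == LevelSymbol {
					v.Trace = renderTrace(m.Finding.Trace)
				}
			}
		}
	}
}

// Lookup resolves the ticket's identifier (CVE or GO-ID) via the OSV aliases.
func Lookup(vs map[string]*Verdict, id string) (*Verdict, bool) {
	if v, ok := vs[id]; ok {
		return v, true
	}
	for _, v := range vs {
		for _, a := range v.Aliases {
			if a == id {
				return v, true
			}
		}
	}
	return nil, false
}

// Affected is true only when a codepath actually calls an affected symbol.
func Affected(v *Verdict) bool { return v.Level == LevelSymbol }

// AutoResponse drafts the comment for the ticket from the verdict.
func AutoResponse(v *Verdict) string {
	if Affected(v) {
		return fmt.Sprintf("%s (%s): affected; govulncheck found a call into the vulnerable symbol: %s. Fixed in %s.",
			v.ID, v.Summary, v.Trace, v.Fixed)
	}
	return fmt.Sprintf("%s (%s): not directly affected; govulncheck ties it to this codebase at %s level only, no codepath calls the affected symbols. Fixed in %s.",
		v.ID, v.Summary, v.Level, v.Fixed)
}

func main() {
	in := io.Reader(strings.NewReader(sampleScan))
	if len(os.Args) > 1 && os.Args[1] == "-" { // read a real scan from stdin
		in = os.Stdin
	}
	vs, err := Classify(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, id := range []string{"CVE-2024-24789", "GO-2024-2963"} {
		if v, ok := Lookup(vs, id); ok {
			fmt.Println(AutoResponse(v))
		}
	}
}
```

Run with no arguments to see the two drafted responses for the constructed input, or pipe a real scan in with `govulncheck -json ./... | go run main.go -`. Working from the JSON stream rather than the text report matters because the text output prints only one example trace per advisory, while the stream carries every finding, so the verdict never downgrades a symbol-level hit just because a later module-level finding arrived.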

rexagod commented 1 month ago

The support ticket I raised (based on the feedback I got in #help-product-security) seems to have been transitioned to CEE: service-now link. I put down the requested time of addressal as two weeks so there's still time left.

rexagod commented 1 month ago

[Post-sync with Jan] Instead of making hard-changes (changing status to closed or reassigning to the ART team in certain cases), comment the deductions to cut short the research effort for the current assignee. These would include information about:

rexagod commented 1 month ago

[Discussed in call] The bot should not overlap with other teams' automations.