intelligentfu
commented
1 day ago Oh, the image is built with github action, the dockerfile use 1.19 as builder not match go.mod. I will fix it in the next patch version. I will look into Trivy to check our code. thanks for your work.
Our scanner (Trivy) is showing the following critical vulnerability: https://avd.aquasec.com/nvd/2024/cve-2024-24790/
👉 According to our scanner, the image has been built with go 1.19.13, which does match with
go.modfile.The following is to run
govulncheckagainst the branch supposeldly used to build operator image version 1.6.0:
```text === Symbol Results === Vulnerability #1: GO-2024-2963 Denial of service due to improper 100-continue handling in net/http More info: https://pkg.go.dev/vuln/GO-2024-2963 Standard library Found in: net/http@go1.21.7 Fixed in: net/http@go1.21.12 Example traces found: #1: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which calls http.Client.Do Vulnerability #2: GO-2024-2887 Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip More info: https://pkg.go.dev/vuln/GO-2024-2887 Standard library Found in: net/netip@go1.21.7 Fixed in: net/netip@go1.21.11 Example traces found: #1: cmd/doris-debug/main.go:29:31: doris.main calls http.ListenAndServe, which eventually calls netip.Addr.IsLoopback #2: cmd/doris-debug/main.go:29:31: doris.main calls http.ListenAndServe, which eventually calls netip.Addr.IsMulticast Vulnerability #3: GO-2024-2687 HTTP/2 CONTINUATION flood in net/http More info: https://pkg.go.dev/vuln/GO-2024-2687 Module: golang.org/x/net Found in: golang.org/x/net@v0.16.0 Fixed in: golang.org/x/net@v0.23.0 Example traces found: #1: client/clientset/versioned/clientset.go:67:39: versioned.NewForConfig calls rest.HTTPClientFor, which eventually calls http2.ConfigureTransports #2: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http2.ConnectionError.Error #3: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http2.ErrCode.String #4: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http2.FrameHeader.String #5: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http2.FrameType.String #6: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http2.GoAwayError.Error #7: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http2.Setting.String #8: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http2.SettingID.String #9: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http2.StreamError.Error #10: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http2.Transport.NewClientConn #11: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http2.Transport.RoundTrip #12: pkg/common/utils/hash/hash.go:41:17: hash.WriteHashObject calls spew.ConfigState.Fprintf, which eventually calls http2.chunkWriter.Write #13: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http2.connError.Error #14: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls json.UnmarshalStrictError.Error, which calls http2.duplicatePseudoHeaderError.Error #15: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http2.gzipReader.Close #16: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http2.gzipReader.Read #17: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls json.UnmarshalStrictError.Error, which calls http2.headerFieldNameError.Error #18: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls json.UnmarshalStrictError.Error, which calls http2.headerFieldValueError.Error #19: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http2.noDialH2RoundTripper.RoundTrip #20: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls json.UnmarshalStrictError.Error, which calls http2.pseudoHeaderError.Error #21: pkg/common/utils/hash/hash.go:41:17: hash.WriteHashObject calls spew.ConfigState.Fprintf, which eventually calls http2.stickyErrWriter.Write #22: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http2.transportResponseBody.Close #23: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http2.transportResponseBody.Read #24: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http2.writeData.String Standard library Found in: net/http@go1.21.7 Fixed in: net/http@go1.21.9 Example traces found: #1: cmd/operator/main.go:133:48: operator.main calls manager.controllerManager.GetWebhookServer, which eventually calls http.CanonicalHeaderKey #2: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which calls http.Client.Do #3: client/clientset/versioned/typed/doris/v1/doriscluster.go:190:7: doris.dorisClusters.Patch calls rest.Request.Body, which eventually calls http.Header.Add #4: client/clientset/versioned/typed/doris/v1/doriscluster.go:190:7: doris.dorisClusters.Patch calls rest.Request.Body, which eventually calls http.Header.Del #5: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.Header.Get #6: cmd/doris-debug/main.go:29:31: doris.main calls http.ListenAndServe #7: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.NewRequest #8: cmd/operator/main.go:154:21: operator.main calls manager.controllerManager.Start, which eventually calls http.Server.Serve #9: cmd/operator/main.go:154:21: operator.main calls manager.controllerManager.Start, which eventually calls http.Server.Shutdown #10: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.body.Close #11: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.body.Read #12: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.bodyEOFSignal.Close #13: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.bodyEOFSignal.Read #14: pkg/common/utils/resource/configmap.go:103:20: resource.ResolveConfigMaps calls viper.ReadConfig, which eventually calls http.bodyLocked.Read #15: pkg/common/utils/mysql/mysql.go:39:20: mysql.DB.Close calls sql.DB.Close, which eventually calls http.bufioFlushWriter.Write #16: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.cancelTimerBody.Close #17: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.cancelTimerBody.Read #18: pkg/common/utils/hash/hash.go:41:17: hash.WriteHashObject calls spew.ConfigState.Fprintf, which eventually calls http.checkConnErrorWriter.Write #19: pkg/common/utils/hash/hash.go:41:17: hash.WriteHashObject calls spew.ConfigState.Fprintf, which eventually calls http.chunkWriter.Write #20: pkg/common/utils/resource/configmap.go:103:20: resource.ResolveConfigMaps calls viper.ReadConfig, which eventually calls http.connReader.Read #21: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.expectContinueReader.Close #22: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.expectContinueReader.Read #23: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.gzipReader.Close #24: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.gzipReader.Read #25: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http.http2ConnectionError.Error #26: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http.http2ErrCode.String #27: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http.http2FrameHeader.String #28: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http.http2FrameType.String #29: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http.http2FrameWriteRequest.String #30: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http.http2GoAwayError.Error #31: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http.http2Setting.String #32: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http.http2SettingID.String #33: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http.http2StreamError.Error #34: pkg/common/utils/hash/hash.go:41:17: hash.WriteHashObject calls spew.ConfigState.Fprintf, which eventually calls http.http2chunkWriter.Write #35: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http.http2connError.Error #36: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http.http2duplicatePseudoHeaderError.Error #37: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.http2gzipReader.Close #38: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.http2gzipReader.Read #39: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http.http2headerFieldNameError.Error #40: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http.http2headerFieldValueError.Error #41: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http.http2pseudoHeaderError.Error #42: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.http2requestBody.Close #43: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.http2requestBody.Read #44: cmd/doris-debug/main.go:26:13: doris.main calls fmt.Println, which eventually calls http.http2responseWriter.Write #45: cmd/doris-debug/main.go:26:13: doris.main calls fmt.Println, which eventually calls http.http2responseWriter.WriteHeader #46: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls json.UnmarshalStrictError.Error, which eventually calls http.http2responseWriter.WriteString #47: pkg/common/utils/hash/hash.go:41:17: hash.WriteHashObject calls spew.ConfigState.Fprintf, which eventually calls http.http2stickyErrWriter.Write #48: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.http2transportResponseBody.Close #49: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.http2transportResponseBody.Read #50: pkg/common/utils/hash/hash.go:26:19: hash.HashObject calls fmt.Sprint, which eventually calls http.http2writeData.String #51: pkg/common/utils/hash/hash.go:41:17: hash.WriteHashObject calls spew.ConfigState.Fprintf, which eventually calls http.loggingConn.Write #52: pkg/common/utils/resource/configmap.go:103:20: resource.ResolveConfigMaps calls viper.ReadConfig, which eventually calls http.maxBytesReader.Read #53: cmd/operator/main.go:133:48: operator.main calls manager.controllerManager.GetWebhookServer, which eventually calls http.onceCloseListener.Close #54: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.persistConn.Read #55: pkg/common/utils/mysql/mysql.go:39:20: mysql.DB.Close calls sql.DB.Close, which eventually calls http.persistConnWriter.ReadFrom #56: pkg/common/utils/hash/hash.go:41:17: hash.WriteHashObject calls spew.ConfigState.Fprintf, which eventually calls http.persistConnWriter.Write #57: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which eventually calls http.readTrackingBody.Close #58: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.readTrackingBody.Read #59: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls http.readWriteCloserBody.Read #60: pkg/common/utils/mysql/mysql.go:39:20: mysql.DB.Close calls sql.DB.Close, which eventually calls http.response.ReadFrom #61: cmd/doris-debug/main.go:26:13: doris.main calls fmt.Println, which eventually calls http.response.Write #62: cmd/doris-debug/main.go:26:13: doris.main calls fmt.Println, which eventually calls http.response.WriteHeader #63: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls json.UnmarshalStrictError.Error, which eventually calls http.response.WriteString #64: cmd/doris-debug/main.go:26:13: doris.main calls fmt.Println, which eventually calls http.timeoutWriter.Write #65: cmd/doris-debug/main.go:26:13: doris.main calls fmt.Println, which eventually calls http.timeoutWriter.WriteHeader #66: pkg/common/utils/k8s/client.go:220:123: k8s.GetConfigMaps calls http.transportReadFromServerError.Error Vulnerability #4: GO-2024-2600 Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http More info: https://pkg.go.dev/vuln/GO-2024-2600 Standard library Found in: net/http@go1.21.7 Fixed in: net/http@go1.21.8 Example traces found: #1: client/clientset/versioned/typed/doris/v1/doriscluster.go:108:8: doris.dorisClusters.Watch calls rest.Request.Watch, which calls http.Client.Do Vulnerability #5: GO-2024-2599 Memory exhaustion in multipart form parsing in net/textproto and net/http More info: https://pkg.go.dev/vuln/GO-2024-2599 Standard library Found in: net/textproto@go1.21.7 Fixed in: net/textproto@go1.21.8 Example traces found: #1: cmd/doris-debug/main.go:29:31: doris.main calls http.ListenAndServe, which eventually calls textproto.Reader.ReadLine #2: cmd/doris-debug/main.go:29:31: doris.main calls http.ListenAndServe, which eventually calls textproto.Reader.ReadMIMEHeader Vulnerability #6: GO-2024-2598 Verify panics on certificates with an unknown public key algorithm in crypto/x509 More info: https://pkg.go.dev/vuln/GO-2024-2598 Standard library Found in: crypto/x509@go1.21.7 Fixed in: crypto/x509@go1.21.8 Example traces found: #1: pkg/common/utils/certificate/certificate.go:50:25: certificate.NewCAConfigSecret calls rand.Int, which eventually calls x509.Certificate.Verify Your code is affected by 6 vulnerabilities from the Go standard library. This scan also found 2 vulnerabilities in packages you import and 3 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities. ```SEE FULL REPORT