testcontainers / testcontainers-go

Testcontainers for Go is a Go package that makes it simple to create and clean up container-based dependencies for automated integration/smoke tests. The clean, easy-to-use API enables developers to programmatically define containers that should be run as part of a test and clean up those resources when the test is done.
https://golang.testcontainers.org
MIT License

[Bug]: Vulnerability Report: GO-2023-1621 #935

Closed lmitelman closed 6 months ago

lmitelman commented 1 year ago

Testcontainers version

0.19.0

Using the latest Testcontainers version?

Yes

Host OS

Linux

Host arch

ARM

Go version

1.20

Docker version

20.10.13

Docker info

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc., v0.8.1)
  compose: Docker Compose (Docker Inc., v2.3.3)
  scan: Docker Scan (Docker Inc., v0.17.0)

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 8
 Server Version: 20.10.13
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 2a1d4dbdb2a1030dc5b01e96fb110a9d9f150ecc
 runc version: v1.0.3-0-gf46b6ba
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.10.104-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 7.667GiB
 Name: docker-desktop
 ID: O6RA:BAA5:FBCA:IOWG:EDNE:XUAN:GSTB:HCOV:YOH7:QB53:XGHO:L3XP
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5000
  127.0.0.0/8
 Live Restore Enabled: false

What happened?

A new vulnerability was found in the crypto dependency, which is used by testcontainers!

I strongly recommend bumping that dependency, as SonarQube and other tools do not let pipelines through!

Vulnerability #1: GO-2023-1621
  The ScalarMult and ScalarBaseMult methods of the P256 Curve may
  return an incorrect result if called with some specific
  unreduced scalars (a scalar larger than the order of the curve).
  This does not impact usages of crypto/ecdsa or crypto/ecdh.

  More info: https://pkg.go.dev/vuln/GO-2023-1621

  Standard library
    Found in: crypto/internal/nistec@go1.20.1
    Fixed in: crypto/internal/nistec@go1.20.2

Additional information

https://pkg.go.dev/vuln/GO-2023-1621
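As an added illustration (not code from the issue or from testcontainers-go) of what the advisory text above means in practice: the affected input class is a scalar larger than the curve order N handed to the legacy `elliptic.Curve.ScalarMult` API. Reducing the scalar modulo N first never changes a mathematically correct result, since k*P == (k mod N)*P, and the helper below checks that the reduced and unreduced paths agree on a patched toolchain (go1.20.2 or later, as the advisory states). The names `scalarMultReduced` and `sameBasePoint` and the constructed scalar N + d are assumptions of this example.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// scalarMultReduced reduces k modulo the curve order N before calling the
// legacy ScalarMult, so the implementation only ever sees a scalar in [0, N).
// crypto/ecdsa and crypto/ecdh already work with reduced scalars, which is
// why the advisory says they are not affected.
func scalarMultReduced(curve elliptic.Curve, x, y, k *big.Int) (*big.Int, *big.Int) {
	n := curve.Params().N
	kr := new(big.Int).Mod(k, n) // big.Int.Mod returns a value in [0, N)
	return curve.ScalarMult(x, y, kr.Bytes())
}

// sameBasePoint builds a constructed unreduced scalar k = N + d (the "scalar
// larger than the order of the curve" case from GO-2023-1621), multiplies the
// base point by it directly and via the reduced path, and reports whether both
// results agree. On a fixed toolchain they must.
func sameBasePoint(curve elliptic.Curve, d int64) bool {
	params := curve.Params()
	k := new(big.Int).Add(params.N, big.NewInt(d)) // constructed: k > N
	x1, y1 := curve.ScalarMult(params.Gx, params.Gy, k.Bytes())
	x2, y2 := scalarMultReduced(curve, params.Gx, params.Gy, k)
	return x1.Cmp(x2) == 0 && y1.Cmp(y2) == 0
}

func main() {
	for _, d := range []int64{1, 2, 12345} {
		fmt.Printf("P-256, k = N+%d: reduced and unreduced paths agree: %v\n",
			d, sameBasePoint(elliptic.P256(), d))
	}
}
```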

mdelapenya commented 6 months ago

I think we can close this, as the project is using 1.21 as the minimum version. Thanks!