search

umputun / reproxy

Simple edge server / reverse proxy
http://reproxy.io
MIT License
1.21k stars 90 forks source link

trivy action and configuration #149

Closed damianoneill closed 7 months ago

damianoneill commented 1 year ago

Hi @umputun thanks for your work on reproxy.

Please consider this GitHub workflow for using trivy to identify security vulnerabilities in reproxy.

The action will run on commits to master and will identify any security issues identified by trivy against the docker image, it will use the config defined in the ./trivy.yaml for what it should do on the workflow execution. Currently, it is configured to identify Critical and High issues in the OS and Libraries.

You can set the exit code to 0 if you don't want the workflow to fail if it identifies vuln's.

Thanks, Damian.

damianoneill commented 1 year ago

fyi it's currently showing one issue. 

srv/reproxy (gobinary)
======================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │         Installed Version          │           Fixed Version           │                            Title                            │
├──────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2022-[27](https://github.com/damianoneill/reproxy/actions/runs/3253323108/jobs/5340483552#step:5:28)664 │ HIGH     │ v0.0.0-20220412020605-[29](https://github.com/damianoneill/reproxy/actions/runs/3253323108/jobs/5340483552#step:5:30)0c469a71a5 │ 0.0.0-20220906165146-f[33](https://github.com/damianoneill/reproxy/actions/runs/3253323108/jobs/5340483552#step:5:34)63e06e74c │ golang: net/http: handle server errors after sending GOAWAY │
│                  │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27664                  │
└──────────────────┴────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴─────────────────────────────────────────────────────────────┘
damianoneill commented 1 year ago

resolved by updating golang.org/x/net to 0.0.0-20220906165146-f3363e06e74c

damianoneill commented 1 year ago

@umputun I can raise a separate PR to resolve the trivy issue if you'd like?

umputun commented 1 year ago

I wonder if we need another third-party service for this. What about https://go.dev/blog/vuln ?

damianoneill commented 1 year ago

Interestingly it identified different Critical vul's 

➜  reproxy git:(master) govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.

Vulnerability #1: GO-2022-1039
  Programs which compile regular expressions from untrusted
  sources may be vulnerable to memory exhaustion or denial of
  service. The parsed regexp representation is linear in the size
  of the input, but in some cases the constant factor can be as
  high as 40,000, making relatively small regexps consume much
  larger amounts of memory. After fix, each regexp being parsed is
  limited to a 256 MB memory footprint. Regular expressions whose
  representation would use more space than that are rejected.
  Normal use of regular expressions is unaffected.

  Call stacks in your code:
      app/discovery/provider/consulcatalog/consulcatalog.go:172:34: github.com/umputun/reproxy/app/discovery/provider/consulcatalog.ConsulCatalog.List calls regexp.Compile, which eventually calls regexp/syntax.Parse

  Found in: regexp/syntax@go1.19.1
  Fixed in: regexp/syntax@go1.19.2
  More info: https://pkg.go.dev/vuln/GO-2022-1039

=== Informational ===

The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-1038
  Requests forwarded by ReverseProxy include the raw query parameters from
  the inbound request, including unparseable parameters rejected by net/http.
  This could permit query parameter smuggling when a Go proxy forwards a
  parameter with an unparseable value.

  After fix, ReverseProxy sanitizes the query parameters in the forwarded
  query when the outbound request's Form field is set after the ReverseProxy.
  Director function returns, indicating that the proxy has parsed the query
  parameters. Proxies which do not parse query parameters continue to forward
  the original query parameters unchanged.

  Found in: net/http/httputil@go1.19.1
  Fixed in: net/http/httputil@go1.19.2
  More info: https://pkg.go.dev/vuln/GO-2022-1038