Closed damianoneill closed 7 months ago
fyi it's currently showing one issue.
srv/reproxy (gobinary)
======================
Total: 1 (HIGH: 1, CRITICAL: 0)
┌──────────────────┬────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2022-[27](https://github.com/damianoneill/reproxy/actions/runs/3253323108/jobs/5340483552#step:5:28)664 │ HIGH │ v0.0.0-20220412020605-[29](https://github.com/damianoneill/reproxy/actions/runs/3253323108/jobs/5340483552#step:5:30)0c469a71a5 │ 0.0.0-20220906165146-f[33](https://github.com/damianoneill/reproxy/actions/runs/3253323108/jobs/5340483552#step:5:34)63e06e74c │ golang: net/http: handle server errors after sending GOAWAY │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-27664 │
└──────────────────┴────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴─────────────────────────────────────────────────────────────┘
resolved by updating golang.org/x/net to 0.0.0-20220906165146-f3363e06e74c
@umputun I can raise a separate PR to resolve the trivy issue if you'd like?
I wonder if we need another third-party service for this. What about https://go.dev/blog/vuln ?
Interestingly it identified different Critical vul's
➜ reproxy git:(master) govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.
Vulnerability #1: GO-2022-1039
Programs which compile regular expressions from untrusted
sources may be vulnerable to memory exhaustion or denial of
service. The parsed regexp representation is linear in the size
of the input, but in some cases the constant factor can be as
high as 40,000, making relatively small regexps consume much
larger amounts of memory. After fix, each regexp being parsed is
limited to a 256 MB memory footprint. Regular expressions whose
representation would use more space than that are rejected.
Normal use of regular expressions is unaffected.
Call stacks in your code:
app/discovery/provider/consulcatalog/consulcatalog.go:172:34: github.com/umputun/reproxy/app/discovery/provider/consulcatalog.ConsulCatalog.List calls regexp.Compile, which eventually calls regexp/syntax.Parse
Found in: regexp/syntax@go1.19.1
Fixed in: regexp/syntax@go1.19.2
More info: https://pkg.go.dev/vuln/GO-2022-1039
=== Informational ===
The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.
Vulnerability #1: GO-2022-1038
Requests forwarded by ReverseProxy include the raw query parameters from
the inbound request, including unparseable parameters rejected by net/http.
This could permit query parameter smuggling when a Go proxy forwards a
parameter with an unparseable value.
After fix, ReverseProxy sanitizes the query parameters in the forwarded
query when the outbound request's Form field is set after the ReverseProxy.
Director function returns, indicating that the proxy has parsed the query
parameters. Proxies which do not parse query parameters continue to forward
the original query parameters unchanged.
Found in: net/http/httputil@go1.19.1
Fixed in: net/http/httputil@go1.19.2
More info: https://pkg.go.dev/vuln/GO-2022-1038
Hi @umputun thanks for your work on reproxy.
Please consider this GitHub workflow for using trivy to identify security vulnerabilities in reproxy.
The action will run on commits to master and will identify any security issues identified by trivy against the docker image, it will use the config defined in the ./trivy.yaml for what it should do on the workflow execution. Currently, it is configured to identify Critical and High issues in the OS and Libraries.
You can set the exit code to 0 if you don't want the workflow to fail if it identifies vuln's.
Thanks, Damian.