
update dependencies to clear security vulns #494

Closed
wants to merge 1 commit into from

Conversation

nycnewman
Contributor

Current trivy scan of 1.9.1 shows:

bin/grpcurl (gobinary)

Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 1, CRITICAL: 1)

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| golang.org/x/net | CVE-2023-45288 | MEDIUM | fixed | v0.22.0 | 0.23.0 | golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (https://avd.aquasec.com/nvd/cve-2023-45288) |
| stdlib | CVE-2024-24790 | CRITICAL | fixed | v1.21.9 | 1.21.11, 1.22.4 | golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (https://avd.aquasec.com/nvd/cve-2024-24790) |
| stdlib | CVE-2024-34156 | HIGH | fixed | v1.21.9 | 1.22.7, 1.23.1 | encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures... (https://avd.aquasec.com/nvd/cve-2024-34156) |
| stdlib | CVE-2024-24789 | MEDIUM | fixed | v1.21.9 | 1.21.11, 1.22.4 | golang: archive/zip: Incorrect handling of certain ZIP files (https://avd.aquasec.com/nvd/cve-2024-24789) |
| stdlib | CVE-2024-24791 | MEDIUM | fixed | v1.21.9 | 1.21.12, 1.22.5 | net/http: Denial of service due to improper 100-continue handling in net/http (https://avd.aquasec.com/nvd/cve-2024-24791) |
| stdlib | CVE-2024-34155 | MEDIUM | fixed | v1.21.9 | 1.22.7, 1.23.1 | go/parser: golang: Calling any of the Parse functions containing deeply nested literals... (https://avd.aquasec.com/nvd/cve-2024-34155) |
| stdlib | CVE-2024-34158 | MEDIUM | fixed | v1.21.9 | 1.22.7, 1.23.1 | go/build/constraint: golang: Calling Parse on a "// +build" build tag line with... (https://avd.aquasec.com/nvd/cve-2024-34158) |

@nycnewman
Contributor Author

If approved, can we please cut a new release as well?

@dragonsinth
Member

Hi @nycnewman, which specific vulns affect grpcurl?

@nycnewman
Contributor Author

nycnewman commented Nov 27, 2024

According to the table included above, there are issues in golang.org/x/net and stdlib (one critical). The issues show in Trivy and other scanners for the Go dependencies of release 1.9.1.

@dragonsinth
Member

Right, I'm asking which one(s) are exploitable / directly affect grpcurl.

@nycnewman
Contributor Author

nycnewman commented Nov 27, 2024

Aha... there's the fun of vuln mgt. We include grpcurl in a Docker image, and when that gets scanned the issues with the libraries get highlighted. In particular, Microsoft refuses to allow Docker images with High or Critical vulnerabilities into the Azure marketplace and thus refuses this image. So this is more about keeping libraries up to date rather than anything specifically exploitable via a code path.

Until SBOM/VEX matures and allows us and you to explain that this is not exploitable, we get pushed to update to the latest libraries.

@dragonsinth
Member

Understood. Well, here's the deal:

  1. We support the most recent 3 versions of Go.
  2. We use dependabot to auto update dependencies.
  3. It's very easy to build the project from source with whatever dependencies you want.

So, net-net, without a clear, direct threat model on how a specific vuln directly affects grpcurl, our policy is not to reactively update dependencies simply because some vuln exists in the world.

We don't wish to take part in supporting the madness you're dealing with, or in perpetuating the myth that an old library with a known, benign vulnerability is somehow worse than a brand new library whose vulnerabilities are as yet unknown but might actually be worse.

@@ -1,31 +1,31 @@
module github.com/fullstorydev/grpcurl

go 1.19
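Review bot: the `go 1.19` directive is left as unchanged context here while the maintainer states the minimum supported version is 1.21; bumping it to `go 1.21` would keep go.mod honest and, since Go 1.21 honours a `toolchain` directive, would let the module pin the Go version used to build releases. That matters because the stdlib rows in the scan are fixed by the toolchain that compiles `bin/grpcurl`, not by dependency bumps, so the HIGH finding CVE-2024-34156 only clears with 1.22.7 / 1.23.1 or later per the scan's Fixed Version column.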
Member


That being said, our min supported version right now is actually go 1.21, so if we wanted to just update this directive to go 1.21 and then see what dependabot does from there, that would be acceptable
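As an added example (not grpcurl's own code), the Go program below takes the stdlib rows from the trivy table in the PR description and reports which findings a binary built with a given toolchain would still carry, which is the question behind "update the directive to go 1.21 and see what dependabot does". It assumes Go's usual backport pattern (a fix named for a release line applies from that patch on, a newer line already contains it, an older line never received it); with that rule, no 1.21.x toolchain clears the HIGH finding CVE-2024-34156, which is fixed only in 1.22.7 / 1.23.1.

```go
package main

import (
	"fmt"
	"strings"
)

// finding is one stdlib row of the scan above; fixed is its "Fixed Version" column.
type finding struct{ id string; fixed []string }
// scanFindings are the stdlib rows copied from the trivy table in the PR description.
var scanFindings = []finding{
	{"CVE-2024-24790", []string{"1.21.11", "1.22.4"}},
	{"CVE-2024-34156", []string{"1.22.7", "1.23.1"}},
	{"CVE-2024-24789", []string{"1.21.11", "1.22.4"}},
	{"CVE-2024-24791", []string{"1.21.12", "1.22.5"}},
	{"CVE-2024-34155", []string{"1.22.7", "1.23.1"}},
	{"CVE-2024-34158", []string{"1.22.7", "1.23.1"}},
}

// parseVersion reads "v1.21.9", "go1.22.4" or "1.23" into (minor, patch); non-Go-1.x input yields (0, 0).
func parseVersion(v string) (minor, patch int) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	fmt.Sscanf(v, "1.%d.%d", &minor, &patch) // a missing patch number leaves patch at 0
	return minor, patch
}

// clearedBy reports whether a binary built with toolchain carries the fix for f, under the
// assumed backport rule: named line clean from that patch on, newer line clean, older line never fixed.
func clearedBy(toolchain string, f finding) bool {
	tMinor, tPatch := parseVersion(toolchain)
	newest := -1
	for _, fx := range f.fixed {
		fMinor, fPatch := parseVersion(fx)
		if fMinor == tMinor {
			return tPatch >= fPatch
		}
		if fMinor > newest {
			newest = fMinor
		}
	}
	return tMinor > newest
}

// Unfixed lists the scan findings still open in a binary built with toolchain.
func Unfixed(toolchain string) []string {
	var open []string
	for _, f := range scanFindings {
		if !clearedBy(toolchain, f) {
			open = append(open, f.id)
		}
	}
	return open
}
```

Calling Unfixed with "1.21.12" (the newest 1.21 fix in the table) still returns the three findings fixed only in 1.22.7 / 1.23.1, while "1.22.7" returns none.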

@nycnewman
Contributor Author

OK. I'll close out this PR, try this, and resubmit if it gets us to a clean binary.

@nycnewman nycnewman closed this Nov 27, 2024
@nycnewman nycnewman deleted the update-security branch November 27, 2024 23:29