Go vulnerability check failed #27

@oxf71

Description

 git rev-parse --short=7 HEAD
bd1db00
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
Scanning your code and 804 packages across 141 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2024-2466
    Denial of service in github.com/go-git/go-git/v5 and
    gopkg.in/src-d/go-git.v4
  More info: https://pkg.go.dev/vuln/GO-2024-2466
  Module: github.com/go-git/go-git/v5
    Found in: github.com/go-git/go-git/v5@v5.10.0
    Fixed in: github.com/go-git/go-git/v5@v5.11.0
    Example traces found:
      #1: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls config.Branch.Validate
      #2: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone
      #3: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls config.Config.Validate
      #4: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.ConfigStorage.Config
      #5: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.ConfigStorage.SetConfig
      #6: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls dotgit.DotGit.Alternates
      #7: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.ModuleStorage.Module
      #8: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.NewStorage
      #9: etherman/etherman.go:1097:83: etherman.Client.GetL1GasPrice calls git.NoMatchingRefSpecError.Error
      #10: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.ObjectStorage.EncodedObject
      #11: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls config.ReadConfig
      #12: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls config.RemoteConfig.Validate

Vulnerability #2: GO-2024-2456
    Path traversal and RCE in github.com/go-git/go-git/v5 and
    gopkg.in/src-d/go-git.v4
  More info: https://pkg.go.dev/vuln/GO-2024-2456
  Module: github.com/go-git/go-git/v5
    Found in: github.com/go-git/go-git/v5@v5.10.0
    Fixed in: github.com/go-git/go-git/v5@v5.11.0
    Example traces found:
      #1: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls config.Branch.Validate
      #2: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone
      #3: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls config.Config.Validate
      #4: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.ConfigStorage.Config
      #5: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.ConfigStorage.SetConfig
      #6: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls dotgit.DotGit.Alternates
      #7: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.ModuleStorage.Module
      #8: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.NewStorage
      #9: etherman/etherman.go:1097:83: etherman.Client.GetL1GasPrice calls git.NoMatchingRefSpecError.Error
      #10: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.ObjectStorage.EncodedObject
      #11: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls config.ReadConfig
      #12: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls config.RemoteConfig.Validate

Vulnerability #3: GO-2023-2402
    Man-in-the-middle attacker can compromise integrity of secure channel in
    golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2023-2402
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.14.0
    Fixed in: golang.org/x/crypto@v0.17.0
    Example traces found:
      #1: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls ssh.Client.NewSession
      #2: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls ssh.NewClient
      #3: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls ssh.NewClientConn
      #4: test/operations/wait.go:210:25: operations.NodeUpCondition calls io.ReadAll, which eventually calls ssh.Session.Close
      #5: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls ssh.Session.Start
      #6: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls ssh.channel.Close
      #7: test/scripts/cmd/compilesc/manager.go:225:14: compilesc.Manager.Abigen calls exec.Cmd.Run, which eventually calls ssh.channel.CloseWrite
      #8: test/operations/wait.go:210:25: operations.NodeUpCondition calls io.ReadAll, which eventually calls ssh.channel.Read
      #9: jsonrpc/client/client.go:103:2: client.JSONRPCBatchCall calls http.body.Close, which eventually calls ssh.channel.Write
      #10: test/operations/wait.go:210:25: operations.NodeUpCondition calls io.ReadAll, which eventually calls ssh.extChannel.Read
      #11: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls ssh.sessionStdin.Close

Vulnerability #4: GO-2023-2382
    Denial of service via chunk extensions in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-2382
  Standard library
    Found in: net/http/internal@go1.21.4
    Fixed in: net/http/internal@go1.21.5
    Example traces found:
      #1: test/operations/wait.go:210:25: operations.NodeUpCondition calls io.ReadAll, which eventually calls internal.chunkedReader.Read

Vulnerability #5: GO-2023-2185
    Insecure parsing of Windows paths with a \??\ prefix in path/filepath
  More info: https://pkg.go.dev/vuln/GO-2023-2185
  Standard library
    Found in: path/filepath@go1.21.4
    Fixed in: path/filepath@go1.21.5
    Platforms: windows
    Example traces found:
      #1: test/scripts/cmd/compilesc/manager.go:225:14: compilesc.Manager.Abigen calls exec.Cmd.Run, which eventually calls filepath.Abs
      #2: test/scripts/cmd/compilesc/manager.go:225:14: compilesc.Manager.Abigen calls exec.Cmd.Run, which eventually calls filepath.Abs
      #3: test/vectors/statetransition_v2.go:32:55: vectors.LoadStateTransitionTestCaseV2 calls filepath.Base
      #4: test/vectors/statetransition_v2.go:32:55: vectors.LoadStateTransitionTestCaseV2 calls filepath.Base
      #5: test/scripts/cmd/dependencies/github.go:205:39: dependencies.AdapterFs.RemoveAll calls filepath.Clean
      #6: test/scripts/cmd/dependencies/github.go:205:39: dependencies.AdapterFs.RemoveAll calls filepath.Clean
      #7: test/operations/manager.go:546:22: operations.runCmd calls filepath.Dir
      #8: test/operations/manager.go:546:22: operations.runCmd calls filepath.Dir
      #9: state/state.go:45:9: state.NewState calls sync.Once.Do, which eventually calls filepath.EvalSymlinks
      #10: state/state.go:45:9: state.NewState calls sync.Once.Do, which eventually calls filepath.EvalSymlinks
      #11: state/state.go:45:9: state.NewState calls sync.Once.Do, which eventually calls filepath.Glob
      #12: state/state.go:45:9: state.NewState calls sync.Once.Do, which eventually calls filepath.Glob
      #13: test/scripts/cmd/dependencies/github.go:200:22: dependencies.AdapterFs.Join calls filepath.Join
      #14: test/scripts/cmd/dependencies/github.go:200:22: dependencies.AdapterFs.Join calls filepath.Join
      #15: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filepath.Rel
      #16: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filepath.Rel
      #17: config/config.go:146:38: config.Load calls filepath.Split
      #18: config/config.go:146:38: config.Load calls filepath.Split
      #19: test/scripts/cmd/compilesc/manager.go:225:14: compilesc.Manager.Abigen calls exec.Cmd.Run, which eventually calls filepath.VolumeName
      #20: test/scripts/cmd/compilesc/manager.go:225:14: compilesc.Manager.Abigen calls exec.Cmd.Run, which eventually calls filepath.VolumeName
      #21: cmd/jsonschema.go:15:53: cmd.genJSONSchema calls jsonschema.Reflector.AddGoComments, which eventually calls filepath.Walk
      #22: cmd/jsonschema.go:15:53: cmd.genJSONSchema calls jsonschema.Reflector.AddGoComments, which eventually calls filepath.Walk
      #23: test/scripts/cmd/compilesc/manager.go:133:26: compilesc.parallelActions calls filepath.WalkDir
      #24: test/scripts/cmd/compilesc/manager.go:133:26: compilesc.parallelActions calls filepath.WalkDir

=== Informational ===

Found 1 vulnerability in packages that you import, but there are no
call stacks leading to the use of this vulnerability. There are also 2
vulnerabilities in modules that you require that are neither imported
nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.

Vulnerability #1: GO-2024-2453
    Timing side channel in github.com/cloudflare/circl
  More info: https://pkg.go.dev/vuln/GO-2024-2453
  Module: github.com/cloudflare/circl
    Found in: github.com/cloudflare/circl@v1.3.3
    Fixed in: github.com/cloudflare/circl@v1.3.7

Vulnerability #2: GO-2023-2101
    Incorrect exponentiation results in github.com/consensys/gnark-crypto
  More info: https://pkg.go.dev/vuln/GO-2023-2101
  Module: github.com/consensys/gnark-crypto
    Found in: github.com/consensys/gnark-crypto@v0.10.0
    Fixed in: github.com/consensys/gnark-crypto@v0.12.1

Vulnerability #3: GO-2023-2096
    Signature malleability in github.com/consensys/gnark-crypto
  More info: https://pkg.go.dev/vuln/GO-2023-2096
  Module: github.com/consensys/gnark-crypto
    Found in: github.com/consensys/gnark-crypto@v0.10.0
    Fixed in: github.com/consensys/gnark-crypto@v0.12.0

Your code is affected by 5 vulnerabilities from 2 modules and the Go standard library.

Share feedback at https://go.dev/s/govulncheck-feedback.
