Go vulnerability check failed #27

Description

@oxf71
 git rev-parse --short=7 HEAD
bd1db00
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
Scanning your code and 804 packages across 141 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2024-2466
    Denial of service in github.com/go-git/go-git/v5 and
    gopkg.in/src-d/go-git.v4
  More info: https://pkg.go.dev/vuln/GO-2024-2466
  Module: github.com/go-git/go-git/v5
    Found in: github.com/go-git/go-git/v5@v5.10.0
    Fixed in: github.com/go-git/go-git/v5@v5.11.0
    Example traces found:
      #1: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls config.Branch.Validate
      #2: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone
      #3: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls config.Config.Validate
      #4: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.ConfigStorage.Config
      #5: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.ConfigStorage.SetConfig
      #6: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls dotgit.DotGit.Alternates
      #7: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.ModuleStorage.Module
      #8: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.NewStorage
      #9: etherman/etherman.go:1097:83: etherman.Client.GetL1GasPrice calls git.NoMatchingRefSpecError.Error
      #10: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.ObjectStorage.EncodedObject
      #11: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls config.ReadConfig
      #12: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls config.RemoteConfig.Validate

Vulnerability #2: GO-2024-2456
    Path traversal and RCE in github.com/go-git/go-git/v5 and
    gopkg.in/src-d/go-git.v4
  More info: https://pkg.go.dev/vuln/GO-2024-2456
  Module: github.com/go-git/go-git/v5
    Found in: github.com/go-git/go-git/v5@v5.10.0
    Fixed in: github.com/go-git/go-git/v5@v5.11.0
    Example traces found:
      #1: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls config.Branch.Validate
      #2: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone
      #3: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls config.Config.Validate
      #4: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.ConfigStorage.Config
      #5: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.ConfigStorage.SetConfig
      #6: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls dotgit.DotGit.Alternates
      #7: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.ModuleStorage.Module
      #8: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.NewStorage
      #9: etherman/etherman.go:1097:83: etherman.Client.GetL1GasPrice calls git.NoMatchingRefSpecError.Error
      #10: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filesystem.ObjectStorage.EncodedObject
      #11: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls config.ReadConfig
      #12: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls config.RemoteConfig.Validate

Vulnerability #3: GO-2023-2402
    Man-in-the-middle attacker can compromise integrity of secure channel in
    golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2023-2402
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.14.0
    Fixed in: golang.org/x/crypto@v0.17.0
    Example traces found:
      #1: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls ssh.Client.NewSession
      #2: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls ssh.NewClient
      #3: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls ssh.NewClientConn
      #4: test/operations/wait.go:210:25: operations.NodeUpCondition calls io.ReadAll, which eventually calls ssh.Session.Close
      #5: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls ssh.Session.Start
      #6: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls ssh.channel.Close
      #7: test/scripts/cmd/compilesc/manager.go:225:14: compilesc.Manager.Abigen calls exec.Cmd.Run, which eventually calls ssh.channel.CloseWrite
      #8: test/operations/wait.go:210:25: operations.NodeUpCondition calls io.ReadAll, which eventually calls ssh.channel.Read
      #9: jsonrpc/client/client.go:103:2: client.JSONRPCBatchCall calls http.body.Close, which eventually calls ssh.channel.Write
      #10: test/operations/wait.go:210:25: operations.NodeUpCondition calls io.ReadAll, which eventually calls ssh.extChannel.Read
      #11: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls ssh.sessionStdin.Close

Vulnerability #4: GO-2023-2382
    Denial of service via chunk extensions in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-2382
  Standard library
    Found in: net/http/internal@go1.21.4
    Fixed in: net/http/internal@go1.21.5
    Example traces found:
      #1: test/operations/wait.go:210:25: operations.NodeUpCondition calls io.ReadAll, which eventually calls internal.chunkedReader.Read

Vulnerability #5: GO-2023-2185
    Insecure parsing of Windows paths with a \??\ prefix in path/filepath
  More info: https://pkg.go.dev/vuln/GO-2023-2185
  Standard library
    Found in: path/filepath@go1.21.4
    Fixed in: path/filepath@go1.21.5
    Platforms: windows
    Example traces found:
      #1: test/scripts/cmd/compilesc/manager.go:225:14: compilesc.Manager.Abigen calls exec.Cmd.Run, which eventually calls filepath.Abs
      #2: test/scripts/cmd/compilesc/manager.go:225:14: compilesc.Manager.Abigen calls exec.Cmd.Run, which eventually calls filepath.Abs
      #3: test/vectors/statetransition_v2.go:32:55: vectors.LoadStateTransitionTestCaseV2 calls filepath.Base
      #4: test/vectors/statetransition_v2.go:32:55: vectors.LoadStateTransitionTestCaseV2 calls filepath.Base
      #5: test/scripts/cmd/dependencies/github.go:205:39: dependencies.AdapterFs.RemoveAll calls filepath.Clean
      #6: test/scripts/cmd/dependencies/github.go:205:39: dependencies.AdapterFs.RemoveAll calls filepath.Clean
      #7: test/operations/manager.go:546:22: operations.runCmd calls filepath.Dir
      #8: test/operations/manager.go:546:22: operations.runCmd calls filepath.Dir
      #9: state/state.go:45:9: state.NewState calls sync.Once.Do, which eventually calls filepath.EvalSymlinks
      #10: state/state.go:45:9: state.NewState calls sync.Once.Do, which eventually calls filepath.EvalSymlinks
      #11: state/state.go:45:9: state.NewState calls sync.Once.Do, which eventually calls filepath.Glob
      #12: state/state.go:45:9: state.NewState calls sync.Once.Do, which eventually calls filepath.Glob
      #13: test/scripts/cmd/dependencies/github.go:200:22: dependencies.AdapterFs.Join calls filepath.Join
      #14: test/scripts/cmd/dependencies/github.go:200:22: dependencies.AdapterFs.Join calls filepath.Join
      #15: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filepath.Rel
      #16: test/scripts/cmd/dependencies/github.go:56:20: dependencies.githubManager.cloneTargetRepo calls git.Clone, which eventually calls filepath.Rel
      #17: config/config.go:146:38: config.Load calls filepath.Split
      #18: config/config.go:146:38: config.Load calls filepath.Split
      #19: test/scripts/cmd/compilesc/manager.go:225:14: compilesc.Manager.Abigen calls exec.Cmd.Run, which eventually calls filepath.VolumeName
      #20: test/scripts/cmd/compilesc/manager.go:225:14: compilesc.Manager.Abigen calls exec.Cmd.Run, which eventually calls filepath.VolumeName
      #21: cmd/jsonschema.go:15:53: cmd.genJSONSchema calls jsonschema.Reflector.AddGoComments, which eventually calls filepath.Walk
      #22: cmd/jsonschema.go:15:53: cmd.genJSONSchema calls jsonschema.Reflector.AddGoComments, which eventually calls filepath.Walk
      #23: test/scripts/cmd/compilesc/manager.go:133:26: compilesc.parallelActions calls filepath.WalkDir
      #24: test/scripts/cmd/compilesc/manager.go:133:26: compilesc.parallelActions calls filepath.WalkDir

=== Informational ===

Found 1 vulnerability in packages that you import, but there are no
call stacks leading to the use of this vulnerability. There are also 2
vulnerabilities in modules that you require that are neither imported
nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.

Vulnerability #1: GO-2024-2453
    Timing side channel in github.com/cloudflare/circl
  More info: https://pkg.go.dev/vuln/GO-2024-2453
  Module: github.com/cloudflare/circl
    Found in: github.com/cloudflare/circl@v1.3.3
    Fixed in: github.com/cloudflare/circl@v1.3.7

Vulnerability #2: GO-2023-2101
    Incorrect exponentiation results in github.com/consensys/gnark-crypto
  More info: https://pkg.go.dev/vuln/GO-2023-2101
  Module: github.com/consensys/gnark-crypto
    Found in: github.com/consensys/gnark-crypto@v0.10.0
    Fixed in: github.com/consensys/gnark-crypto@v0.12.1

Vulnerability #3: GO-2023-2096
    Signature malleability in github.com/consensys/gnark-crypto
  More info: https://pkg.go.dev/vuln/GO-2023-2096
  Module: github.com/consensys/gnark-crypto
    Found in: github.com/consensys/gnark-crypto@v0.10.0
    Fixed in: github.com/consensys/gnark-crypto@v0.12.0

Your code is affected by 5 vulnerabilities from 2 modules and the Go standard library.

Share feedback at https://go.dev/s/govulncheck-feedback.