govulncheck finds several dependencies with known vulnerabilities

[elchenberg]

Describe the bug

I used govulncheck to scan this repository for vulnerabilities:

Your code is affected by 17 vulnerabilities from 6 modules.

Affected modules:

• github.com/containerd/containerd
• github.com/moby/moby
• github.com/opencontainers/runc
• golang.org/x/crypto
• golang.org/x/net
• gopkg.in/src-d/go-git.v4

Vulnerabilities:

• severity critical: GO-2024-2456 / CVE-2023-49569
• severity high: GO-2022-0278 / CVE-2021-43816
• severity high: GO-2022-0344 / CVE-2022-23648
• severity high: GO-2023-1571 / CVE-2022-41723
• severity high: GO-2023-1627 / CVE-2023-27561
• severity high: GO-2024-2466 / CVE-2023-49568
• severity moderate: GO-2022-0390 / CVE-2022-24769
• severity moderate: GO-2022-0452 / CVE-2022-29162
• severity moderate: GO-2022-0482 / CVE-2022-31030
• severity moderate: GO-2022-1147 / CVE-2022-23471
• severity moderate: GO-2023-1683 / CVE-2023-28642
• severity moderate: GO-2023-2402 / CVE-2023-48795
• severity moderate: GO-2024-2687 / CVE-2023-45288
• severity moderate: GO-2024-2914 / CVE-2021-41190
• severity low: GO-2022-0360
• severity low: GO-2023-1682 / CVE-2023-25809
• severity low: GO-2024-3110 / CVE-2024-45310

Additional context

My Go version is 1.23.1. This is the command that I used for the scan:

go install golang.org/x/vuln/cmd/govulncheck@latest; govulncheck ./...

Logs

govulncheck output

=== Symbol Results ===

Vulnerability #1: GO-2024-3110
    runc can be confused to create empty files/directories on the host in
    github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2024-3110
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #2: GO-2024-2914
    Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing in
    github.com/docker/docker
  More info: https://pkg.go.dev/vuln/GO-2024-2914
  Module: github.com/moby/moby
    Found in: github.com/moby/[email protected]+incompatible
    Fixed in: N/A
    Example traces found:
      #1: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls blkiodev.init
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls container.init
      #3: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls errdefs.init
      [...]

Vulnerability #3: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: pkg/kubernetes/clients.go:25:26: kubernetes.NewCoreV1Client calls core.NewForConfig, which eventually calls http2.ConfigureTransports
      #2: cmd/root.go:32:24: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.ConnectionError.Error
      #3: main.go:17:28: seiso.main calls fmt.Sprintf, which eventually calls http2.ErrCode.String
      [...]

Vulnerability #4: GO-2024-2466
    Denial of service in github.com/go-git/go-git/v5 and
    gopkg.in/src-d/go-git.v4
  More info: https://pkg.go.dev/vuln/GO-2024-2466
  Module: gopkg.in/src-d/go-git.v4
    Found in: gopkg.in/src-d/[email protected]
    Fixed in: N/A
    Example traces found:
      #1: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadHash
      #2: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadUint32
      #3: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadVariableWidthInt
      [...]

Vulnerability #5: GO-2024-2456
    Path traversal and RCE in github.com/go-git/go-git/v5 and
    gopkg.in/src-d/go-git.v4
  More info: https://pkg.go.dev/vuln/GO-2024-2456
  Module: gopkg.in/src-d/go-git.v4
    Found in: gopkg.in/src-d/[email protected]
    Fixed in: N/A
    Example traces found:
      #1: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadHash
      #2: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadUint32
      #3: pkg/git/git.go:29:33: git.GetCommitHashes calls object.commitIteratorByCTime.Next, which eventually calls binary.ReadVariableWidthInt
      [...]

Vulnerability #6: GO-2023-2402
    Man-in-the-middle attacker can compromise integrity of secure channel in
    golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2023-2402
  Module: golang.org/x/crypto
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: pkg/namespace/checker_helm.go:38:33: namespace.HelmChecker.NonEmptyNamespaces calls action.List.Run, which eventually calls ssh.extChannel.Read

Vulnerability #7: GO-2023-1683
    runc AppArmor bypass with symlinked /proc in github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2023-1683
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #8: GO-2023-1682
    rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
    in github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2023-1682
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #9: GO-2023-1627
    Opencontainers runc Incorrect Authorization vulnerability in
    github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2023-1627
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #10: GO-2023-1571
    Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2023-1571
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls hpack.Decoder.Write
      #2: pkg/kubernetes/clients.go:25:26: kubernetes.NewCoreV1Client calls core.NewForConfig, which eventually calls http2.ConfigureTransports
      #3: cmd/root.go:32:24: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.ConnectionError.Error
      [...]

Vulnerability #11: GO-2022-1147
    containerd CRI stream server vulnerable to host memory exhaustion via
    terminal in github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-1147
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/[email protected]
    Fixed in: github.com/containerd/[email protected]
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Vulnerability #12: GO-2022-0482
    containerd CRI plugin: Host memory exhaustion through ExecSync in
    github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-0482
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/[email protected]
    Fixed in: github.com/containerd/[email protected]
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Vulnerability #13: GO-2022-0452
    Default inheritable capabilities for linux container should be empty in
    github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2022-0452
  Module: github.com/opencontainers/runc
    Found in: github.com/opencontainers/[email protected]
    Fixed in: github.com/opencontainers/[email protected]
    Example traces found:
      #1: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls user.CurrentUser
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls user.init

Vulnerability #14: GO-2022-0390
    Moby (Docker Engine) started with non-empty inheritable Linux process
    capabilities in github.com/docker/docker
  More info: https://pkg.go.dev/vuln/GO-2022-0390
  Module: github.com/moby/moby
    Found in: github.com/moby/[email protected]+incompatible
    Fixed in: N/A
    Example traces found:
      #1: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls blkiodev.init
      #2: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls container.init
      #3: pkg/namespace/checker_helm.go:8:2: namespace.init calls action.init, which eventually calls errdefs.init
      [...]

Vulnerability #15: GO-2022-0360
    Ambiguous OCI manifest parsing in github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-0360
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/[email protected]
    Fixed in: github.com/containerd/[email protected]
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Vulnerability #16: GO-2022-0344
    containerd CRI plugin: Insecure handling of image volumes in
    github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-0344
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/[email protected]
    Fixed in: github.com/containerd/[email protected]
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Vulnerability #17: GO-2022-0278
    Unprivileged pod using `hostPath` can side-step active LSM when it is
    SELinux in github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2022-0278
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/[email protected]
    Fixed in: github.com/containerd/[email protected]
    Example traces found:
      #1: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchToken
      #2: pkg/kubernetes/util.go:36:74: kubernetes.kubernetesImpl.ResourceContains calls dynamic.dynamicResourceClient.List, which eventually calls auth.FetchTokenWithOAuth
      #3: pkg/namespace/checker_helm.go:30:31: namespace.HelmChecker.NonEmptyNamespaces calls action.Configuration.Init, which eventually calls auth.byScheme.Len
      [...]

Your code is affected by 17 vulnerabilities from 6 modules.
This scan also found 16 vulnerabilities in packages you import and 20
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.

Expected behavior

Zero known vulnerabilities but more realistically: Zero known vulnerabilities of critical and high severity.

To Reproduce

Steps to reproduce the behavior:

cd $(mktemp -d)
git clone --depth 1 https://github.com/appuio/seiso.git .
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...

[elchenberg]

By the way: I do not know if bug is the correct label. The other option was feature and this does not fit either. 😅