GHSA-hgwp-4vp4-qmm2 has no published or compatible non-vulnerable versions

[uhthomas]

google/osv.dev#1084

  proxy | time="2023-03-02T10:45:00Z" level=info msg="proxy starting" commit=a70cda06add871b91a3f6a8d40365a448de324f9
  proxy | 2023/03/02 10:45:00 Listening (:1080)
updater | 2023-03-02T10:45:00.207699789 [617562476:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2023-03-02T10:45:02Z" level=info msg="guest starting" commit=4ae6ef7ddf5013e186fd11c1e502a41a31d5d83c
updater | time="2023-03-02T10:45:02Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=617562476 updater_timeout=45m0s updater_version=f75ae402e788a59667156890f3c8742b220421e2-gomod
updater | I, [2023-03-02T10:45:04.140706 #8]  INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | INFO <job_617562476> Starting job processing
  proxy | 2023/03/02 10:45:05 [002] GET https://github.com:443/uhthomas/renovate20706/info/refs?service=git-upload-pack
  proxy | 2023/03/02 10:45:05 [002] * authenticating git server request (host: github.com)
  proxy | 2023/03/02 10:45:05 [002] 200 https://github.com:443/uhthomas/renovate20706/info/refs?service=git-upload-pack
  proxy | 2023/03/02 10:45:05 [004] POST https://github.com:443/uhthomas/renovate20706/git-upload-pack
  proxy | 2023/03/02 10:45:05 [004] * authenticating git server request (host: github.com)
  proxy | 2023/03/02 10:45:05 [004] 200 https://github.com:443/uhthomas/renovate20706/git-upload-pack
  proxy | 2023/03/02 10:45:05 [006] POST https://github.com:443/uhthomas/renovate20706/git-upload-pack
  proxy | 2023/03/02 10:45:05 [006] * authenticating git server request (host: github.com)
  proxy | 2023/03/02 10:45:05 [006] 200 https://github.com:443/uhthomas/renovate20706/git-upload-pack
updater | INFO <job_617562476> Finished job processing
updater | time="2023-03-02T10:45:06Z" level=info msg="task complete" container_id=job-617562476-file-fetcher exit_code=0 job_id=617562476 step=fetcher
updater | I, [2023-03-02T10:45:07.634492 #7]  INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | INFO <job_617562476> Starting job processing
updater | INFO <job_617562476> Starting update job for uhthomas/renovate20706
  proxy | 2023/03/02 10:45:08 [008] GET https://google.golang.org:443/genproto?go-get=1
  proxy | 2023/03/02 10:45:08 [008] 200 https://google.golang.org:443/genproto?go-get=1
updater | INFO <job_617562476> Checking if github.com/cloudflare/cloudflared 0.0.0-20230302083451-354281fc6a29 needs updating
  proxy | 2023/03/02 10:45:10 [012] GET https://proxy.golang.org:443/github.com/cloudflare/cloudflared/@v/list
  proxy | 2023/03/02 10:45:10 [012] 200 https://proxy.golang.org:443/github.com/cloudflare/cloudflared/@v/list
updater | INFO <job_617562476> Latest version is 0.0.0-20230302083451-354281fc6a29
updater | INFO <job_617562476> Dependabot can't find a published or compatible non-vulnerable version for github.com/cloudflare/cloudflared. The latest available version is 0.0.0-20230302083451-354281fc6a29
updater | INFO <job_617562476> Finished job processing
updater | INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | time="2023-03-02T10:45:11Z" level=info msg="task complete" container_id=job-617562476-updater exit_code=0 job_id=617562476 step=updater

[rarkins]

As this refers to the Go ecosystem, it shoudl be something like fixed: v0.0.0-20200820-9323844. Any releases sorting after that should be non-vulnerable.

I believe this was the tag it was fixed in: cloudflare/cloudflared@9323844

[shelbyc]

@uhthomas I just tried putting the pseudoversion in the advisory. What does the alert page look like now?

[uhthomas]

Cool! The Dependabot warning is gone and Renovate has closed the incorrect security fix PR.

uhthomas/renovate20706#4, replaced instead with a normal dependency update PR uhthomas/renovate20706#5.

[uhthomas]

As a sanity check, I downgraded the dependency to a known vulnerable version and the security warning came back as expected.

[uhthomas]

Though, Dependabot still isn't happy about something it seems.

  proxy | time="2023-03-02T22:07:44Z" level=info msg="proxy starting" commit=a70cda06add871b91a3f6a8d40365a448de324f9
  proxy | 2023/03/02 22:07:44 Listening (:1080)
updater | 2023-03-02T22:07:44.826920763 [617990696:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2023-03-02T22:07:48Z" level=info msg="guest starting" commit=4ae6ef7ddf5013e186fd11c1e502a41a31d5d83c
updater | time="2023-03-02T22:07:48Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=617990696 updater_timeout=45m0s updater_version=b9aea0dd92aaa11a4c73d95a57d26990b0fc5bd4-gomod
updater | I, [2023-03-02T22:07:51.574673 #6]  INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | INFO <job_617990696> Starting job processing
  proxy | 2023/03/02 22:07:53 [002] GET https://github.com:443/uhthomas/renovate20706/info/refs?service=git-upload-pack
  proxy | 2023/03/02 22:07:53 [002] * authenticating git server request (host: github.com)
  proxy | 2023/03/02 22:07:53 [002] 200 https://github.com:443/uhthomas/renovate20706/info/refs?service=git-upload-pack
  proxy | 2023/03/02 22:07:53 [004] POST https://github.com:443/uhthomas/renovate20706/git-upload-pack
  proxy | 2023/03/02 22:07:53 [004] * authenticating git server request (host: github.com)
  proxy | 2023/03/02 22:07:53 [004] 200 https://github.com:443/uhthomas/renovate20706/git-upload-pack
  proxy | 2023/03/02 22:07:53 [006] POST https://github.com:443/uhthomas/renovate20706/git-upload-pack
  proxy | 2023/03/02 22:07:53 [006] * authenticating git server request (host: github.com)
  proxy | 2023/03/02 22:07:53 [006] 200 https://github.com:443/uhthomas/renovate20706/git-upload-pack
updater | INFO <job_617990696> Finished job processing
updater | time="2023-03-02T22:07:54Z" level=info msg="task complete" container_id=job-617990696-file-fetcher exit_code=0 job_id=617990696 step=fetcher
updater | I, [2023-03-02T22:07:55.969757 #7]  INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | INFO <job_617990696> Starting job processing
updater | INFO <job_617990696> Starting update job for uhthomas/renovate20706
  proxy | 2023/03/02 22:07:56 [010] GET https://google.golang.org:443/genproto?go-get=1
  proxy | 2023/03/02 22:07:57 [010] 200 https://google.golang.org:443/genproto?go-get=1
updater | INFO <job_617990696> Checking if github.com/cloudflare/cloudflared 0.0.0-20200630175554-dbe351620448 needs updating
  proxy | 2023/03/02 22:07:57 [014] GET https://proxy.golang.org:443/github.com/cloudflare/cloudflared/@v/list
  proxy | 2023/03/02 22:07:57 [014] 200 https://proxy.golang.org:443/github.com/cloudflare/cloudflared/@v/list
updater | INFO <job_617990696> Latest version is 0.0.0-20200630175554-dbe351620448
updater | INFO <job_617990696> Dependabot can't find a published or compatible non-vulnerable version for github.com/cloudflare/cloudflared. The latest available version is 0.0.0-20200630175554-dbe351620448
updater | INFO <job_617990696> Finished job processing
updater | INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +---------------------------------------------------------------+
updater | |                 Dependencies failed to update                 |
updater | +-----------------------------------+---------------------------+
updater | | github.com/cloudflare/cloudflared | security_update_not_found |
updater | +-----------------------------------+---------------------------+
updater | time="2023-03-02T22:07:58Z" level=info msg="task complete" container_id=job-617990696-updater exit_code=0 job_id=617990696 step=updater

It seems like some strange behaviour with how Dependabot finds dependency versions as Renovate seems able to manage.

[mctofu]

For go modules, Dependabot only supports updates using semver versions that are compatible with go modules. This is how we'd find the available versions:

% go list -m -versions github.com/cloudflare/cloudflared
github.com/cloudflare/cloudflared

% go list -m -versions github.com/coredns/coredns       
github.com/coredns/coredns v0.9.9 v0.9.10 v1.0.0 v1.0.1 v1.0.2 v1.0.3 v1.0.4 v1.0.5 v1.0.6 v1.1.0 v1.1.1 v1.1.2 v1.1.3 v1.1.4 v1.2.0 v1.2.1 v1.2.2 v1.2.3 v1.2.4 v1.2.5 v1.2.6 v1.3.0 v1.3.1 v1.4.0 v1.5.0 v1.5.1 v1.5.2 v1.6.0 v1.6.1 v1.6.2 v1.6.3 v1.6.4 v1.6.5 v1.6.6 v1.6.7 v1.6.8 v1.6.9 v1.7.0 v1.7.1 v1.8.0 v1.8.1 v1.8.2 v1.8.3 v1.8.4 v1.8.5 v1.8.6 v1.8.7 v1.9.0 v1.9.1 v1.9.2 v1.9.3 v1.9.4 v1.10.0 v1.10.1

cloudflared returns no results. While cloudflared is tagging their repo with semver-ish versions like 2020.8.1 these aren't compatible with go modules because it doesn't follow the major version rules.

It could be possible to allow Dependabot to try updating a later commit instead but may not be worth the effort to support non-conforming modules. I'm not sure this module is intended to be used as a dependency based on their versioning scheme.

[uhthomas]

FWIW it is intended to be used as a dependency. We do so for some projects internally. I think we agree the versioning scheme is weird and I believe the authors are interested in using a more compliant semver scheme at some point.

[mctofu]

Just following up from the dependabot-updates end. We don't intend to support the non-conforming versioning scheme used by github.com/cloudflare/cloudflared so this is expected behavior for update attempts. If the library switches to a scheme that returns results from the go list -m -versions command then updates will work.

[uhthomas]

Just following up from the dependabot-updates end. We don't intend to support the non-conforming versioning scheme used by github.com/cloudflare/cloudflared so this is expected behavior for update attempts. If the library switches to a scheme that returns results from the go list -m -versions command then updates will work.

Pseudo versions like we provided to fix the issue should continue to work though, right?

[mctofu]

Pseudo versions like we provided to fix the issue should continue to work though, right?

Yup, they'll work for Dependabot alerting & it's the correct way to list them in the advisory as that's how the versions are captured in the go.mod (ignoring the invalid version and capturing the commit info instead). We just won't be able to create fix PRs which is a problem with github.com/cloudflare/cloudflared and not the advisory. We can create a PR that gets you from a vulnerable psuedo version to a fixed non-psudeo version but we won't update from psuedo version to another psuedo version as the go list -m versions command doesn't return psuedo versions.