This repository has been archived by the owner on Jul 2, 2024. It is now read-only.

CVE justifications for 5.2.6 #8427

Merged
merged 11 commits into from
Jan 10, 2024
Merged
17 changes: 17 additions & 0 deletions content/departments/security/tooling/trivy/5-2-6.md
@@ -0,0 +1,17 @@
# Accepted CVEs for Sourcegraph 5.2.4

| CVE ID | Affected Images | CVE Severity | CVSS Base Score | [Sourcegraph Assessment](../../../engineering/dev/policies/vulnerability-management-policy.md#severity-levels) | CVSS Environmental Score | Details |
| ------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | --------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/executor, caddy, sourcegraph/bundled-executor, sourcegraph/dind, sourcegraph/executor-kubernetes | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. |
| [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go) | sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor | High | 7.5 | Medium | 5 | We are not vulnerable to 'gRPC-Go HTTP/2 Rapid Reset vulnerability' because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure. |
| [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | caddy | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. |
| [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | caddy, sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. |
| [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | caddy, sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. |

## Known False Positives

Some scanners incorrectly identify false positives in our images:

| Vulnerability ID | Affected Images | Note |
| -------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
| [SNYK-GOLANG-GITHUBCOMCYPHARFILEPATHSECUREJOIN-5889602](https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCYPHARFILEPATHSECUREJOIN-5889602) | sourcegraph/cadvisor | This potential security issue only affects `filepath-securejoin` when used on Windows - all Sourcegraph deployments use Linux |
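Review bot: the heading in the new file reads "Accepted CVEs for Sourcegraph 5.2.4" while the file is 5-2-6.md and the PR is titled "CVE justifications for 5.2.6"; please change it to "# Accepted CVEs for Sourcegraph 5.2.6" so the justification page is not mistaken for the 5.2.4 one. In the GHSA-M425-MQ94-257G row the "Affected Images" cell lists sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor and sourcegraph/bundled-executor twice each; deduplicate the list so it matches the format of the other rows. The same row's Details cell has two typos ("these service" should be "these services", "reacheable" should be "reachable") and its link points at the grpc-go repository rather than the advisory itself, so a reader cannot verify the severity or score; linking the advisory entry (for example the GitHub advisory page for that GHSA id) would keep it consistent with the CVE rows, which all link to a vulnerability record.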
1 change: 1 addition & 0 deletions content/departments/security/tooling/trivy/index.md
Expand Up @@ -118,6 +118,7 @@ or that we have accepted as low risk. You can find more details about these belo

### 5.2

- [5.2.6](./5-2-6.md)
- [5.2.5](./5-2-5.md)
- [5.2.4](./5-2-4.md)
- [5.2.3](./5-2-3.md)