Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

go vulncheck fails on v0.34.x-celestia branch #1210

Open
rootulp opened this issue Feb 2, 2024 · 0 comments
Open

go vulncheck fails on v0.34.x-celestia branch #1210

rootulp opened this issue Feb 2, 2024 · 0 comments

Comments

@rootulp
Copy link
Collaborator

rootulp commented Feb 2, 2024

Problem

$ make vulncheck
Scanning your code and 587 packages across 96 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2024-2466
    Denial of service in github.com/go-git/go-git/v5 and
    gopkg.in/src-d/go-git.v4
  More info: https://pkg.go.dev/vuln/GO-2024-2466
  Module: github.com/go-git/go-git/v5
    Found in: github.com/go-git/go-git/[email protected]
    Fixed in: github.com/go-git/go-git/[email protected]
    Example traces found:
      #1: test/e2e/generator/generate.go:402:36: generator.gitRepoLatestReleaseVersion calls git.PlainOpenWithOptions, which calls filesystem.NewStorage
      #2: test/e2e/generator/generate.go:402:36: generator.gitRepoLatestReleaseVersion calls git.PlainOpenWithOptions
      #3: test/e2e/generator/generate.go:407:30: generator.gitRepoLatestReleaseVersion calls git.Repository.TagObjects

Vulnerability #2: GO-2024-2456
    Path traversal and RCE in github.com/go-git/go-git/v5 and
    gopkg.in/src-d/go-git.v4
  More info: https://pkg.go.dev/vuln/GO-2024-2456
  Module: github.com/go-git/go-git/v5
    Found in: github.com/go-git/go-git/[email protected]
    Fixed in: github.com/go-git/go-git/[email protected]
    Example traces found:
      #1: test/e2e/generator/generate.go:402:36: generator.gitRepoLatestReleaseVersion calls git.PlainOpenWithOptions, which calls filesystem.NewStorage
      #2: test/e2e/generator/generate.go:402:36: generator.gitRepoLatestReleaseVersion calls git.PlainOpenWithOptions
      #3: test/e2e/generator/generate.go:407:30: generator.gitRepoLatestReleaseVersion calls git.Repository.TagObjects

Vulnerability #3: GO-2023-2402
    Man-in-the-middle attacker can compromise integrity of secure channel in
    golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2023-2402
  Module: golang.org/x/crypto
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: libs/os/os.go:110:18: os.CopyFile calls io.Copy, which eventually calls ssh.extChannel.Read

=== Informational ===

There are 2 vulnerabilities in modules that you require that are
neither imported nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.

Vulnerability #1: GO-2024-2453
    Timing side channel in github.com/cloudflare/circl
  More info: https://pkg.go.dev/vuln/GO-2024-2453
  Module: github.com/cloudflare/circl
    Found in: github.com/cloudflare/[email protected]
    Fixed in: github.com/cloudflare/[email protected]

Vulnerability #2: GO-2023-1765
    Leaked shared secret and weak blinding in github.com/cloudflare/circl
  More info: https://pkg.go.dev/vuln/GO-2023-1765
  Module: github.com/cloudflare/circl
    Found in: github.com/cloudflare/[email protected]
    Fixed in: github.com/cloudflare/[email protected]

Your code is affected by 3 vulnerabilities from 2 modules.

Share feedback at https://go.dev/s/govulncheck-feedback.
exit status 3
make: *** [vulncheck] Error 1

Proposal

Upgrade deps to resolve go vulncheck identified issues

@rootulp rootulp changed the title go vulncheck fails on v0.34.x branch go vulncheck fails on v0.34.x-celestia branch Feb 2, 2024
rootulp pushed a commit to rootulp/celestia-core that referenced this issue Sep 20, 2024
* CV OnStop close evidenceStore

* CV OnStop print db close

* CV add changelog

* CV update changelog with attribution

(cherry picked from commit 48335a0)

Co-authored-by: Chill Validation <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant