
CVEs found in Grafana/Oncall:v1.5.1 #4387

Closed
justinhauer opened this issue May 23, 2024 · 8 comments · Fixed by #4495
Labels
bug Something isn't working

Comments

@justinhauer

What went wrong?

What happened:

  • Ran Aqua Security Trivy on your latest container and found several vulnerabilities in Python libraries within the container. Some of the library versions seem very old and should be updated:

Scan Results:

Target image.tar (alpine 3.18.3)

No Vulnerabilities found

No Misconfigurations found

Target Python

Vulnerabilities (15)

| Package | ID | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
| PyMySQL | CVE-2024-36039 | CRITICAL | 1.1.0 | 1.1.1 |
| cryptography | CVE-2023-0286 | HIGH | 38.0.4 | 39.0.1 |
| cryptography | CVE-2023-50782 | HIGH | 38.0.4 | 42.0.0 |
| cryptography | CVE-2024-26130 | HIGH | 38.0.4 | 42.0.4 |
| cryptography | CVE-2023-23931 | MEDIUM | 38.0.4 | 39.0.1 |
| cryptography | CVE-2023-49083 | MEDIUM | 38.0.4 | 41.0.6 |
| cryptography | CVE-2024-0727 | MEDIUM | 38.0.4 | 42.0.2 |
| cryptography | GHSA-5cpq-8wj7-hf2v | LOW | 38.0.4 | 41.0.0 |
| cryptography | GHSA-jm77-qphf-c4w8 | LOW | 38.0.4 | 41.0.3 |
| cryptography | GHSA-v8gr-m533-ghj9 | LOW | 38.0.4 | 41.0.4 |
| idna | CVE-2024-3651 | MEDIUM | 3.6 | 3.7 |
| pip | CVE-2023-5752 | MEDIUM | 23.1.2 | 23.3 |
| sqlparse | CVE-2024-4340 | HIGH | 0.4.4 | 0.5.0 |
| uWSGI | CVE-2023-27522 | HIGH | 2.0.21 | 2.0.22 |
| uWSGI | CVE-2023-27522 | HIGH | 2.0.21 | 2.0.22 |

No Misconfigurations found

What did you expect to happen:

  • The maintainers of the project keep their Python dependency files up to date with every release to ensure consumers of the OSS product aren't taking in CVEs with new releases.

How do we reproduce it?

  1. Open Grafana OnCall and do X
  2. Now click button Y
  3. Wait for the browser to crash. Error message says: "Error..."

Grafana OnCall Version

v1.5.1

Product Area

Other

Grafana OnCall Platform?

Other

User's Browser?

No response

Anything else to add?

Please consider keeping security top of mind. Please run pip upgrade on dependencies so vulnerable libraries are remediated in your next release.

@justinhauer justinhauer added the bug Something isn't working label May 23, 2024
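The scan table above is the kind of output a CI gate can act on. As an added example (not part of this issue or of the Grafana OnCall project), the Python below reads a Trivy JSON report, keeps the findings at or above a chosen severity that actually have a fix (what `--severity` and `--ignore-unfixed` do at the CLI), collapses repeated rows such as the doubled uWSGI entry, and works out the lowest version each package must be pinned to in order to clear all of them (cryptography needs 42.0.4, the highest of its nine fixed versions, not 39.0.1). The embedded report is constructed from the table rows; the field names follow Trivy's JSON output format, and `parse_version` is a deliberately small stand-in for `packaging.version`, both of which are assumptions of this example.

```python
import json
import re
from typing import Dict, List, Tuple

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed input: the rows of the issue's scan table, wrapped in the shape
# `trivy image --format json` emits (Results[].Vulnerabilities[]).
_ROWS = [  # (package, id, severity, installed, fixed)
    ("PyMySQL", "CVE-2024-36039", "CRITICAL", "1.1.0", "1.1.1"),
    ("cryptography", "CVE-2023-0286", "HIGH", "38.0.4", "39.0.1"),
    ("cryptography", "CVE-2023-50782", "HIGH", "38.0.4", "42.0.0"),
    ("cryptography", "CVE-2024-26130", "HIGH", "38.0.4", "42.0.4"),
    ("cryptography", "CVE-2023-23931", "MEDIUM", "38.0.4", "39.0.1"),
    ("cryptography", "CVE-2023-49083", "MEDIUM", "38.0.4", "41.0.6"),
    ("cryptography", "CVE-2024-0727", "MEDIUM", "38.0.4", "42.0.2"),
    ("cryptography", "GHSA-5cpq-8wj7-hf2v", "LOW", "38.0.4", "41.0.0"),
    ("cryptography", "GHSA-jm77-qphf-c4w8", "LOW", "38.0.4", "41.0.3"),
    ("cryptography", "GHSA-v8gr-m533-ghj9", "LOW", "38.0.4", "41.0.4"),
    ("idna", "CVE-2024-3651", "MEDIUM", "3.6", "3.7"),
    ("pip", "CVE-2023-5752", "MEDIUM", "23.1.2", "23.3"),
    ("sqlparse", "CVE-2024-4340", "HIGH", "0.4.4", "0.5.0"),
    ("uWSGI", "CVE-2023-27522", "HIGH", "2.0.21", "2.0.22"),
    ("uWSGI", "CVE-2023-27522", "HIGH", "2.0.21", "2.0.22"),  # repeated, as in the scan
]
SAMPLE_REPORT = json.dumps({"Results": [
    # a clean OS result: Trivy omits the Vulnerabilities key entirely
    {"Target": "image.tar (alpine 3.18.3)", "Class": "os-pkgs", "Type": "alpine"},
    {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
     "Vulnerabilities": [{"PkgName": p, "VulnerabilityID": i, "Severity": s,
                          "InstalledVersion": v, "FixedVersion": f}
                         for p, i, s, v, f in _ROWS]},
]})

def parse_version(v: str) -> Tuple[int, ...]:
    """Release segments as a comparable tuple; trailing zeros are dropped so
    '1.1' == '1.1.0'. Pre/post-release tags are ignored, which is enough for
    fixed-version floors; use packaging.version for full PEP 440 ordering."""
    parts: List[int] = []
    for seg in v.strip().split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_remediated(installed: str, fixed: str) -> bool:
    """True when the installed version is at or past the fixed version."""
    return parse_version(installed) >= parse_version(fixed)

def pick_fix(installed: str, fixed_field: str) -> str:
    """Trivy may list several fixed versions ('39.0.1, 42.0.0') when a fix was
    backported to more than one branch; take the lowest one above installed."""
    candidates = [c.strip() for c in fixed_field.split(",") if c.strip()]
    inst = parse_version(installed)
    above = [c for c in candidates if parse_version(c) > inst]
    return min(above or candidates, key=parse_version)

def fixable_findings(report_json: str, min_severity: str = "HIGH") -> List[dict]:
    """Findings at or above min_severity that have a fix, de-duplicated on
    (package, id): Trivy repeats a CVE when a package is found in two places."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    seen, out = set(), []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            fixed = v.get("FixedVersion") or ""
            if not fixed:
                continue  # same effect as --ignore-unfixed: nothing to bump to yet
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            key = (v["PkgName"], v["VulnerabilityID"])
            if key in seen:
                continue
            seen.add(key)
            out.append({"target": result.get("Target"), "package": v["PkgName"],
                        "id": v["VulnerabilityID"], "severity": v["Severity"],
                        "installed": v["InstalledVersion"],
                        "fixed": pick_fix(v["InstalledVersion"], fixed)})
    return out

def required_upgrades(findings: List[dict]) -> Dict[str, str]:
    """Lowest version per package that clears every listed finding, i.e. the
    highest of that package's fixed versions (cryptography -> 42.0.4)."""
    floors: Dict[str, str] = {}
    for f in findings:
        cur = floors.get(f["package"])
        if cur is None or parse_version(f["fixed"]) > parse_version(cur):
            floors[f["package"]] = f["fixed"]
    return dict(sorted(floors.items()))

def gate(report_json: str, min_severity: str = "HIGH") -> int:
    """CI exit status: 1 if any fixable finding meets the threshold, else 0."""
    return 1 if fixable_findings(report_json, min_severity) else 0

if __name__ == "__main__":
    found = fixable_findings(SAMPLE_REPORT, "HIGH")
    for f in found:
        print(f"{f['severity']:<8} {f['package']:<13} {f['id']:<20} "
              f"{f['installed']} -> {f['fixed']}")
    print("pins needed:", required_upgrades(found))
    raise SystemExit(gate(SAMPLE_REPORT, "HIGH"))
```

Feed it a real report with `trivy image --format json -o report.json grafana/oncall:v1.5.1`. If all you need is pass/fail, `trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 <image>` does that natively; what this script adds is the de-duplication and the per-package floor, which is what actually goes into a requirements pin.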
@justinhauer
Author

Tested on image 1.5.3 and CVEs are still present. What action needs to be taken for someone to upgrade the pip packages for this?

@justinhauer
Author

Hey @joeyorlando, what would it take to have the maintainers update dependencies in your next release? Looks like all these CVEs are present in your newer versions since I initially posted this issue.

@joeyorlando
Contributor

Hey @justinhauer, thanks for bringing this to the team's attention! We'll take a look at this soon 🙂

@justinhauer
Author

justinhauer commented Jun 7, 2024

Thank you @joeyorlando, and the other OnCall contributors, for all the excellent work you do! You are appreciated 🙂

@joeyorlando
Contributor

joeyorlando commented Jun 10, 2024

@justinhauer, do you mind running the scan you ran against the latest version (v1.6.2 as of this writing)? Some of these should be fixed:

Additionally, #4495 should address the uwsgi and cryptography CVEs, as well as the pip one (it looks like Python 3.12.3 bumps pip to 24.0).

I'll go ahead and mark this issue as closed once #4495 is merged, but feel free to open a new issue if there are several HIGH/CRITICAL CVEs once the version containing that change is published.

@justinhauer
Author

@joeyorlando I will scan again tomorrow, if more high or critical CVEs are found I'll put in a new issue since this one is closed. Thanks!

@justinhauer
Author

@joeyorlando, there are still High CVEs unresolved in the 1.7.0 release:
CVE-2024-4340, for the sqlparse library: the fixed version is 0.5.0 and you've got 0.4.4 in the release. https://avd.aquasec.com/nvd/cve-2024-4340

@joeyorlando
Contributor

@justinhauer this will be patched in #4516, thanks for pointing this out!
