Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: bump transitive dependencies #527

Merged

Conversation

mdelapenya
Copy link
Member

@mdelapenya mdelapenya commented Sep 16, 2022

What does this PR do?

It bumps the following deps to their latest released versions:

  • aws/aws-sdk-go
  • miekg/dns
  • hashicorp/consul/api
  • hashicorp/consul/sdk
  • k8s.io/kubernetes

We have run the following command to detect the vulnerabilities:

go list -json -m all | docker run --rm -i sonatypecommunity/nancy:v1.0.39 sleuth --skip-update-check

It has resolved 2 out of 5 security issues, but not sure how to resolve those 3 packages, as getting the :

pkg:golang/github.com/hashicorp/consul/[email protected]
1 known vulnerabilities affecting installed version 

pkg:golang/github.com/hashicorp/consul/[email protected]
1 known vulnerabilities affecting installed version 

pkg:golang/k8s.io/[email protected]
29 known vulnerabilities affecting installed version

3 Vulnerable Packages

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                       ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━┫
┃ Audited Dependencies    ┃ 416 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━┫
┃ Vulnerable Dependencies ┃ 3   ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━┛

Finally, it's adding a Make goal to scan the dependencies with the above command: make dependencies-scan, which is available to any module via the commons-test.mk file.

Why is it important?

This PR resolves 2 security issues, but there are still 3.

I've observed myself everything what @mwittig commented in #326 (comment), so I'd say that we are stuck on containerd's vulnerabilities.

Related issues

Follow-ups

As a follow-up, and once we are green in terms of dependencies, we could run it in the GH action and force a successful check in order to merge a PR.

@mdelapenya mdelapenya added dependencies Dependencies or external services security Vulnerabilities in dependencies or in the library itself labels Sep 16, 2022
@mdelapenya mdelapenya self-assigned this Sep 16, 2022
@codecov
Copy link

codecov bot commented Sep 16, 2022

Codecov Report

Merging #527 (36d81ce) into main (7d0afb7) will decrease coverage by 0.03%.
The diff coverage is 28.57%.

❗ Current head 36d81ce differs from pull request most recent head b94b442. Consider uploading reports for the commit b94b442 to get more accurate results

@@            Coverage Diff             @@
##             main     #527      +/-   ##
==========================================
- Coverage   68.88%   68.85%   -0.04%     
==========================================
  Files          22       22              
  Lines        2144     2148       +4     
==========================================
+ Hits         1477     1479       +2     
- Misses        528      530       +2     
  Partials      139      139              
Impacted Files Coverage Δ
wait/sql.go 23.07% <16.66%> (-1.93%) ⬇️
compose.go 74.04% <100.00%> (ø)
docker.go 71.03% <0.00%> (+0.20%) ⬆️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@kishaningithub
Copy link

I feel this PR can be converted from draft to an actual PR

e2e/go.mod Outdated Show resolved Hide resolved
* main:
  Add system requirements parent docs page for podman and colima (#562)
  Support for cap-add/cap-drop (#555)
  fix container NetworkMode usage (#560)
  chore: use hashed versions of test-summary action (#556)
  chore: use container.State() function in tests (#543)
  Log docker server info (#548)
  docs: add docs regarding Colima usage (#547)
  chore: add emoji to breaking changes in release drafter (#542)
  chore: add CONTRIBUTING file (#539)
  issue #537 Rename the wait/multi.go file to wait/all.go (#541)
  docs: add a basic layout for wait strategies in docs (#536)
  docs: improve consistency and fix typos (#534)
  chore: do not skip test (#528)
  chore: include test flakiness in the release drafter (#535)
  chore: retire old versions of Go (#530)
* main: (79 commits)
  chore: reduce concurrent builds (testcontainers#702)
  chore: add mysql example (testcontainers#700)
  chore(deps): bump google.golang.org/api from 0.104.0 to 0.105.0 (testcontainers#699)
  chore(deps): bump google.golang.org/api in /examples/firestore (testcontainers#683)
  chore(deps): bump cloud.google.com/go/spanner in /examples/spanner (testcontainers#688)
  chore(deps): bump google.golang.org/api in /examples/pubsub (testcontainers#685)
  chore(deps): bump google.golang.org/api in /examples/spanner (testcontainers#684)
  chore(deps): bump google.golang.org/grpc in /examples/firestore (testcontainers#686)
  chore(deps): bump google.golang.org/api in /examples/bigtable (testcontainers#680)
  chore(deps): bump google.golang.org/api in /examples/datastore (testcontainers#678)
  chore(deps): bump golang.org/x/text from 0.3.7 to 0.5.0 (testcontainers#660)
  chore(deps): bump github.com/magiconair/properties from 1.8.6 to 1.8.7 (testcontainers#677)
  chore: postgres example (testcontainers#674)
  Add bigtable example (testcontainers#676)
  chore(deps): bump github.com/containerd/containerd from 1.6.10 to 1.6.12 (testcontainers#675)
  chore: run go mod tidy in examples (testcontainers#672)
  Improve datastore, firestore, pubsub and spanner tests (testcontainers#670)
  chore: group dependabot updates (testcontainers#668)
  chore: update mkdocs format to go-yaml v3 (testcontainers#667)
  chore: generate dependabot configs for examples (testcontainers#654)
  ...
@mdelapenya
Copy link
Member Author

mdelapenya commented Dec 21, 2022

I resolved conflicts and got this report:

go list -json -m all | docker run --rm -i sonatypecommunity/nancy sleuth --skip-update-check        
Unable to find image 'sonatypecommunity/nancy:latest' locally
latest: Pulling from sonatypecommunity/nancy
070ddc16dc55: Pull complete 
c34c37bc9ec5: Pull complete 
7222bb5c5949: Pull complete 
Digest: sha256:35a17ac931605ea6311a3735f5b939952423f39dda2c828c0d72938851554749
Status: Downloaded newer image for sonatypecommunity/nancy:latest
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
pkg:golang/github.com/jinzhu/[email protected]
1 known vulnerabilities affecting installed version 
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2019-15562] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')                                                                                                     ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ ** DISPUTED ** GORM before 1.9.10 allows SQL injection via incomplete                                                                                                                        ┃
┃                    ┃ parentheses. NOTE: Misusing Gorm by passing untrusted user input where Gorm                                                                                                                  ┃
┃                    ┃ expects trusted SQL fragments is a vulnerability in the application, not in                                                                                                                  ┃
┃                    ┃ Gorm.                                                                                                                                                                                        ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ CVE-2019-15562                                                                                                                                                                               ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 9.8/10 (Critical)                                                                                                                                                                            ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H                                                                                                                                                 ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vulnerability/CVE-2019-15562?component-type=golang&component-name=github.com%2Fjinzhu%2Fgorm&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.42 ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
pkg:golang/k8s.io/[email protected]
1 known vulnerabilities affecting installed version 
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ 1 vulnerability found                                                                            ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ 1 non-CVE vulnerability found. To see more details, please create a free    ┃
┃                    ┃ account at https://ossindex.sonatype.org/ and request for this information  ┃
┃                    ┃ using your registered account                                               ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ sonatype-2022-6522                                                          ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 6.5/10 (Medium)                                                             ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H                                ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vulnerability/sonatype-2022-6522              ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

2 Vulnerable Packages

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                       ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━┫
┃ Audited Dependencies    ┃ 394 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━┫
┃ Vulnerable Dependencies ┃ 2   ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━┛

I believe the gorm dependency issue will disappear with #650, as it's pushed back to the compose module.

OTOH, I ran go mod why for both:

➜ testcontainers-go (bump-transitive-deps-security-concerns) ✗ go mod why github.com/jinzhu/gorm 
go: downloading github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73
go: downloading github.com/lib/pq v1.1.1
# github.com/jinzhu/gorm
github.com/testcontainers/testcontainers-go
github.com/docker/cli/cli/command
github.com/theupdateframework/notary/client
github.com/theupdateframework/notary/client.test
github.com/theupdateframework/notary/server/storage
github.com/jinzhu/gorm
➜ testcontainers-go (bump-transitive-deps-security-concerns) ✗ go mod why k8s.io/apiserver
# k8s.io/apiserver
(main module does not need package k8s.io/apiserver)

which confirms that the gorm dependency was introduced by compose native support. Regarding apiserver, it is not required by the main module, and not sure how it gets into the dependencies, as it's not present at any file, including go.sum.

@kishaningithub because the number of issues has being removed from 23 (as shown in the original #326 issue) to 2 (1 after #650), I'd merge this PR as is, considering done. Wdyt?

@mdelapenya mdelapenya marked this pull request as ready for review December 21, 2022 07:26
@mdelapenya mdelapenya requested a review from a team as a code owner December 21, 2022 07:26
@kishaningithub
Copy link

@mdelapenya Beautiful to see the vulnerabilities go from 23 to 2. Yes IMO this can be merged :-)

@mdelapenya mdelapenya merged commit 574e1ae into testcontainers:main Dec 21, 2022
mdelapenya referenced this pull request in mdelapenya/testcontainers-go Dec 21, 2022
* main:
  chore: bump transitive dependencies (#527)
@mdelapenya mdelapenya deleted the bump-transitive-deps-security-concerns branch December 25, 2022 22:53
mdelapenya referenced this pull request in mdelapenya/testcontainers-go Jan 4, 2023
* main: (44 commits)
  feat: support passing registry credentials to the reaper (testcontainers#647)
  fix: close response body in http strategy (testcontainers#718)
  chore: move e2e module to postgres example module (testcontainers#717)
  chore: bump containerd transitive dep in examples (testcontainers#715)
  chore(deps): bump github.com/containerd/containerd from 1.6.12 to 1.6.14 (testcontainers#703)
  chore(deps): bump github.com/compose-spec/compose-go in /modules/compose (testcontainers#710)
  chore: bump testcontainers-go to 0.17.0 in examples (testcontainers#714)
  chore(deps): bump github.com/docker/compose/v2 in /modules/compose (testcontainers#711)
  chore: support running MySQL compose in ARM (testcontainers#712)
  chore: simplify compose replace directives (testcontainers#713)
  chore: add compose module to dependabot (testcontainers#709)
  chore: move compose code to a separate module (testcontainers#650)
  docs: refine onboarding process with quickstart guide (testcontainers#706)
  chore: move redis-specific tests to the example module (testcontainers#701)
  chore: bump transitive dependencies (#527)
  chore: reduce concurrent builds (testcontainers#702)
  chore: add mysql example (testcontainers#700)
  chore(deps): bump google.golang.org/api from 0.104.0 to 0.105.0 (testcontainers#699)
  chore(deps): bump google.golang.org/api in /examples/firestore (testcontainers#683)
  chore(deps): bump cloud.google.com/go/spanner in /examples/spanner (testcontainers#688)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Dependencies or external services security Vulnerabilities in dependencies or in the library itself
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants