$ make vulncheck
Scanning your code and 587 packages across 96 dependent modules for known vulnerabilities...
Vulnerability #1: GO-2024-2466
Denial of service in github.com/go-git/go-git/v5 and
gopkg.in/src-d/go-git.v4
More info: https://pkg.go.dev/vuln/GO-2024-2466
Module: github.com/go-git/go-git/v5
Found in: github.com/go-git/go-git/v5@v5.6.1
Fixed in: github.com/go-git/go-git/v5@v5.11.0
Example traces found:
#1: test/e2e/generator/generate.go:402:36: generator.gitRepoLatestReleaseVersion calls git.PlainOpenWithOptions, which calls filesystem.NewStorage
#2: test/e2e/generator/generate.go:402:36: generator.gitRepoLatestReleaseVersion calls git.PlainOpenWithOptions
#3: test/e2e/generator/generate.go:407:30: generator.gitRepoLatestReleaseVersion calls git.Repository.TagObjects
Vulnerability #2: GO-2024-2456
Path traversal and RCE in github.com/go-git/go-git/v5 and
gopkg.in/src-d/go-git.v4
More info: https://pkg.go.dev/vuln/GO-2024-2456
Module: github.com/go-git/go-git/v5
Found in: github.com/go-git/go-git/v5@v5.6.1
Fixed in: github.com/go-git/go-git/v5@v5.11.0
Example traces found:
#1: test/e2e/generator/generate.go:402:36: generator.gitRepoLatestReleaseVersion calls git.PlainOpenWithOptions, which calls filesystem.NewStorage
#2: test/e2e/generator/generate.go:402:36: generator.gitRepoLatestReleaseVersion calls git.PlainOpenWithOptions
#3: test/e2e/generator/generate.go:407:30: generator.gitRepoLatestReleaseVersion calls git.Repository.TagObjects
Vulnerability #3: GO-2023-2402
Man-in-the-middle attacker can compromise integrity of secure channel in
golang.org/x/crypto
More info: https://pkg.go.dev/vuln/GO-2023-2402
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.14.0
Fixed in: golang.org/x/crypto@v0.17.0
Example traces found:
#1: libs/os/os.go:110:18: os.CopyFile calls io.Copy, which eventually calls ssh.extChannel.Read
=== Informational ===
There are 2 vulnerabilities in modules that you require that are
neither imported nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
Vulnerability #1: GO-2024-2453
Timing side channel in github.com/cloudflare/circl
More info: https://pkg.go.dev/vuln/GO-2024-2453
Module: github.com/cloudflare/circl
Found in: github.com/cloudflare/circl@v1.3.1
Fixed in: github.com/cloudflare/circl@v1.3.7
Vulnerability #2: GO-2023-1765
Leaked shared secret and weak blinding in github.com/cloudflare/circl
More info: https://pkg.go.dev/vuln/GO-2023-1765
Module: github.com/cloudflare/circl
Found in: github.com/cloudflare/circl@v1.3.1
Fixed in: github.com/cloudflare/circl@v1.3.3
Your code is affected by 3 vulnerabilities from 2 modules.
Share feedback at https://go.dev/s/govulncheck-feedback.
exit status 3
make: *** [vulncheck] Error 1
Proposal
Upgrade deps to resolve go vulncheck identified issues
rootulp changed the title from "go vulncheck fails on v0.34.x branch" to "go vulncheck fails on v0.34.x-celestia branch" on Feb 2, 2024
rootulp pushed a commit to rootulp/celestia-core that referenced this issue on Sep 20, 2024