Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add labels for an image containing chronicle v0.4.2 #29

Open
westonsteimel opened this issue Jan 20, 2023 · 1 comment
Open

Add labels for an image containing chronicle v0.4.2 #29

westonsteimel opened this issue Jan 20, 2023 · 1 comment

Comments

@westonsteimel
Copy link
Contributor

This will illustrate some nice false positives in go based on the vulnerable functions not being called. We use govulncheck to get the following:

Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.

=== Informational ===

The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-0968
  Unauthenticated clients can cause a panic in SSH servers. When
  using AES-GCM or ChaCha20Poly1305, consuming a malformed packet
  which contains an empty plaintext causes a panic.
  Found in: golang.org/x/crypto/[email protected]
  Fixed in: golang.org/x/crypto/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0968

Vulnerability #2: GO-2022-0493
  When called with a non-zero flags parameter, the Faccessat
  function can incorrectly report that a file is accessible.
  Found in: golang.org/x/sys/[email protected]
  Fixed in: golang.org/x/sys/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0493

Vulnerability #3: GO-2021-0356
  Attackers can cause a crash in SSH servers when the server has
  been configured by passing a Signer to ServerConfig.AddHostKey
  such that 1) the Signer passed to AddHostKey does not implement
  AlgorithmSigner, and 2) the Signer passed to AddHostKey returns
  a key of type “ssh-rsa” from its PublicKey method. Servers
  that only use Signer implementations provided by the ssh package
  are unaffected.
  Found in: golang.org/x/crypto/[email protected]
  Fixed in: golang.org/x/crypto/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2021-0356

So from that all of the following should be added as FP's:

And the standard protobuf ones:

google.golang.org/protobuf  v1.26.0              go-module  CVE-2015-5237   High
google.golang.org/protobuf  v1.26.0              go-module  CVE-2021-22570  Medium
@wagoodman wagoodman added the enhancement New feature or request label Jun 27, 2023
@wagoodman wagoodman added enhancement New feature or request and removed enhancement New feature or request labels Jun 27, 2023
@wagoodman
Copy link
Contributor

sorry for the noise, I was testing some automation around adding issues automatically to the OSS project board

@wagoodman wagoodman removed the enhancement New feature or request label Jun 27, 2023
@wagoodman wagoodman removed this from OSS Jul 27, 2023
@wagoodman wagoodman added this to OSS Feb 7, 2024
@wagoodman wagoodman moved this to Ready in OSS Feb 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
OSS
Status: Ready
Milestone
No milestone
Development

No branches or pull requests
2 participants
@wagoodman @westonsteimel