
x/vuln: delay reporting vulnerabilities for N days #56157

Open
adamdecaf opened this issue Oct 11, 2022 · 13 comments
Labels: NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one), UX (Issues that involve UXD/UXR input), vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo)

Comments

@adamdecaf
Contributor

adamdecaf commented Oct 11, 2022

Once a new Go bugfix is released, govulncheck will start to report issues from the standard library if security flaws were fixed in the latest bugfix. This causes a lot of failed builds across a fleet of CI jobs because the underlying machine may not have been upgraded yet. Failing builds for an issue that teams will address but haven't had time to solve yet causes frustration and pushes teams to silence warnings or rush through upgrades.

One option would be to delay reports for a time.Duration value. This would let teams upgrade dependencies and Go versions before seeing failures.

I'm proposing that the govulncheck command accepts a -stability-days N flag where N is a value parsable by time.ParseDuration. The check could read a vulnerability's published field in the OSV format and use the machine's local time for comparison.

Prior art: https://docs.renovatebot.com/configuration-options/#stabilitydays

@adamdecaf adamdecaf added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Oct 11, 2022
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Oct 11, 2022
@julieqiu julieqiu added the UX Issues that involve UXD/UXR input label Oct 12, 2022
@adamdecaf
Contributor Author

I opened https://go-review.googlesource.com/c/vuln/+/442497 to see how this would look in the code. I'm open to a different name if the flag is accepted.

@joedian joedian added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Oct 14, 2022
@zpavlinovic zpavlinovic self-assigned this Oct 17, 2022
@zpavlinovic
Contributor

Thanks for reporting this; we are currently looking into it. One question: is this problem mostly tied to std vulnerabilities, or do you expect similar issues with third-party modules as well?

@adamdecaf
Contributor Author

Initially we saw this with stdlib vulnerabilities, but it would be a similar request to delay when popular libraries are used. At my day job we have enough repositories and commonly used libraries that it can take a couple of days to upgrade even if everyone has it as a high priority.

@zpavlinovic
Contributor

zpavlinovic commented Oct 19, 2022

The solution for this issue falls under an umbrella of suppression mechanisms for govulncheck. We also thank you for raising this issue and implementing a fix, but we believe that a more general suppression option is a better fit for this problem than adding a rather specific flag. We are actively exploring options in this space, but we don't have a timeline or decision yet.

One way to solve this problem is to analyze JSON output and then filter vulnerabilities. OSV entries have the necessary information for this. As a matter of fact, we are actively developing new JSON output that would simplify this.
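As an added example (not code from this issue, the linked CL, or govulncheck itself), this shows how the stability-window check proposed at the top of the thread and the "filter the JSON output" approach suggested here fit together: decode OSV entries, compare each entry's published timestamp against a stability window, and report only entries older than the window. The entry IDs, timestamps and summaries are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// OSVEntry is the subset of an OSV record the check needs; "published" is the
// OSV schema's RFC 3339 publication timestamp.
type OSVEntry struct {
	ID        string    `json:"id"`
	Published time.Time `json:"published"`
	Summary   string    `json:"summary"`
}

// Constructed sample input; the IDs are placeholders, not real Go vulnerability IDs.
const sampleOSV = `[
  {"id": "GO-EXAMPLE-0001", "published": "2022-10-01T15:00:00Z", "summary": "older fix"},
  {"id": "GO-EXAMPLE-0002", "published": "2022-10-10T09:30:00Z", "summary": "just published"},
  {"id": "GO-EXAMPLE-0003", "summary": "entry with no published field"}
]`

// ParseOSV decodes a JSON array of OSV entries.
func ParseOSV(data []byte) ([]OSVEntry, error) {
	var entries []OSVEntry
	err := json.Unmarshal(data, &entries)
	return entries, err
}

// SplitByStability returns entries published before the window as report and
// entries published within it as deferred. An entry with no published timestamp
// is always reported, so a missing field can never hide a finding.
func SplitByStability(entries []OSVEntry, now time.Time, window time.Duration) (report, deferred []OSVEntry) {
	cutoff := now.Add(-window)
	for _, e := range entries {
		if !e.Published.IsZero() && e.Published.After(cutoff) {
			deferred = append(deferred, e)
			continue
		}
		report = append(report, e)
	}
	return report, deferred
}

func main() {
	entries, err := ParseOSV([]byte(sampleOSV))
	if err != nil {
		panic(err)
	}
	now := time.Date(2022, 10, 11, 12, 0, 0, 0, time.UTC) // fixed clock for a reproducible run
	report, deferred := SplitByStability(entries, now, 72*time.Hour) // 3-day stability window
	fmt.Printf("report now: %d, deferred: %d\n", len(report), len(deferred))
}
```

Deferred entries are only postponed, not discarded: once the window passes they fall into the reported set on the next run, so the delay bounds how long a known issue stays quiet.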

@adamdecaf
Contributor Author

Is this proposal still something which could be added to govulncheck? On minor releases of Go, many CI systems run into immediate errors (detecting valid CVEs) but are unable to resolve them until meta-infra is updated. Right now a PR to actions/setup-go is blocking successful builds for many projects, but offering a delay would let the meta-infra be updated.

@gaby

gaby commented Aug 3, 2023

We are currently being affected by this, all our CI pipelines are failing because govulncheck, golang releases, actions/go, actions/setup-go are not synched.

Rel: actions/setup-go#405

@marcosrmendezthd

An option to consider is providing a way to limit the vulnerabilities to releases, not prereleases.

@ldemailly

1.20.7 was released; it's just that it takes a couple of days for image and action providers to update, and meanwhile normal CI/PR/MR runs start failing with no recourse (other than disabling govulncheck).

@zpavlinovic
Contributor

> We are currently being affected by this, all our CI pipelines are failing because govulncheck, golang releases, actions/go, actions/setup-go are not synched.
>
> Rel: actions/setup-go#405

I am not sure what the concrete issue is in your case, but did you take a look at govulncheck-action? You can specify which Go version to use (with another option on the way).

@zpavlinovic
Contributor

While a general suppression mechanism would be ideal, it seems that most of the issues described here would go away with suppression for Go vulnerabilities. Is that fair to say?

If so, could an acceptable solution be part of govulncheck-action?

@marcosrmendezthd

We had the same issue, so we updated our pipelines to find the latest (acceptable) Go release version and pass that to actions/setup-go.

@adamdecaf
Contributor Author

We addressed the problem of recently released stdlib updates (from new Go releases) causing builds to fail by using setup-go with go-version: stable and installing govulncheck in each CI build. This ensures the project and govulncheck are on the same Go release (which can be the new or the old one, depending on the cache) and avoids this error. stable checks for the latest Go release anyway.

@zpavlinovic
Contributor

Thanks for the prompt answers.

If it means anything, govulncheck-action should also install govulncheck on each CI build, and it can be passed the Go version of choice.
