Skip to content

x/vuln: Failing in CircleCI (Linux) but not on macos #56855

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ardan-bkennedy opened this issue Nov 20, 2022 · 4 comments
Closed

x/vuln: Failing in CircleCI (Linux) but not on macos #56855

ardan-bkennedy opened this issue Nov 20, 2022 · 4 comments
Labels
FrozenDueToAge vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Milestone
vuln/unplanned

Comments

@ardan-bkennedy
Copy link

What version of Go are you using (go version)?

$ go version
go version go1.19.3 darwin/arm64

On CircleCI using image
wget -O go.tgz https://dl.google.com/go/go1.19.linux-amd64.tar.gz

Does this issue reproduce at the latest version of golang.org/x/vuln?

Yes

What operating system and processor architecture are you using (go env)?

On Circle CI I am using this image they have
ubuntu-2004:202010-01

On my machine this is the Go envirvonment

go env Output
$ go env
GO111MODULE=""
GOARCH="arm64"
GOBIN=""
GOCACHE="/Users/bill/Library/Caches/go-build"
GOENV="/Users/bill/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="arm64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/bill/code/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/bill/code/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_arm64"
GOVCS=""
GOVERSION="go1.19.3"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/bill/code/go/src/github.com/ardanlabs/graphql/go.mod"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/k6/bpxy86ts4yz4796zp3pj6wq00000gn/T/go-build3694668550=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

For this project in GitHub
https://github.com/ardanlabs/ethereum

I ran the following command, both in Linux and on my local Mac machine.
govulncheck ./...

What did you expect to see?

On the mac no issues are reported. When I ran this on Linux in CircleCI I expected the same.

What did you see instead?

go: downloading golang.org/x/vuln v0.0.0-20221116204841-fac3670c993c
go: downloading golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
go: downloading golang.org/x/tools v0.2.1-0.20221108172846-9474ca31d0df
go: downloading golang.org/x/mod v0.6.0
go: downloading golang.org/x/sys v0.1.0
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 4 known vulnerabilities.

Vulnerability #1: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to
  maliciously set environment variables on Windows. In
  syscall.StartProcess and os/exec.Cmd, invalid environment
  variable values containing NUL values are not properly checked
  for. A malicious environment variable value can exploit this
  behavior to set a value for a different environment variable.
  For example, the environment variable string "A=B\x00C=D" sets
  the variables "A=B" and "C=D".

  Call stacks in your code:
      business/web/auth/auth.go:194:18: github.com/ardanlabs/service/business/web/auth.Auth.opaPolicyEvaluation calls github.com/open-policy-agent/opa/rego.Rego.PrepareForEval, which eventually calls os/exec.Cmd.Start
      foundation/docker/docker.go:49:50: github.com/ardanlabs/service/foundation/docker.StopContainer calls os/exec.Cmd.Run
      foundation/docker/docker.go:62:63: github.com/ardanlabs/service/foundation/docker.DumpContainerLogs calls os/exec.Cmd.CombinedOutput

  Found in: os/exec@go1.19
  Fixed in: os/exec@go1.19.3
  More info: https://pkg.go.dev/vuln/GO-2022-1095

Vulnerability #2: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to
  maliciously set environment variables on Windows. In
  syscall.StartProcess and os/exec.Cmd, invalid environment
  variable values containing NUL values are not properly checked
  for. A malicious environment variable value can exploit this
  behavior to set a value for a different environment variable.
  For example, the environment variable string "A=B\x00C=D" sets
  the variables "A=B" and "C=D".

  Call stacks in your code:
      business/web/auth/auth.go:194:18: github.com/ardanlabs/service/business/web/auth.Auth.opaPolicyEvaluation calls github.com/open-policy-agent/opa/rego.Rego.PrepareForEval, which eventually calls syscall.StartProcess

  Found in: syscall@go1.19
  Fixed in: syscall@go1.19.3
  More info: https://pkg.go.dev/vuln/GO-2022-1095

Vulnerability #3: GO-2022-1039
  Programs which compile regular expressions from untrusted
  sources may be vulnerable to memory exhaustion or denial of
  service. The parsed regexp representation is linear in the size
  of the input, but in some cases the constant factor can be as
  high as 40,000, making relatively small regexps consume much
  larger amounts of memory. After fix, each regexp being parsed is
  limited to a 256 MB memory footprint. Regular expressions whose
  representation would use more space than that are rejected.
  Normal use of regular expressions is unaffected.

  Call stacks in your code:
      business/sys/validate/validate.go:51:33: github.com/ardanlabs/service/business/sys/validate.init#1 calls regexp.MustCompile, which eventually calls regexp/syntax.Parse

  Found in: regexp/syntax@go1.19
  Fixed in: regexp/syntax@go1.19.2
  More info: https://pkg.go.dev/vuln/GO-2022-1039

Vulnerability #4: GO-2022-1037
  Reader.Read does not set a limit on the maximum size of file
  headers. A maliciously crafted archive could cause Read to
  allocate unbounded amounts of memory, potentially causing
  resource exhaustion or panics. After fix, Reader.Read limits the
  maximum size of header blocks to 1 MiB.

  Call stacks in your code:
      business/web/auth/auth.go:194:18: github.com/ardanlabs/service/business/web/auth.Auth.opaPolicyEvaluation calls github.com/open-policy-agent/opa/rego.Rego.PrepareForEval, which eventually calls archive/tar.Reader.Next

  Found in: archive/tar@go1.19
  Fixed in: archive/tar@go1.19.2
  More info: https://pkg.go.dev/vuln/GO-2022-1037

Vulnerability #5: GO-2022-0969
  HTTP/2 server connections can hang forever waiting for a clean
  shutdown that was preempted by a fatal error. This condition can
  be exploited by a malicious client to cause a denial of service.

  Call stacks in your code:
      app/services/metrics/publisher/expvar/expvar.go:43:38: github.com/ardanlabs/service/app/services/metrics/publisher/expvar.New$1 calls net/http.Server.ListenAndServe
      app/services/sales-api/main.go:204:32: github.com/ardanlabs/service/app/services/sales-api.run$2 calls net/http.ListenAndServe

  Found in: net/http@go1.19
  Fixed in: net/http@go1.19.1
  More info: https://pkg.go.dev/vuln/GO-2022-0969

=== Informational ===

The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-0988
  JoinPath and URL.JoinPath do not remove ../ path elements
  appended to a relative path. For example,
  JoinPath("https://go.dev", "../go") returns the URL
  "https://go.dev/../go", despite the JoinPath documentation
  stating that ../ path elements are removed from the result.
  Found in: net/url@go1.19
  Fixed in: net/url@go1.19.1
  More info: https://pkg.go.dev/vuln/GO-2022-0988

Exited with code exit status 3
CircleCI received exit code 3
@ardan-bkennedy ardan-bkennedy added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Nov 20, 2022
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Nov 20, 2022
@ardan-bkennedy
Copy link
Author

Just to add more confusion. I used the golang 1.19 docker image and ran the vulnerability tool against the code inside of Docker. It came up with no vulnerabilities. I am super confused why the tooling is finding problems when using the CircelCI ubuntu-2004:202010-01 image they have.

@hyangah
Copy link
Contributor

hyangah commented Nov 21, 2022

Looks like your CircleCI setup uses go1.19 and govulncheck is reporting the vulnerabilities that were fixed in the newer version.

The version of Go on your mac is go1.19.3 which shouldn't have those vulnerabilities.

@ardan-bkennedy
Copy link
Author

Ohh, so if I switch to 1.19.3 or latest 1.19 in circleci then I shouldn't see the issues. Ok cool. Let me try that. Thanks!!

@ardan-bkennedy
Copy link
Author

OMG

Found in: syscall@go1.19
Fixed in: syscall@go1.19.3
More info: https://pkg.go.dev/vuln/GO-2022-1095

I feel like a idiot, sorry. I never saw this or at least read it clearly enough. It ran now with no issues.

@golang golang locked and limited conversation to collaborators Nov 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Projects
None yet
Milestone
vuln/unplanned
Development

No branches or pull requests
3 participants
@ardan-bkennedy @hyangah @gopherbot