Vulnerability in a Go pkg

[jjngx]

Describe the bug

➜  nginx-supportpkg-for-k8s git:(main) ✗ govulncheck -show verbose ./...
Scanning your code and 946 packages across 138 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: pkg/data_collector/data_collector.go:93:50: data_collector.NewDataCollector calls kubernetes.NewForConfig, which eventually calls http2.ConfigureTransports
      #2: cmd/nginx-supportpkg.go:96:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.ConnectionError.Error
      #3: pkg/data_collector/data_collector.go:110:28: data_collector.DataCollector.WrapUp calls fmt.Sprintf, which eventually calls http2.ErrCode.String
      #4: pkg/data_collector/data_collector.go:110:28: data_collector.DataCollector.WrapUp calls fmt.Sprintf, which eventually calls http2.FrameHeader.String
      #5: pkg/data_collector/data_collector.go:110:28: data_collector.DataCollector.WrapUp calls fmt.Sprintf, which eventually calls http2.FrameType.String
      #6: cmd/nginx-supportpkg.go:96:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.GoAwayError.Error
      #7: pkg/data_collector/data_collector.go:110:28: data_collector.DataCollector.WrapUp calls fmt.Sprintf, which eventually calls http2.Setting.String
      #8: pkg/data_collector/data_collector.go:110:28: data_collector.DataCollector.WrapUp calls fmt.Sprintf, which eventually calls http2.SettingID.String
      #9: cmd/nginx-supportpkg.go:96:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.StreamError.Error
      #10: pkg/data_collector/data_collector.go:251:5: data_collector.DataCollector.QueryCRD calls rest.Request.Do, which eventually calls http2.Transport.NewClientConn
      #11: pkg/data_collector/data_collector.go:251:5: data_collector.DataCollector.QueryCRD calls rest.Request.Do, which eventually calls http2.Transport.RoundTrip
      #12: pkg/data_collector/data_collector.go:262:14: data_collector.DataCollector.AllNamespacesExist calls fmt.Printf, which eventually calls http2.chunkWriter.Write
      #13: cmd/nginx-supportpkg.go:96:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.connError.Error
      #14: cmd/nginx-supportpkg.go:96:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.duplicatePseudoHeaderError.Error
      #15: pkg/jobs/nic_job_list.go:80:22: jobs.NICJobList calls http2.gzipReader.Close
      #16: pkg/jobs/nic_job_list.go:74:26: jobs.NICJobList calls io.Copy, which eventually calls http2.gzipReader.Read
      #17: cmd/nginx-supportpkg.go:96:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.headerFieldNameError.Error
      #18: cmd/nginx-supportpkg.go:96:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.headerFieldValueError.Error
      #19: pkg/data_collector/data_collector.go:251:5: data_collector.DataCollector.QueryCRD calls rest.Request.Do, which eventually calls http2.noDialH2RoundTripper.RoundTrip
      #20: cmd/nginx-supportpkg.go:96:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.pseudoHeaderError.Error
      #21: pkg/data_collector/data_collector.go:262:14: data_collector.DataCollector.AllNamespacesExist calls fmt.Printf, which eventually calls http2.stickyErrWriter.Write
      #22: pkg/jobs/nic_job_list.go:80:22: jobs.NICJobList calls http2.transportResponseBody.Close
      #23: pkg/jobs/nic_job_list.go:74:26: jobs.NICJobList calls io.Copy, which eventually calls http2.transportResponseBody.Read
      #24: pkg/data_collector/data_collector.go:110:28: data_collector.DataCollector.WrapUp calls fmt.Sprintf, which eventually calls http2.writeData.String

=== Package Results ===

No other vulnerabilities found.

=== Module Results ===

Vulnerability #1: GO-2024-2611
    Infinite loop in JSON unmarshaling in google.golang.org/protobuf
  More info: https://pkg.go.dev/vuln/GO-2024-2611
  Module: google.golang.org/protobuf
    Found in: google.golang.org/[email protected]
    Fixed in: google.golang.org/[email protected]

Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.

To Reproduce

Steps to reproduce the behavior:

1. Run govulncheck -show verbose ./...

Expected behavior

1. No fixed vulnerabilities reported.

Screenshots

N/A

Environment

➜  nginx-supportpkg-for-k8s git:(main) ✗ govulncheck --version
Go: go1.22.4
Scanner: [email protected]
DB: https://vuln.go.dev
DB updated: 2024-06-20 18:18:26 +0000 UTC

Additional context

N/A

### Tasks
- [ ] https://github.com/nginxinc/nginx-supportpkg-for-k8s/pull/11

[mrajagopal]

@jjngx , thanks for reporting this, we shall address this shortly.

[dareste]

Solved and merged in #11.