Vulnerability in a Go pkg #10

Closed
jjngx opened this issue Jun 24, 2024 · 2 comments

jjngx commented Jun 24, 2024

Describe the bug

```
➜  nginx-supportpkg-for-k8s git:(main) ✗ govulncheck -show verbose ./...
Scanning your code and 946 packages across 138 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: pkg/data_collector/data_collector.go:93:50: data_collector.NewDataCollector calls kubernetes.NewForConfig, which eventually calls http2.ConfigureTransports
      #2: cmd/nginx-supportpkg.go:96:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.ConnectionError.Error
      #3: pkg/data_collector/data_collector.go:110:28: data_collector.DataCollector.WrapUp calls fmt.Sprintf, which eventually calls http2.ErrCode.String
      #4: pkg/data_collector/data_collector.go:110:28: data_collector.DataCollector.WrapUp calls fmt.Sprintf, which eventually calls http2.FrameHeader.String
      #5: pkg/data_collector/data_collector.go:110:28: data_collector.DataCollector.WrapUp calls fmt.Sprintf, which eventually calls http2.FrameType.String
      #6: cmd/nginx-supportpkg.go:96:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.GoAwayError.Error
      #7: pkg/data_collector/data_collector.go:110:28: data_collector.DataCollector.WrapUp calls fmt.Sprintf, which eventually calls http2.Setting.String
      #8: pkg/data_collector/data_collector.go:110:28: data_collector.DataCollector.WrapUp calls fmt.Sprintf, which eventually calls http2.SettingID.String
      #9: cmd/nginx-supportpkg.go:96:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.StreamError.Error
      #10: pkg/data_collector/data_collector.go:251:5: data_collector.DataCollector.QueryCRD calls rest.Request.Do, which eventually calls http2.Transport.NewClientConn
      #11: pkg/data_collector/data_collector.go:251:5: data_collector.DataCollector.QueryCRD calls rest.Request.Do, which eventually calls http2.Transport.RoundTrip
      #12: pkg/data_collector/data_collector.go:262:14: data_collector.DataCollector.AllNamespacesExist calls fmt.Printf, which eventually calls http2.chunkWriter.Write
      #13: cmd/nginx-supportpkg.go:96:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.connError.Error
      #14: cmd/nginx-supportpkg.go:96:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.duplicatePseudoHeaderError.Error
      #15: pkg/jobs/nic_job_list.go:80:22: jobs.NICJobList calls http2.gzipReader.Close
      #16: pkg/jobs/nic_job_list.go:74:26: jobs.NICJobList calls io.Copy, which eventually calls http2.gzipReader.Read
      #17: cmd/nginx-supportpkg.go:96:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.headerFieldNameError.Error
      #18: cmd/nginx-supportpkg.go:96:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.headerFieldValueError.Error
      #19: pkg/data_collector/data_collector.go:251:5: data_collector.DataCollector.QueryCRD calls rest.Request.Do, which eventually calls http2.noDialH2RoundTripper.RoundTrip
      #20: cmd/nginx-supportpkg.go:96:27: cmd.Execute calls cobra.Command.Execute, which eventually calls http2.pseudoHeaderError.Error
      #21: pkg/data_collector/data_collector.go:262:14: data_collector.DataCollector.AllNamespacesExist calls fmt.Printf, which eventually calls http2.stickyErrWriter.Write
      #22: pkg/jobs/nic_job_list.go:80:22: jobs.NICJobList calls http2.transportResponseBody.Close
      #23: pkg/jobs/nic_job_list.go:74:26: jobs.NICJobList calls io.Copy, which eventually calls http2.transportResponseBody.Read
      #24: pkg/data_collector/data_collector.go:110:28: data_collector.DataCollector.WrapUp calls fmt.Sprintf, which eventually calls http2.writeData.String

=== Package Results ===

No other vulnerabilities found.

=== Module Results ===

Vulnerability #1: GO-2024-2611
    Infinite loop in JSON unmarshaling in google.golang.org/protobuf
  More info: https://pkg.go.dev/vuln/GO-2024-2611
  Module: google.golang.org/protobuf
    Found in: google.golang.org/[email protected]
    Fixed in: google.golang.org/[email protected]

Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
```

To Reproduce

Steps to reproduce the behavior:

  1. Run govulncheck -show verbose ./...

Expected behavior

  1. No fixed vulnerabilities reported.

Screenshots

N/A

Environment

```
➜  nginx-supportpkg-for-k8s git:(main) ✗ govulncheck --version
Go: go1.22.4
Scanner: [email protected]
DB: https://vuln.go.dev
DB updated: 2024-06-20 18:18:26 +0000 UTC
```

Additional context

N/A

### Tasks
- [ ] https://github.com/nginxinc/nginx-supportpkg-for-k8s/pull/11
@jjngx jjngx added the bug Something isn't working label Jun 24, 2024
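The report above splits findings into symbol, package and module results, and only the symbol-level one (GO-2024-2687) is reachable from this code. The Go program below is an added example, not code from this issue or the project: it reads a `govulncheck -json` stream and applies the same grouping so a CI step fails only on reachable findings. The JSON field names, the assumption that `trace[0]` is the vulnerable symbol, and the sample module paths are mine; versions are left out because the page does not show them.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Frame/Finding mirror govulncheck -json "finding" messages (assumed; JSON keys match case-insensitively).
type Frame struct{ Module, Package, Function string }
type Finding struct{ OSV string; Trace []Frame }
var rank = map[string]int{"": -1, "module": 0, "package": 1, "symbol": 2}

// Level groups a finding as the verbose report does: trace[0] is the vulnerable
// symbol, so a function name there means the scanned code actually reaches it.
func Level(f Finding) string {
	if t := f.Trace; len(t) > 0 && t[0].Function != "" {
		return "symbol"
	} else if len(t) > 0 && t[0].Package != "" {
		return "package"
	}
	return "module"
}

// Summarize keeps the strongest level per OSV id and sets fail on any symbol-level
// hit; module-only ones (GO-2024-2611 here) need an upgrade but are never called.
func Summarize(r io.Reader) (levels map[string]string, fail bool, err error) {
	levels, dec := map[string]string{}, json.NewDecoder(r)
	for dec.More() { // one JSON object per message in the stream
		var msg struct{ Finding *Finding }
		if err = dec.Decode(&msg); err != nil {
			return nil, false, err
		}
		if f := msg.Finding; f != nil && rank[Level(*f)] > rank[levels[f.OSV]] {
			levels[f.OSV] = Level(*f)
			fail = fail || levels[f.OSV] == "symbol"
		}
	}
	return levels, fail, nil
}

// Constructed sample stream with the two ids from the report; versions omitted.
const sample = `{"finding":{"osv":"GO-2024-2687","trace":[{"module":"golang.org/x/net","package":"golang.org/x/net/http2","function":"ConfigureTransports"},{"module":"example.com/app","package":"example.com/app/pkg/data_collector","function":"NewDataCollector"}]}}
{"finding":{"osv":"GO-2024-2611","trace":[{"module":"google.golang.org/protobuf"}]}}`

func main() { // in CI: govulncheck -json ./... | this program, exit 1 when fail
	levels, fail, err := Summarize(strings.NewReader(sample))
	fmt.Println(levels, "fail:", fail, "err:", err)
}
```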
mrajagopal (Collaborator) commented

@jjngx, thanks for reporting this, we shall address this shortly.

@mrajagopal mrajagopal self-assigned this Jun 24, 2024
dareste (Collaborator) commented Jun 25, 2024

Solved and merged in #11.

@dareste dareste closed this as completed Jun 25, 2024