
Trivy and Grype findings #41

Open
sblatnick opened this issue Nov 25, 2024 · 9 comments

Comments

@sblatnick

The following vulnerabilities have been detected in /root/.local/share/gh/extensions/gh-token/gh-token:

| CVE | Severity |
| --- | --- |
| CVE-2023-24531 | Critical/9.8, 0.04% |
| CVE-2023-24538 | Critical/9.8, 0.74% |
| CVE-2023-24540 | Critical/9.8, 0.28% |
| CVE-2023-29402 | Critical/9.8, 0.85% |
| CVE-2024-24790 | Critical/9.8, 0.06% |
| CVE-2023-29405 | Critical/9.8, 0.69% |
| CVE-2023-29404 | Critical/9.8, 0.83% |
| CVE-2024-24784 | High/7.5, 0.04% |
| CVE-2023-24536 | High/7.5, 0.82% |
| CVE-2023-24534 | High/7.5, 0.35% |
| CVE-2023-39325 | High/7.5, 0.36% |
| CVE-2023-24537 | High/7.5, 0.17% |
| CVE-2023-45283 | High/7.5, 0.17% |
| CVE-2022-41723 | High/7.5, 4.18% |
| CVE-2022-41722 | High/7.5, 0.17% |
| CVE-2023-44487 | High/7.5, 83.78% |
| CVE-2022-41725 | High/7.5, 0.21% |
| CVE-2023-29400 | High/7.3, 0.15% |
| CVE-2023-29403 | High/7.8, 0.09% |
| CVE-2023-24539 | High/7.3, 0.15% |
| CVE-2022-41724 | High/7.5, 0.2% |
| CVE-2024-24791 | High/7.5, 0.04% |
| CVE-2023-45287 | High/7.5, 0.08% |
| CVE-2023-39323 | High/8.1, 0.38% |
| CVE-2023-45285 | High/7.5, 0.07% |
| CVE-2024-34156 | High/7.5, 0.04% |
| CVE-2023-45288 | High/7.5, 0.04% |
| CVE-2024-34158 | High/7.5, 0.04% |
@Link- (Owner) commented Jan 11, 2025

Spam.

Link- closed this as completed Jan 11, 2025
@sblatnick (Author)

Definitely not spam! I scanned it using Trivy, and it said all these things were a problem. If they are false positives, please let me know.

Link- reopened this Jan 13, 2025
@Link- (Owner) commented Jan 13, 2025

Sorry @sblatnick - I didn't find how these apply to this code. Could you run the scan again and share with me the results after this latest release?

Also, it would be great if the scans show the line numbers & code references that flagged these issues.

@sblatnick (Author)

Thanks! I'll try to dig up the details.

@sblatnick (Author)

These results came from scanning an image. All results are in a binary file, so giving the line number is not really possible.

The file is ~/.local/share/gh/extensions/gh-token/gh-token

Findings come from either Trivy or Grype scans.

I am pretty busy today, so further details may have to wait until later this week. I hope this helps.

@Link- (Owner) commented Jan 13, 2025

Hmm... I already have CodeQL running on the source & it has not flagged any issues 🤔 What this extension does is pretty straightforward, so I'm not overly concerned. When you have information I can act on, I'll take a look and see what's reasonable to deal with.

@sblatnick (Author)

I see that you updated Go from 1.20 to 1.23.4 on Jan 11, which actually remediated the majority of these findings. There are only 2 remaining. Both appear to be waiting on Go to fix. Once available, you should be able to remediate by simply updating your go.mod to the patched/fixed version.

Here are the remaining findings (output from our tooling):

CVE-2023-45287

Description
Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.

Artifacts
This vulnerability was discovered in the following artifacts.

| Type | Name | Version | False Positive | File Path |
| --- | --- | --- | --- | --- |
| Go Library | stdlib | v1.18.10 | No | /root/.local/share/gh/extensions/gh-token/gh-token |

CVE-2023-44487

Description
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Artifacts
This vulnerability was discovered in the following artifacts.

| Type | Name | Version | False Positive | File Path |
| --- | --- | --- | --- | --- |
| Go Library | stdlib | go1.18.10 | No | /root/.local/share/gh/extensions/gh-token/gh-token |
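A check a maintainer or reviewer can run on the shipped artifact itself, added here as an example (not gh-token's code and not output of either scanner): read the Go toolchain version stamped into a binary such as gh-token via the standard library's debug/buildinfo and compare it with the release that carries a finding's fix, since that stamped version is the "stdlib" version Trivy and Grype match CVEs against. The program name gover, its arguments and the version-ordering rules are assumptions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"log"
	"os"
	"strings"
)

// parseGoVersion normalises "go1.18.10" or "v1.18.10" to {major, minor, patch};
// a missing patch number counts as 0 and pre-release suffixes such as "rc1" are ignored.
func parseGoVersion(v string) (out [3]int, err error) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if n, _ := fmt.Sscanf(v, "%d.%d.%d", &out[0], &out[1], &out[2]); n < 2 {
		err = fmt.Errorf("unrecognised Go version %q", v)
	}
	return out, err
}

// atLeast reports whether the toolchain a binary was built with (have) is at least
// the release that fixes a finding (want), e.g. the go1.23.4 this thread upgraded to.
func atLeast(have, want string) (bool, error) {
	h, errH := parseGoVersion(have)
	w, errW := parseGoVersion(want)
	if errH != nil || errW != nil {
		return false, fmt.Errorf("cannot compare Go versions %q and %q", have, want)
	}
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i], nil
		}
	}
	return true, nil
}

// Assumed CLI wrapper, not part of gh-token: gover <go-binary> <minimum-go-version>.
func main() {
	if len(os.Args) != 3 {
		log.Fatal("usage: gover <go-binary> <minimum, e.g. go1.23.4>")
	}
	// Trivy and Grype report the toolchain version stamped into the binary as "stdlib".
	bi, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	ok, err := atLeast(bi.GoVersion, os.Args[2])
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%s: built with %s; meets %s: %v\n", os.Args[1], bi.GoVersion, os.Args[2], ok)
}
```

debug/buildinfo needs Go 1.18 or newer; the same stamped version is visible with `go version -m <binary>`, which is a quick way to confirm whether a scanner's "stdlib" finding still applies after a toolchain bump.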

@Link- (Owner) commented Jan 16, 2025

Awesome, thank you @sblatnick

@sblatnick (Author)

FYI, I just scanned again in our tool to verify what I posted before, and even these two findings appear to be fixed now. I'm not sure if you did anything on your end.
