
vulns - Feb 2025 #305

Merged
merged 5 commits into from
Feb 24, 2025

Conversation

ddl-dclegg
Contributor

@ddl-dclegg ddl-dclegg commented Feb 21, 2025

Link to JIRA

VUL-2641
VUL-2748

What issue does this pull request solve?

  • Due to controller-runtime issues, the webhook.Validator and webhook.Defaulter interfaces were deprecated. At build time, projects using hephaestus may have seen something like
89.38 # github.com/dominodatalab/hephaestus/pkg/api/hephaestus/v1
89.38 /root/go/pkg/mod/github.com/dominodatalab/hephaestus@v0.11.11/pkg/api/hephaestus/v1/imagebuild_webhook.go:17:15: undefined: webhook.Defaulter
89.38 /root/go/pkg/mod/github.com/dominodatalab/hephaestus@v0.11.11/pkg/api/hephaestus/v1/imagebuild_webhook.go:24:15: undefined: webhook.Validator
89.38 /root/go/pkg/mod/github.com/dominodatalab/hephaestus@v0.11.11/pkg/api/hephaestus/v1/imagecache_webhook.go:14:15: undefined: webhook.Validator

Vuln scans (before)

Trivy
quay.io/domino/hephaestus:0.11.7 (debian 12.7)
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/bin/hephaestus-controller (gobinary)
========================================
Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 4, HIGH: 1, CRITICAL: 1)

┌──────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│                     Library                      │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├──────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/Azure/azure-sdk-for-go/sdk/azidentity │ CVE-2024-35255 │ MEDIUM   │ fixed  │ v1.5.2            │ 1.6.0                        │ azure-identity: Azure Identity Libraries Elevation of        │
│                                                  │                │          │        │                   │                              │ Privilege Vulnerability in                                   │
│                                                  │                │          │        │                   │                              │ github.com/Azure/azure-sdk-for-go/sdk/azidentity             │
│                                                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-35255                   │
├──────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/golang-jwt/jwt/v4                     │ CVE-2024-51744 │ LOW      │        │ v4.5.0            │ 4.5.1                        │ golang-jwt: Bad documentation of error handling in           │
│                                                  │                │          │        │                   │                              │ ParseWithClaims can lead to potentially...                   │
│                                                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-51744                   │
├──────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto                              │ CVE-2024-45337 │ CRITICAL │        │ v0.26.0           │ 0.31.0                       │ golang.org/x/crypto/ssh: Misuse of                           │
│                                                  │                │          │        │                   │                              │ ServerConfig.PublicKeyCallback may cause authorization       │
│                                                  │                │          │        │                   │                              │ bypass in golang.org/x/crypto                                │
│                                                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45337                   │
├──────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net                                 │ CVE-2024-45338 │ HIGH     │        │ v0.28.0           │ 0.33.0                       │ golang.org/x/net/html: Non-linear parsing of                 │
│                                                  │                │          │        │                   │                              │ case-insensitive content in golang.org/x/net/html            │
│                                                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45338                   │
├──────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                                           │ CVE-2024-45336 │ MEDIUM   │        │ v1.23.2           │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly    │
│                                                  │                │          │        │                   │                              │ sent after cross-domain redirect                             │
│                                                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45336                   │
│                                                  ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│                                                  │ CVE-2024-45341 │          │        │                   │                              │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│                                                  │                │          │        │                   │                              │ bypass URI name...                                           │
│                                                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45341                   │
│                                                  ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                  │ CVE-2025-22866 │          │        │                   │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│                                                  │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
│                                                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
└──────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘
Grype
NAME                                              INSTALLED  FIXED-IN                    TYPE       VULNERABILITY        SEVERITY  
github.com/Azure/azure-sdk-for-go/sdk/azidentity  v1.5.2     1.6.0                       go-module  GHSA-m5vv-6r4h-3vj9  Medium    
github.com/golang-jwt/jwt/v4                      v4.5.0     4.5.1                       go-module  GHSA-29wx-vh33-7x7r  Low       
golang.org/x/crypto                               v0.26.0    0.31.0                      go-module  GHSA-v778-237x-gjrc  Critical  
golang.org/x/net                                  v0.28.0    0.33.0                      go-module  GHSA-w32m-9786-jp63  High      
stdlib                                            go1.23.2   1.22.12 1.23.6 1.24.0-rc.3  go-module  CVE-2025-22866       Medium    
stdlib                                            go1.23.2   1.22.11 1.23.5 1.24.0-rc.2  go-module  CVE-2024-45341       Medium    
stdlib                                            go1.23.2   1.22.11 1.23.5 1.24.0-rc.2  go-module  CVE-2024-45336       Medium

What is the solution?

  • Implement CustomDefaulter and CustomValidator
  • Patch vulns

Vuln scans (after)

Trivy
ghcr.io/dominodatalab/hephaestus:latest (debian 12.9)
=====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Grype
NAME  INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY

Testing

References (optional)
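The "Implement CustomDefaulter and CustomValidator" line above is the controller-runtime migration path away from the deprecated webhook.Defaulter / webhook.Validator interfaces that broke the build output quoted in the issue description. The Go file below is an added example written for this page, not code from this PR or from the hephaestus repository. It shows the shape of that migration for an ImageBuild-like type: to build with the standard library alone it declares local copies of runtime.Object, admission.Warnings, admission.CustomDefaulter and admission.CustomValidator (in real code these come from k8s.io/apimachinery/pkg/runtime and sigs.k8s.io/controller-runtime/pkg/webhook/admission), and the ImageBuild fields, the defaulting rule and the validation rules are constructed for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// Stand-ins for runtime.Object and admission.Warnings, plus local copies of the
// admission.CustomDefaulter / admission.CustomValidator method sets (assumption:
// declared here instead of imported so the file builds with the standard library only).
type Object interface{ GetObjectKind() string }
type Warnings []string
type CustomDefaulter interface{ Default(ctx context.Context, obj Object) error }
type CustomValidator interface {
	ValidateCreate(ctx context.Context, obj Object) (Warnings, error)
	ValidateUpdate(ctx context.Context, oldObj, newObj Object) (Warnings, error)
	ValidateDelete(ctx context.Context, obj Object) (Warnings, error)
}

// ImageBuild is a constructed stand-in for the CRD with only the fields used here.
type ImageBuildSpec struct {
	Images          []string
	Context, LogKey string
}
type ImageBuild struct {
	Name string
	Spec ImageBuildSpec
}

func (*ImageBuild) GetObjectKind() string { return "ImageBuild" }

// Handlers are separate structs rather than methods on ImageBuild, and the object
// arrives as a generic Object, so each handler asserts the type and rejects a mismatch.
type ImageBuildDefaulter struct{}
type ImageBuildValidator struct{}
var _ CustomDefaulter = &ImageBuildDefaulter{}
var _ CustomValidator = &ImageBuildValidator{}

func asImageBuild(obj Object) (*ImageBuild, error) {
	if ib, ok := obj.(*ImageBuild); ok {
		return ib, nil
	}
	return nil, fmt.Errorf("expected *ImageBuild, got %T", obj)
}

func (*ImageBuildDefaulter) Default(_ context.Context, obj Object) error {
	ib, err := asImageBuild(obj)
	if err == nil && ib.Spec.LogKey == "" {
		ib.Spec.LogKey = ib.Name // constructed rule: logKey defaults to the object name
	}
	return err
}

func (v *ImageBuildValidator) ValidateCreate(_ context.Context, obj Object) (Warnings, error) {
	ib, err := asImageBuild(obj)
	if err != nil {
		return nil, err
	}
	return validateSpec(&ib.Spec)
}

func (v *ImageBuildValidator) ValidateUpdate(ctx context.Context, oldObj, newObj Object) (Warnings, error) {
	oldIB, err := asImageBuild(oldObj)
	if err != nil {
		return nil, err
	}
	if newIB, ok := newObj.(*ImageBuild); ok && newIB.Spec.Context != oldIB.Spec.Context {
		return nil, errors.New("spec.context is immutable") // constructed rule
	}
	return v.ValidateCreate(ctx, newObj)
}

func (v *ImageBuildValidator) ValidateDelete(_ context.Context, obj Object) (Warnings, error) {
	_, err := asImageBuild(obj)
	return nil, err
}

// validateSpec: hard error for missing required fields; a warning (the request is
// admitted, but the client sees it) for an untagged image, which would be pushed as :latest.
func validateSpec(spec *ImageBuildSpec) (Warnings, error) {
	if len(spec.Images) == 0 || spec.Context == "" {
		return nil, errors.New("spec.images and spec.context are required")
	}
	var warns Warnings
	for _, img := range spec.Images {
		if !strings.Contains(img, ":") {
			warns = append(warns, "image "+img+" has no tag")
		}
	}
	return warns, nil
}

func main() {
	ib := &ImageBuild{Name: "demo", Spec: ImageBuildSpec{Images: []string{"registry.example/demo"}, Context: "ctx.tgz"}}
	_ = (&ImageBuildDefaulter{}).Default(context.Background(), ib)
	warns, err := (&ImageBuildValidator{}).ValidateCreate(context.Background(), ib)
	fmt.Println(ib.Spec.LogKey, warns, err)
}
```

In a real operator the two handlers are registered with ctrl.NewWebhookManagedBy(mgr).For(&ImageBuild{}).WithDefaulter(&ImageBuildDefaulter{}).WithValidator(&ImageBuildValidator{}).Complete(). The detail worth keeping in mind when porting is the assertion in asImageBuild: under the custom interfaces the webhook no longer receives a typed object, so a handler that skipped the check and returned nil would admit whatever it was handed without inspecting it.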

@ddl-dclegg ddl-dclegg requested a review from a team February 21, 2025 16:59
@ddl-dclegg ddl-dclegg merged commit 87a7631 into main Feb 24, 2025
4 checks passed
@ddl-dclegg ddl-dclegg deleted the dclegg-webhook-fix2 branch February 24, 2025 19:16