Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GODRIVER-2446 Update Fixable Dep Vulnerabilities, Identify Un-Fixable Dep Vulnerabilities #1005

Merged
merged 7 commits into from
Jun 30, 2022
Merged

GODRIVER-2446 Update Fixable Dep Vulnerabilities, Identify Un-Fixable Dep Vulnerabilities #1005

merged 7 commits into from
Jun 30, 2022

Conversation

prestonvasquez
Copy link
Collaborator

@prestonvasquez prestonvasquez commented Jun 28, 2022
edited
Loading

  1. golang.org/x/net CVE-2021-44716
  2. golang.org/x/text CVE-2020-14040
  3. golang.org/x/text CVE-2021-38561
  4. golang.org/x/crypto CVE-2020-9283, CVE-2020-29652, CVE-2022-27191
  5. gopkg.in/yaml.v3 CVE-2022-28948

golang.org/x/net

GODRIVER-2448

CVE-2021-44716

We have two packages that use the net library:

  1. golang.org/x/crypto
  2. golang.org/x/tools

Updating both to latest respectively puts the dependency graphs at

golang.org/x/crypto@v0.0.0-20220622213112-05595931fe9d golang.org/x/net@v0.0.0-20211112202133-69e39bad7dc2

golang.org/x/crypto@v0.0.0-20210921155107-089bfa567519 golang.org/x/net@v0.0.0-20210226172049-e18ecbb05110

and

golang.org/x/tools@v0.1.11 golang.org/x/net@v0.0.0-20211015210444-4f30a5c0130f

golang.org/x/tools@v0.0.0-20191119224855-298f0cb1881e golang.org/x/net@v0.0.0-20190620200207-3b0461eec859

According to Snyk the DOS vulnerability for golang.org/x/net is fixed in

golang.org/x/net@0.0.0-20211209124913-491a49abca63

which means that neither of our latest dependencies resolves this problem, as our earliest version for the net library is

golang.org/x/net@v0.0.0-20190620200207-3b0461eec859

The root of this 2019 version is that golang.org/x/tools imports an older version of itself. This peculiarity results in the following dependency graph:

golang.org/x/tools@v0.1.11 golang.org/x/mod@v0.6.0-dev.0.20220419223038-86c51ed26bb4
golang.org/x/mod@v0.6.0-dev.0.20220419223038-86c51ed26bb4 golang.org/x/tools@v0.0.0-20191119224855-298f0cb1881e
golang.org/x/tools@v0.0.0-20191119224855-298f0cb1881e golang.org/x/net@v0.0.0-20190620200207-3b0461eec859
golang.org/x/net@v0.0.0-20190620200207-3b0461eec859 golang.org/x/crypto@v0.0.0-20190308221718-c2843e01d9a2

The only place in our repo that uses x/tools is docbuilder. The goal of this package was to create a binary that generates HTML for package redirects, defined in GODRIVER-120. Since the go team no longer maintains this practice, we can deprecate the docbuilder and do only top-level redirects as requested in TSOPS-4909 HELP-35307 ITSYSENG-5757.

The x/crypto package still uses a vulnerable version of the net package:

golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2

To help get closer to resolving this, I've submitted an issue via the Go Security Policy:

Hi,

It appears that the x/crypto package still uses a version of golang.org/x/net that is still subject to the CVE-2021-44716 vulnerability. Surprisingly there is no issue reported for this at the moment.

However, per the go team:

As far as I am aware x/net/http2 is not used anywhere in x/crypto, the only x/net package used is x/net/idna, which is unaffected by this security issue.

Given this issue is specifically concerning the use of x/net/http2, this vulnerability is resolved. It's also worth noting that the dependency update given by Snyk is specific to the x/tools package.

golang.org/x/text

GODRIVER-2447

CVE-2020-14040

This is a DOS vulnerability that is fixed in golang.org/x/text@0.3.3. The earliest version of the golang.org/x/text package in the Go Driver is golang.org/x/text@v0.3.6, which is a dependency of golang.org/x/crypto:

golang.org/x/crypto@v0.0.0-20220622213112-05595931fe9d golang.org/x/text@v0.3.6

CVE-2021-38561

This no longer appears to be an issue on cve.org. However, it is still a vulnarbility on Snyk that is fixed as of golang.org/x/text@v0.3.7. In the Go Driver, this vulnerability is introduced by golang.org/x/crypto: https://cs.opensource.google/go/x/crypto/+/master:go.mod;l=11 and the question of CVE-2021-38561's effects on the x/crypto package is currently an open issue with their team. This is not, however, an issue reported by Snyk AFAIK.

I've created [GODRIVER-2447|https://jira.mongodb.org/browse/GODRIVER-2477] to resolve this whenever the Go team's issue is closed.

This is resolved by updating github.com/xdg-go/stringprep, per the dependency graph:

github.com/xdg-go/stringprep@v1.0.3 golang.org/x/text@v0.3.7

golang.org/x/crypto

GODRIVER-2446

CVE-2020-9283
CVE-2020-29652
CVE-2022-27191

All three of these issues are resolved by updating golang.org/x/crypto to latest.

gopkg.in/yaml.v3

GODRIVER-2448

CVE-2022-28948

This is resolved by upgrading gopkg.in/yaml.v3 to version 3.0.0 or higher. I believe replacing the effected version in the module will resolve this issue: https://go.dev/ref/mod#:~:text=A%20replace%20directive%20replaces%20the,a%20platform%2Dspecific%20file%20path.

@prestonvasquez prestonvasquez changed the title GODRIVER-2446 update dependencies GODRIVER-2446 Update Fixable Dep Vulnerabilities, Identify Un-Fixable Dep Vulnerabilities Jun 28, 2022
matthewdale
matthewdale approved these changes Jun 28, 2022
View reviewed changes
Copy link
Collaborator

@matthewdale matthewdale left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good 👍 . Thanks for the thorough description of the updates!

@matthewdale matthewdale mentioned this pull request Jun 29, 2022
Merged
prestonvasquez
prestonvasquez commented Jun 29, 2022
View reviewed changes
go.mod
// gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c introduced through github.com/stretchr/testify@v1.6.1 are
// vulnerable to Denial of Service (DoS) via the Unmarshal function, which causes the program to crash when attempting
// to deserialize invalid input. https://www.cve.org/CVERecord?id=CVE-2022-28948
replace gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c => gopkg.in/yaml.v3 v3.0.1
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@matthewdale as you've noted, updating to a version of testify that resolves CVE-2022-28948 is not something we can do without breaking support for Go v10. Using replace updates the vulnerable yaml.v3 version to 3.0.1, which removes it from go.sum. However, the testify package still points to v3.0.0-20200313102051-9f266ea9e77c in the dependency graph:

github.com/stretchr/testify@v1.6.1 gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that's fine. The only version of gopkg.in/yaml.v3 in go.sum seems to be v3.0.1, suggesting that replace directive is preventing it from being part of the final dependency closure.

@benjirewis
Copy link
Contributor

Wow thanks for the super thorough description! That move with the replace directive is really smart... As for CVE--2021-44716, is there no remaining Snyk alert from the x/crypto package relying on a vulnerable version of x/net?

@prestonvasquez
Copy link
Collaborator Author

@benjirewis

Wow thanks for the super thorough description! That move with the replace directive is really smart... As for CVE--2021-44716, is there no remaining Snyk alert from the x/crypto package relying on a vulnerable version of x/net?

The x/crypto package does use a version of x/net that is vulnerable, it doesn't use the vulnerable functionality specifically. I emailed the Go team about this and their response was

As far as I am aware x/net/http2 is not used anywhere in x/crypto, the only x/net package used is x/net/idna, which is unaffected by this security issue.

The specific Snyk problem for x/net was due to x/tools, which we no longer import as a dependency: https://app.snyk.io/org/mongodb-default/project/d1fd28ee-07d4-4de7-88ed-e20dc42a307c#issue-SNYK-GOLANG-GOLANGORGXNETHTTP2-2313688

benjirewis
benjirewis approved these changes Jun 29, 2022
View reviewed changes
Copy link
Contributor

@benjirewis benjirewis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gotcha. If the Go team says we're not using the vulnerable code with our current setup and Snyk is not complaining I think that's fine w me. Thanks!

go.mod Outdated
@@ -7,6 +7,11 @@ retract (
[v1.6.0, v1.6.1] // Contains data race bug in background connection establishment.
)

// gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c introduced through github.com/stretchr/testify@v1.6.1 are
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c introduced through github.com/stretchr/testify@v1.6.1 are
// gopkg.in/yaml.v3@v3.0.0-20200313102051-9f266ea9e77c introduced through github.com/stretchr/testify@v1.6.1 is

@prestonvasquez @benjirewis
Update go.mod
c204043 
Co-authored-by: Benjamin Rewis <32186188+benjirewis@users.noreply.github.com>
@prestonvasquez prestonvasquez merged commit be357d0 into mongodb:master Jun 30, 2022
@prestonvasquez prestonvasquez deleted the GODRIVER-2446 branch June 30, 2022 21:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matthewdale matthewdale matthewdale approved these changes

@benjirewis benjirewis benjirewis approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@prestonvasquez @benjirewis @matthewdale