Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade packages highlighted by Trivy #243

Open
yonch opened this issue Nov 27, 2023 · 1 comment · May be fixed by #252
Open

Upgrade packages highlighted by Trivy #243

yonch opened this issue Nov 27, 2023 · 1 comment · May be fixed by #252
Labels
bug Something isn't working

Comments

@yonch
Copy link
Contributor

yonch commented Nov 27, 2023

What happened?

Description

Trivy is reporting potentially vulnerable packages in collector/k8s.

The two vulnerabilities seem to be resource exhaustion attacks (not arbitrary code execution), and this component communicates with the Kubernetes API and the k8s-watcher rather than public endpoints. Still, it would be prudent to upgrade the go dependencies.

Steps to Reproduce

Run Trivy test (e.g., runs automatically upon merge)

Expected Result

No alerts

Actual Result

https://github.com/open-telemetry/opentelemetry-network/actions/runs/7010845578/job/19072233435#step:4:31

eBPF Collector version

f1aceba

Environment information

Environment

GitHub / Trivy scan

eBPF Collector configuration

No response

Log output

/usr/bin/docker run --name bbed06b9809a2cb4243af7d18b698bce9dd_79279b --label 813bbe --workdir /github/workspace --rm -e "INPUT_SCAN-TYPE" -e "INPUT_SCAN-REF" -e "INPUT_SKIP-DIRS" -e "INPUT_FORMAT" -e "INPUT_EXIT-CODE" -e "INPUT_SEVERITY" -e "INPUT_IGNORE-UNFIXED" -e "INPUT_VULN-TYPE" -e "INPUT_TIMEOUT" -e "INPUT_IMAGE-REF" -e "INPUT_INPUT" -e "INPUT_TEMPLATE" -e "INPUT_OUTPUT" -e "INPUT_SKIP-FILES" -e "INPUT_CACHE-DIR" -e "INPUT_IGNORE-POLICY" -e "INPUT_HIDE-PROGRESS" -e "INPUT_LIST-ALL-PKGS" -e "INPUT_SECURITY-CHECKS" -e "INPUT_TRIVYIGNORES" -e "INPUT_ARTIFACT-TYPE" -e "INPUT_GITHUB-PAT" -e "INPUT_TRIVY-CONFIG" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/opentelemetry-network/opentelemetry-network":"/github/workspace" 813bbe:d06b9809a2cb4243af7d18b698bce9dd  "-a fs" "-b table" "-c " "-d 1" "-e true" "-f os,library" "-g CRITICAL,HIGH" "-h " "-i " "-j ." "-k docs,cmake,ext" "-l " "-m " "-n 10m" "-o " "-p " "-q " "-r false" "-s " "-t " "-u " "-v "
Running trivy with options: trivy fs  --format table --exit-code  1 --ignore-unfixed --vuln-type  os,library --severity  CRITICAL,HIGH --skip-dirs docs --skip-dirs cmake --skip-dirs ext --timeout  10m .
Global options:  
2023-11-27T21:30:38.735Z	INFO	Need to update DB
2023-11-27T21:30:38.735Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-11-27T21:30:38.735Z	INFO	Downloading DB...
41.01 MiB / 41.01 MiB [----------------------------------------------------------->] 100.00% ? p/s ?41.01 MiB / 41.01 MiB [----------------------------------------------------------->] 100.00% ? p/s ?41.01 MiB / 41.01 MiB [----------------------------------------------------------->] 100.00% ? p/s ?41.01 MiB / 41.01 MiB [----------------------------------------------------------->] 100.00% ? p/s ?41.01 MiB / 41.01 MiB [----------------------------------------------------------->] 100.00% ? p/s ?41.01 MiB / 41.01 MiB [----------------------------------------------------------->] 100.00% ? p/s ?41.01 MiB / 41.01 MiB [-------------------------------------------------] 100.00% 37.98 MiB p/s 1.3s2023-11-27T21:30:40.531Z	INFO	Vulnerability scanning is enabled
2023-11-27T21:30:40.531Z	INFO	Secret scanning is enabled
2023-11-27T21:30:40.531Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-11-27T21:30:40.531Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.34/docs/secret/scanning/#recommendation for faster secret detection
2023-11-27T21:30:40.972Z	INFO	Number of language-specific files: 1
2023-11-27T21:30:40.972Z	INFO	Detecting gomod vulnerabilities...

collector/k8s/go.mod (gomod)
============================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│        Library         │    Vulnerability    │ Severity │ Installed Version │     Fixed Version      │                            Title                             │
├────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net       │ CVE-2023-39325      │ HIGH     │ 0.7.0             │ 0.17.0                 │ golang: net/http, x/net/http2: rapid stream resets can cause │
│                        │                     │          │                   │                        │ excessive work (CVE-2023-44487)                              │
│                        │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
├────────────────────────┼─────────────────────┤          ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc │ GHSA-m425-mq94-257g │          │ 1.53.0            │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability                     │
│                        │                     │          │                   │                        │ https://github.com/advisories/GHSA-m425-mq94-257g            │
└────────────────────────┴─────────────────────┴──────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘

Additional context

No response
@yonch yonch added the bug Something isn't working label Nov 27, 2023
@yonch
Copy link
Contributor Author

yonch commented Nov 27, 2023

@atoulme fyi

@yonch yonch changed the title Upgrade packages highlighted by Privy Upgrade packages highlighted by Trivy Nov 27, 2023
@shivanshuraj1333 shivanshuraj1333 linked a pull request Feb 20, 2024 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Bumping go packages to fix CVE shivanshuraj1333/opentelemetry-network
1 participant
@yonch