x/vuln: vulnerabilities missing (go-reform analysis result) #69392

Closed
realchs opened this issue Sep 11, 2024 · 5 comments
Labels: NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one), vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo)

Comments

realchs commented Sep 11, 2024

Go version

go version go1.22.5 darwin/arm64

What did you do?

Run govulncheck for go-reform/reform v1.5.1:

govulncheck ./...

=== Symbol Results ===

Vulnerability #1: GO-2024-3107
    Stack exhaustion in Parse in go/build/constraint
  More info: https://pkg.go.dev/vuln/GO-2024-3107
  Standard library
    Found in: go/build/[email protected]
    Fixed in: go/build/[email protected]
    Example traces found:
      #1: reform/main.go:166:28: reform.main calls build.Import, which eventually calls constraint.Parse

Vulnerability #2: GO-2024-3105
    Stack exhaustion in all Parse functions in go/parser
  More info: https://pkg.go.dev/vuln/GO-2024-3105
  Standard library
    Found in: go/[email protected]
    Fixed in: go/[email protected]
    Example traces found:
      #1: parse/file.go:127:35: parse.File calls parser.ParseFile

Vulnerability #3: GO-2021-0113
    Out-of-bounds read in golang.org/x/text/language
  More info: https://pkg.go.dev/vuln/GO-2021-0113
  Module: golang.org/x/text
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: reform-db/main.go:15:2: reform.init calls stdlib.init, which eventually calls language.MustParse

Your code is affected by 3 vulnerabilities from 1 module and the Go standard library.
This scan also found 2 vulnerabilities in packages you import and 9
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.

What did you expect to see?

reform uses "github.com/jackc/pgx@v3.6.2+incompatible" as a direct dependency and it has two security vulnerabilities as shown in https://deps.dev/go/gopkg.in%2Fjackc%2Fpgx.v3/v3.6.2.
However, the vulnerabilities are not found in the report of govulncheck.

@gopherbot gopherbot added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Sep 11, 2024
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Sep 11, 2024
timothy-king (Contributor) commented:

CC @zpavlinovic, @golang/vulndb.

@timothy-king timothy-king added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Sep 11, 2024
@zpavlinovic zpavlinovic self-assigned this Sep 12, 2024
gopherbot (Contributor) commented:

Change https://go.dev/cl/612875 mentions this issue: data/reports: update GO-2024-2606

gopherbot (Contributor) commented:

Change https://go.dev/cl/612856 mentions this issue: data/reports: update GO-2024-2605

gopherbot pushed a commit to golang/vulndb that referenced this issue Sep 13, 2024
  - data/reports/GO-2024-2606.yaml

Updates #2606
Updates golang/go#69392

Change-Id: I32da7de9925de3bdea645dcc2ce1c9263941252d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/612875
Reviewed-by: Tatiana Bradley <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Zvonimir Pavlinovic <[email protected]>
gopherbot pushed a commit to golang/vulndb that referenced this issue Sep 13, 2024
  - data/reports/GO-2024-2605.yaml

Updates #2605
Updates golang/go#69392

Change-Id: Ib684227e0cae0c5ca7183a99753d09a39d250b2e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/612856
Reviewed-by: Tatiana Bradley <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Zvonimir Pavlinovic <[email protected]>
zpavlinovic (Contributor) commented Sep 13, 2024

We were missing that pgx was also vulnerable before pgx/v4 . This should be addressed now:

=== Symbol Results ===

...

Vulnerability #4: GO-2024-2606
    SQL injection in github.com/jackc/pgproto3 and github.com/jackc/pgx
  More info: https://pkg.go.dev/vuln/GO-2024-2606
  Module: github.com/jackc/pgx
    Found in: github.com/jackc/pgx@v3.6.2+incompatible
    Fixed in: N/A
    Example traces found:
      #1: querier_selects.go:18:19: reform.Querier.NextRow calls sql.Rows.Next, which eventually calls sanitize.SanitizeSQL

Vulnerability #5: GO-2024-2605
    SQL injection in github.com/jackc/pgx/v4
  More info: https://pkg.go.dev/vuln/GO-2024-2605
  Module: github.com/jackc/pgx
    Found in: github.com/jackc/pgx@v3.6.2+incompatible
    Fixed in: N/A
    Example traces found:
      #1: querier_selects.go:18:19: reform.Querier.NextRow calls sql.Rows.Next, which eventually calls sanitize.SanitizeSQL

...

You don't need to update the govulncheck version. We were missing this information in the vulnerability database.

Could you confirm that you now see the expected results?
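The database gap zpavlinovic describes, as an added example that is not part of this issue nor of the govulncheck or vulndb code: an OSV affected range is keyed by the exact Go module path, so a record that lists only github.com/jackc/pgx/v4 can never match github.com/jackc/pgx@v3.6.2+incompatible until a range for the pre-v4 path is added. The two records below (including the pgx/v4 fixed version) are constructed for illustration, not the real GO-2024-2606 data, and the version ordering is a simplified stand-in for full semver.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one OSV SEMVER range event: exactly one field is set. Ranges maps a
// Go module path to the ordered events of one range (one range per path here).
type Event struct{ Introduced, Fixed string }
type Ranges map[string][]Event

// core maps "v3.6.2+incompatible" to 3006002 (components assumed < 1000);
// pre-release and build metadata are ignored, which is enough for this demo.
func core(v string) int {
	var a, b, c int
	fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &a, &b, &c) // stops at "+"
	return a*1e6 + b*1e3 + c
}

// IsAffected applies OSV semantics: affected from an "introduced" event up to
// (excluding) the next "fixed" event; a range with no "fixed" covers all later versions.
func IsAffected(db Ranges, module, version string) bool {
	v, in := core(version), false
	for _, e := range db[module] { // exact path match: a pgx/v4 entry says nothing about pgx
		if e.Introduced != "" && v >= core(e.Introduced) {
			in = true
		} else if e.Fixed != "" && v >= core(e.Fixed) {
			in = false
		}
	}
	return in
}

// Constructed records, not the real GO-2024-2606 data: "before" knows only the
// pgx/v4 path; "after" adds pre-v4 pgx with no fixed version ("Fixed in: N/A").
var before = Ranges{"github.com/jackc/pgx/v4": {{Introduced: "0"}, {Fixed: "4.18.2"}}}
var after = Ranges{
	"github.com/jackc/pgx/v4": before["github.com/jackc/pgx/v4"],
	"github.com/jackc/pgx":    {{Introduced: "0"}},
}

func main() {
	const mod, ver = "github.com/jackc/pgx", "v3.6.2+incompatible"
	fmt.Println("before:", IsAffected(before, mod, ver)) // false: path never matched
	fmt.Println("after: ", IsAffected(after, mod, ver))  // true
}
```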

realchs (Author) commented Sep 14, 2024

I've tested again and yes it worked as expected 👍

@realchs realchs closed this as completed Sep 14, 2024