
chore: add go toolchain version #1710

Merged: 2 commits, Oct 24, 2024

Conversation

afdesk (Collaborator) commented Oct 22, 2024

This PR adds support for Go toolchains.

There is a PR (e.g. #1681) that can't be merged without a specific Go toolchain.

So, to keep the dependencies up to date, we should indicate the Go toolchain.

Also, I fixed some vulnerabilities.

Before:

$ go build -o my-kb .
$ trivy rootfs .
2024-10-24T12:28:39+06:00	INFO	[vuln] Vulnerability scanning is enabled
2024-10-24T12:28:39+06:00	INFO	[secret] Secret scanning is enabled
2024-10-24T12:28:39+06:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-24T12:28:39+06:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-24T12:28:39+06:00	INFO	Number of language-specific files	num=1
2024-10-24T12:28:39+06:00	INFO	[gobinary] Detecting vulnerabilities...
2024-10-24T12:28:39+06:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.56/docs/scanner/vulnerability#severity-selection for details.

my-kb (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ 1.22.6            │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message   │
│         │                │          │        │                   │                │ which contains deeply nested structures...                  │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                  │
│         ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34155 │ MEDIUM   │        │                   │                │ go/parser: golang: Calling any of the Parse functions       │
│         │                │          │        │                   │                │ containing deeply nested literals...                        │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34155                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34158 │          │        │                   │                │ go/build/constraint: golang: Calling Parse on a "// +build" │
│         │                │          │        │                   │                │ build tag line with...                                      │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34158                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

After:

$ go build -o my-kb .
$ trivy rootfs .
2024-10-24T12:28:17+06:00	INFO	[vuln] Vulnerability scanning is enabled
2024-10-24T12:28:17+06:00	INFO	[secret] Secret scanning is enabled
2024-10-24T12:28:17+06:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-24T12:28:17+06:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-24T12:28:17+06:00	INFO	Number of language-specific files	num=1
2024-10-24T12:28:17+06:00	INFO	[gobinary] Detecting vulnerabilities...

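A check a defender can run on a built artifact, added here as an example (it is not part of this PR or of kube-bench): it reads the Go version stamped into a binary, the same information `go version ./kube-bench` prints, and compares it against the "Fixed Version" column Trivy reported for the three stdlib CVEs in the scan above. The version parser, the comparison rule and the program name are assumptions made for this example; the CVE identifiers and fixed versions are exactly as the scan output on this page lists them. The comparison rule generalises Trivy's cell format: a binary counts as patched when it is at or above the fix for its own minor line, or at or above the newest listed fix when its minor line has no entry.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goRelease holds the numeric parts of a Go release string such as "go1.22.7".
type goRelease struct{ major, minor, patch int }

// parseGoVersion accepts "go1.22.7" or "1.22.7"; a missing patch number means .0.
// Pre-release strings such as "go1.22rc1" are rejected: a binary built with one
// cannot be matched against release fix lists, so the caller must treat it separately.
func parseGoVersion(s string) (goRelease, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goRelease{}, fmt.Errorf("unrecognised go version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return goRelease{}, fmt.Errorf("unrecognised go version %q", s)
		}
		nums[i] = n
	}
	return goRelease{nums[0], nums[1], nums[2]}, nil
}

func (a goRelease) less(b goRelease) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

func (a goRelease) sameLine(b goRelease) bool {
	return a.major == b.major && a.minor == b.minor
}

// IsPatched reports whether a binary built with goVersion carries the fix
// described by a Trivy "Fixed Version" cell such as "1.22.7, 1.23.1".
// Rule (an assumption of this example): if a fix exists for the binary's own
// minor line (1.22.x), the binary must be at or above it; otherwise it must be
// at or above the newest fix, since later minor lines inherit earlier fixes.
func IsPatched(goVersion, fixedVersions string) (bool, error) {
	have, err := parseGoVersion(goVersion)
	if err != nil {
		return false, err
	}
	var newest goRelease
	for _, f := range strings.Split(fixedVersions, ",") {
		fix, err := parseGoVersion(f)
		if err != nil {
			return false, err
		}
		if have.sameLine(fix) {
			return !have.less(fix), nil
		}
		if newest.less(fix) {
			newest = fix
		}
	}
	return !have.less(newest), nil
}

// main reads the Go version stamped into a binary (what `go version <binary>`
// prints) and checks it against the fixed versions Trivy reported in this PR.
func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gotoolcheck <binary>") // hypothetical program name
		os.Exit(2)
	}
	bi, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s: built with %s\n", os.Args[1], bi.GoVersion)
	// Fixed versions exactly as the Trivy scan in this PR lists them.
	fixes := []struct{ id, fixed string }{
		{"CVE-2024-34156", "1.22.7, 1.23.1"},
		{"CVE-2024-34155", "1.22.7, 1.23.1"},
		{"CVE-2024-34158", "1.22.7, 1.23.1"},
	}
	exit := 0
	for _, c := range fixes {
		ok, err := IsPatched(bi.GoVersion, c.fixed)
		switch {
		case err != nil:
			fmt.Printf("  %s: cannot evaluate (%v)\n", c.id, err)
			exit = 1
		case ok:
			fmt.Printf("  %s: fixed in %s, OK\n", c.id, c.fixed)
		default:
			fmt.Printf("  %s: fixed in %s, NOT patched\n", c.id, c.fixed)
			exit = 1
		}
	}
	os.Exit(exit)
}
```

Run it as `go run . ./kube-bench` (or against any Go binary) in a CI step after the build; a non-zero exit means the binary was built with a toolchain older than the fix, which is exactly the situation the "Before" scan above shows for 1.22.6. Because the check reads `debug/buildinfo`, it works on a stripped binary and does not need the source or go.mod of the thing that was built.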
@afdesk afdesk marked this pull request as ready for review October 22, 2024 10:02
afdesk (Collaborator, Author) commented Oct 22, 2024

Hi @mozillazg!
I remember your concern about bumping the Go version (#1690 (comment)).
WDYT about this PR?
Thanks a lot!

@afdesk afdesk requested a review from mozillazg October 22, 2024 10:04
mozillazg (Collaborator) left a comment

LGTM

afdesk (Collaborator, Author) commented Oct 22, 2024

LGTM

Thanks! I'll wait a bit for other comments and then merge it.

afdesk (Collaborator, Author) commented Oct 23, 2024

LGTM

Hi @mozillazg
Trivy caught vulnerabilities in my-kube-bench that was built from the main branch: #1673 (comment)

I'm unsure whether it's really affected, but it seems we have to bump the Go version to 1.22.7...
WDYT?
Thanks!

mozillazg (Collaborator) commented

I'm unsure whether it's really affected, but it seems we have to bump the Go version to 1.22.7... WDYT? Thanks!

@afdesk
We already use Go 1.22.7 for building in pipelines.
Is it still necessary to bump the Go version to 1.22.7? If so, I'm fine with that.

$ tar zxf kube-bench_0.9.1_linux_amd64.tar.gz
$ go version ./kube-bench
./kube-bench: go1.22.7

$ trivy version
Version: 0.56.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-10-24 00:22:57.860059738 +0000 UTC
  NextUpdate: 2024-10-25 00:22:57.860059598 +0000 UTC
  DownloadedAt: 2024-10-24 01:55:38.655455 +0000 UTC

$ trivy image --scanners vuln docker.io/aquasec/kube-bench:v0.9.1
2024-10-24T10:36:30+08:00	INFO	[vuln] Vulnerability scanning is enabled
2024-10-24T10:36:34+08:00	INFO	Detected OS	family="alpine" version="3.20.3"
2024-10-24T10:36:34+08:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.20" repository="3.20" pkg_num=26
2024-10-24T10:36:34+08:00	INFO	Number of language-specific files	num=2
2024-10-24T10:36:34+08:00	INFO	[gobinary] Detecting vulnerabilities...
2024-10-24T10:36:34+08:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.56/docs/scanner/vulnerability#severity-selection for details.

docker.io/aquasec/kube-bench:v0.9.1 (alpine 3.20.3)

Total: 3 (UNKNOWN: 0, LOW: 3, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2024-9143 │ LOW      │ fixed  │ 3.3.2-r0          │ 3.3.2-r1      │ openssl: Low-level invalid GF(2^m) parameters lead to OOB │
│            │               │          │        │                   │               │ memory access                                             │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-9143                 │
├────────────┤               │          │        │                   │               │                                                           │
│ libssl3    │               │          │        │                   │               │                                                           │
│            │               │          │        │                   │               │                                                           │
│            │               │          │        │                   │               │                                                           │
├────────────┤               │          │        │                   │               │                                                           │
│ openssl    │               │          │        │                   │               │                                                           │
│            │               │          │        │                   │               │                                                           │
│            │               │          │        │                   │               │                                                           │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

usr/local/bin/kubectl (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ 1.22.5            │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message   │
│         │                │          │        │                   │                │ which contains deeply nested structures...                  │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                  │
│         ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34155 │ MEDIUM   │        │                   │                │ go/parser: golang: Calling any of the Parse functions       │
│         │                │          │        │                   │                │ containing deeply nested literals...                        │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34155                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34158 │          │        │                   │                │ go/build/constraint: golang: Calling Parse on a "// +build" │
│         │                │          │        │                   │                │ build tag line with...                                      │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34158                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

afdesk (Collaborator, Author) commented Oct 24, 2024

Is it still necessary to bump the Go version to 1.22.7? If so, I'm fine with that.

@mozillazg
That's great. I'm merging this PR and have created a new issue for the other vulns.
Thanks!

@afdesk afdesk merged commit 5568895 into aquasecurity:main Oct 24, 2024
5 checks passed