
JFrog CLI Build - Upgrade Go to v1.23.2 #2713

Merged
eyalbe4 merged 2 commits into jfrog:dev on Oct 6, 2024

Conversation

eyalbe4
Contributor

@eyalbe4 eyalbe4 commented Oct 3, 2024

Depends on jfrog/.github#5 for the Static Analysis / Go-Sec ubuntu-latest (pull_request) check to pass.

@eyalbe4 eyalbe4 added the improvement Automatically generated release notes label Oct 3, 2024
@eyalbe4 eyalbe4 requested a review from yahavi October 3, 2024 17:39
@eyalbe4 eyalbe4 added the safe to test Approve running integration tests on a pull request label Oct 3, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Oct 3, 2024
Contributor

github-actions bot commented Oct 3, 2024

🚨 Frogbot scanned this pull request and found the below:


Contributor

github-actions bot commented Oct 3, 2024

{InsecureSkipVerify: true}

at artifactory_test.go (line 1770)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding

High
Insecure TLS Configuration
Full description

Overview

Insecure TLS Configuration is a type of vulnerability that occurs when an
application uses weak or outdated cryptographic protocols, ciphers, or
configurations for secure communication over the network.

Vulnerable example

package main

import (
    "crypto/tls"
)

func main() {}

func insecureMinMaxTlsVersion() {
    {
        // literal 0: no floor is pinned, the Go release's default applies
        config := &tls.Config{}
        config.MinVersion = 0
    }
    {
        // explicit SSL 3.0 floor
        config := &tls.Config{}
        config.MinVersion = tls.VersionSSL30
    }
    {
        // SSL 3.0 ceiling: nothing newer can be negotiated
        config := &tls.Config{}
        config.MaxVersion = tls.VersionSSL30
    }
    {
        // MinVersion left unset entirely
        config := &tls.Config{}
        _ = config // keeps the block compiling ("declared and not used")
    }
}

func insecureCipherSuites() {
    // RC4 is a broken stream cipher; crypto/tls lists this suite as insecure
    config := &tls.Config{
        CipherSuites: []uint16{
            tls.TLS_RSA_WITH_RC4_128_SHA,
        },
    }
    _ = config
}

In this example, the MinVersion field is set to tls.VersionSSL30, which
uses the outdated SSL 3.0 protocol, making the application vulnerable to
attacks such as POODLE.

Remediation

package main

import (
    "crypto/tls"
)

func main() {}

func insecureMinMaxTlsVersion() {
    {
        config := &tls.Config{}
-       config.MinVersion = 0
+       config.MinVersion = tls.VersionTLS12
    }
    {
        config := &tls.Config{}
-       config.MinVersion = tls.VersionSSL30
+       config.MinVersion = tls.VersionTLS12
    }
    {
        config := &tls.Config{}
-       config.MaxVersion = tls.VersionSSL30
    }
    {
-       config := &tls.Config{}
+       config := &tls.Config{MinVersion: tls.VersionTLS12}
    }
}
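Review bot: the last two blocks of this function no longer compile as written: after `config.MaxVersion = tls.VersionSSL30` is deleted, `config := &tls.Config{}` has no further use, and `config := &tls.Config{MinVersion: tls.VersionTLS12}` is likewise never read, so Go rejects both with "declared and not used". Either drop those blocks from the remediation or add a `_ = config` the way insecureCipherSuites does. The `MinVersion = 0` to `tls.VersionTLS12` change is the part to keep: a zero MinVersion means crypto/tls picks its own default, which has moved between Go releases, so pinning it is what makes the floor auditable; and removing the MaxVersion assignment rather than raising it is right, since a zero MaxVersion lets the library negotiate up to TLS 1.3.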

func insecureCipherSuites() {
    config := &tls.Config{
        CipherSuites: []uint16{
-           tls.TLS_RSA_WITH_RC4_128_SHA,
+           tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        },
+       MinVersion: tls.VersionTLS12,
    }
    _ = config
}
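Review bot: a one-element CipherSuites list is a fragile form of hardening. It only governs TLS 1.2 and earlier (crypto/tls does not let callers configure TLS 1.3 suites), and any peer that cannot use TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, for example one presenting an ECDSA certificate, will fail the handshake outright. Prefer leaving CipherSuites nil so the library's vetted defaults apply, or build the list from tls.CipherSuites(), which already excludes everything in tls.InsecureCipherSuites() including the RC4 suite removed here. The `MinVersion: tls.VersionTLS12` line is the change that actually raises the bar.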

By using safe TLS versions (e.g., tls.VersionTLS12) and secure cipher suites we can
mitigate the risk of insecure TLS configurations and improve the security of the
application.
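
Added example, not code from this PR or from Frogbot's report: a small Go audit that checks a *tls.Config for the weaknesses the finding above enumerates (an unset or sub-1.2 MinVersion, a MaxVersion cap below 1.2, and any suite crypto/tls itself lists in tls.InsecureCipherSuites(), which covers the RC4 suite named above), together with a hardened constructor that passes the audit. It goes slightly beyond the page by also flagging InsecureSkipVerify, the second finding in this thread. AuditTLSConfig, HardenedTLSConfig and versionName are my own names, not a crypto/tls or gosec API.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// versionName renders a TLS version constant for a finding message.
func versionName(v uint16) string {
	switch v {
	case tls.VersionSSL30:
		return "SSL 3.0"
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

// AuditTLSConfig returns one finding per weakness it sees in cfg. An empty
// result means the config pins a TLS 1.2 floor, sets no ceiling below it,
// lists no suite crypto/tls considers broken, and keeps verification on.
func AuditTLSConfig(cfg *tls.Config) []string {
	if cfg == nil {
		return []string{"nil *tls.Config: library defaults apply and no version floor is pinned"}
	}
	var findings []string
	switch {
	case cfg.MinVersion == 0:
		findings = append(findings, "MinVersion unset: the floor is whatever this Go release defaults to, not a pinned TLS 1.2")
	case cfg.MinVersion < tls.VersionTLS12:
		findings = append(findings, "MinVersion "+versionName(cfg.MinVersion)+" is below TLS 1.2")
	}
	if cfg.MaxVersion != 0 && cfg.MaxVersion < tls.VersionTLS12 {
		findings = append(findings, "MaxVersion "+versionName(cfg.MaxVersion)+" caps negotiation below TLS 1.2")
	}
	// crypto/tls publishes the suites it considers insecure (RC4, CBC-SHA256, ...);
	// use that list rather than maintaining a private one.
	insecure := make(map[uint16]string)
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = s.Name
	}
	for _, id := range cfg.CipherSuites {
		if name, bad := insecure[id]; bad {
			findings = append(findings, "insecure cipher suite "+name)
		}
	}
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify: certificate validation disabled")
	}
	return findings
}

// HardenedTLSConfig builds a config that passes AuditTLSConfig: TLS 1.2 floor,
// no ceiling (so TLS 1.3 is allowed), and for TLS 1.2 only ECDHE suites with
// an AEAD cipher, taken from the library's own secure list.
func HardenedTLSConfig() *tls.Config {
	var suites []uint16
	for _, s := range tls.CipherSuites() {
		if strings.HasPrefix(s.Name, "TLS_ECDHE_") &&
			(strings.Contains(s.Name, "_GCM_") || strings.Contains(s.Name, "CHACHA20")) {
			suites = append(suites, s.ID)
		}
	}
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: suites, // governs TLS 1.2 only; TLS 1.3 suites are fixed by crypto/tls
	}
}

func main() {
	// constructed weak config mirroring the finding above
	weak := &tls.Config{
		MinVersion:   tls.VersionSSL30,
		CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA},
	}
	for _, f := range AuditTLSConfig(weak) {
		fmt.Println("weak:", f)
	}
	fmt.Println("hardened findings:", len(AuditTLSConfig(HardenedTLSConfig())))
}
```

Running it lists two findings for the weak config (the SSL 3.0 floor and the RC4 suite) and none for the hardened one. The audit deliberately treats an unset MinVersion as a finding even though recent Go releases default to TLS 1.2, because a pinned floor survives a toolchain downgrade and is what a scanner like gosec G402 can verify statically.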


Contributor

github-actions bot commented Oct 3, 2024

tr

at artifactory_test.go (line 1797)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding

High
Improper Certificate Validation
Full description

Overview

Improper certificate validation is a type of vulnerability that occurs when
an application does not properly validate the authenticity of a certificate
presented by a remote server.

Vulnerable example

package main

import (
    "crypto/tls"
    "net/http"
)

func main() {}

// doReq disables certificate validation for every request it sends: any
// server that completes a TLS handshake is accepted, whoever issued its certificate.
func doReq(req *http.Request) *http.Response {
    tr := &http.Transport{
        TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
    }
    client := &http.Client{Transport: tr}
    res, _ := client.Do(req) // the error is dropped too, so a failed request yields a nil response
    return res
}

In this example, the InsecureSkipVerify field is set to true, which
disables certificate validation, making the application vulnerable.

Remediation

tr := &http.Transport{
-    TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+    TLSClientConfig: &tls.Config{InsecureSkipVerify: false},
}
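Review bot: flipping InsecureSkipVerify to false is only half a remediation here. The code flow in this comment shows `tr` is built under a `#nosec G402 jfrog-ignore - false positive` comment in artifactory_test.go and reused at line 1797, so this is a test client that evidently talks to an endpoint whose certificate the default trust store does not accept; with verification re-enabled and nothing else changed, client.Do will fail with a certificate error that the sample then discards via `res, _ :=`. The change that keeps verification on and still works is to trust the specific test certificate: set RootCAs to an x509.CertPool containing it (or pin it with VerifyPeerCertificate), and check the error returned by client.Do instead of ignoring it.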

By setting InsecureSkipVerify to false, the application will validate
the authenticity of the certificate presented by the remote server.

Code Flows
Vulnerable data flow analysis result

↘️ { //#nosec G402 jfrog-ignore - false positive TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, } (at artifactory_test.go line 1768)

↘️ tr (at artifactory_test.go line 1768)

↘️ tr (at artifactory_test.go line 1797)
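
Added example, my own code rather than the project's test or Frogbot's suggestion, showing the alternative the remediation above stops short of: leave InsecureSkipVerify at its false default and instead give the client a RootCAs pool holding the test server's own self-signed certificate. It uses net/http/httptest to start an HTTPS server on loopback with a generated certificate, so it runs offline; Demo, clientWithRoots, newSelfSignedServer and get are names I chose.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// newSelfSignedServer starts an HTTPS server on loopback using the self-signed
// certificate httptest generates. Its issuer is in no trust store, which is the
// situation that usually tempts a test author into InsecureSkipVerify: true.
func newSelfSignedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "ok")
	}))
}

// clientWithRoots builds a client whose TLS verification stays on (the
// InsecureSkipVerify zero value) and whose trust anchors are exactly roots.
// A nil pool means the system store, which is what "InsecureSkipVerify: false"
// alone gives you.
func clientWithRoots(roots *x509.CertPool) *http.Client {
	return &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				MinVersion: tls.VersionTLS12,
				RootCAs:    roots,
			},
		},
	}
}

// get performs a GET and returns the status code, or the transport error.
// Unlike the vulnerable sample above, the error is surfaced rather than dropped.
func get(c *http.Client, url string) (int, error) {
	res, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	defer res.Body.Close()
	_, _ = io.Copy(io.Discard, res.Body)
	return res.StatusCode, nil
}

// Demo runs two verifying clients against the same self-signed server: one
// trusting only the system store (fails), one trusting the test certificate
// as its sole root (succeeds). It also reports whether the failure is the
// x509 unknown-authority error a reviewer should expect to see.
func Demo() (untrustedErr error, unknownAuthority bool, trustedStatus int, trustedErr error) {
	srv := newSelfSignedServer()
	defer srv.Close()

	_, untrustedErr = get(clientWithRoots(nil), srv.URL)
	var uae x509.UnknownAuthorityError
	unknownAuthority = errors.As(untrustedErr, &uae)

	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // pin the one certificate the test server uses
	trustedStatus, trustedErr = get(clientWithRoots(pool), srv.URL)
	return
}

func main() {
	untrustedErr, unknownAuthority, status, trustedErr := Demo()
	fmt.Printf("system roots only: err=%v (unknown authority: %t)\n", untrustedErr, unknownAuthority)
	fmt.Printf("test cert pinned:  status=%d err=%v\n", status, trustedErr)
}
```

The first client reproduces what the remediation above produces on its own: verification is on, the self-signed certificate is rejected, and a test that discards the error would silently get a nil response. The second client is what a test should do instead; httptest's srv.Client() is a ready-made version of the same idea. Scoping trust to a pool that contains only the test certificate is also stricter than the system store, which is a reasonable property for a test fixture.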


@eyalbe4 eyalbe4 merged commit 5afa2a5 into jfrog:dev Oct 6, 2024
13 of 14 checks passed