
[security vulnerability]: GO (Go) Security Update for golang.org/x/net/http2 (GHSA-4v7x-pqxf-cx7m) #979

Closed
SRodi opened this issue Nov 11, 2024 · 3 comments
Assignees: xiaozhiche320
Labels: area/dependencies, dependencies, lang/go, type/fix

Comments

SRodi (Member) commented Nov 11, 2024

Issue

net/http, x/net/http2: close connections when receiving too many headers

Reference

GHSA-4v7x-pqxf-cx7m

SRodi added the area/dependencies, dependencies, lang/go and type/fix labels on Nov 11, 2024
xiaozhiche320 self-assigned this on Nov 11, 2024
SRodi (Member, Author) commented Nov 12, 2024

Run trivy scan for retina images on linux-amd64 - no vulnerabilities based on latest upstream/main commit

❯ trivy image  ghcr.io/srodi/retina/retina-operator:v0.0.16-151-g7988580-linux-amd64
2024-11-12T11:44:16Z    INFO    [vuln] Vulnerability scanning is enabled
2024-11-12T11:44:16Z    INFO    [secret] Secret scanning is enabled
2024-11-12T11:44:16Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-12T11:44:16Z    INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-12T11:44:17Z    INFO    Detected OS     family="cbl-mariner" version="2.0"
2024-11-12T11:44:17Z    INFO    [cbl-mariner] Detecting vulnerabilities...      os_version="2.0" pkg_num=5
2024-11-12T11:44:17Z    INFO    Number of language-specific files       num=1
2024-11-12T11:44:17Z    INFO    [gobinary] Detecting vulnerabilities...

ghcr.io/srodi/retina/retina-operator:v0.0.16-151-g7988580-linux-amd64 (cbl-mariner 2.0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


❯ trivy image ghcr.io/srodi/retina/retina-init:v0.0.16-151-g7988580-linux-amd64
2024-11-12T11:47:47Z    INFO    [vuln] Vulnerability scanning is enabled
2024-11-12T11:47:47Z    INFO    [secret] Secret scanning is enabled
2024-11-12T11:47:47Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-12T11:47:47Z    INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-12T11:47:49Z    INFO    Detected OS     family="cbl-mariner" version="2.0"
2024-11-12T11:47:49Z    INFO    [cbl-mariner] Detecting vulnerabilities...      os_version="2.0" pkg_num=5
2024-11-12T11:47:49Z    INFO    Number of language-specific files       num=1
2024-11-12T11:47:49Z    INFO    [gobinary] Detecting vulnerabilities...

ghcr.io/srodi/retina/retina-init:v0.0.16-151-g7988580-linux-amd64 (cbl-mariner 2.0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


❯ trivy image ghcr.io/srodi/retina/retina-agent:v0.0.16-151-g7988580-linux-amd64
2024-11-12T11:49:13Z    INFO    [vuln] Vulnerability scanning is enabled
2024-11-12T11:49:13Z    INFO    [secret] Secret scanning is enabled
2024-11-12T11:49:13Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-12T11:49:13Z    INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-12T11:49:16Z    INFO    Detected OS     family="cbl-mariner" version="2.0"
2024-11-12T11:49:16Z    INFO    [cbl-mariner] Detecting vulnerabilities...      os_version="2.0" pkg_num=5
2024-11-12T11:49:16Z    INFO    Number of language-specific files       num=3
2024-11-12T11:49:16Z    INFO    [gobinary] Detecting vulnerabilities...

ghcr.io/srodi/retina/retina-agent:v0.0.16-151-g7988580-linux-amd64 (cbl-mariner 2.0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

kamilprz (Contributor) commented Nov 12, 2024

Trivy scan results - running on images with tag 4f3dcb5

RETINA AGENT - https://github.com/microsoft/retina/pkgs/container/retina%2Fretina-agent/304246198?tag=4f3dcb5

LINUX/AMD64

 ~/src/repos/retina $  trivy image ghcr.io/microsoft/retina/retina-agent:4f3dcb5@sha256:4847b61c4efaacaaa3ee3b328d5699f020b4d7d358db24dd99c6dad1b34d794b
2024-11-12T12:30:15Z    INFO    [vulndb] Need to update DB
2024-11-12T12:30:15Z    INFO    [vulndb] Downloading vulnerability DB...
2024-11-12T12:30:15Z    INFO    [vulndb] Downloading artifact...        repo="ghcr.io/aquasecurity/trivy-db:2"
55.39 MiB / 55.39 MiB [-----------------------------------------------------------------------------------------------------------] 100.00% 5.27 MiB p/s 11s
2024-11-12T12:30:27Z    INFO    [vulndb] Artifact successfully downloaded       repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-12T12:30:27Z    INFO    [vuln] Vulnerability scanning is enabled
2024-11-12T12:30:27Z    INFO    [secret] Secret scanning is enabled
2024-11-12T12:30:27Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-12T12:30:27Z    INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-12T12:30:33Z    INFO    Detected OS     family="cbl-mariner" version="2.0"
2024-11-12T12:30:33Z    INFO    [cbl-mariner] Detecting vulnerabilities...      os_version="2.0" pkg_num=5
2024-11-12T12:30:33Z    INFO    Number of language-specific files       num=3
2024-11-12T12:30:33Z    INFO    [gobinary] Detecting vulnerabilities...

ghcr.io/microsoft/retina/retina-agent:4f3dcb5@sha256:4847b61c4efaacaaa3ee3b328d5699f020b4d7d358db24dd99c6dad1b34d794b (cbl-mariner 2.0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

LINUX/ARM64

 ~/src/repos/retina $  trivy image ghcr.io/microsoft/retina/retina-agent:4f3dcb5@sha256:d1d7328b1275c6e0bcd27ac93a8c9034237bf7c66274a787abb3537ce5d25a0b
2024-11-12T12:33:03Z    INFO    [vuln] Vulnerability scanning is enabled
2024-11-12T12:33:03Z    INFO    [secret] Secret scanning is enabled
2024-11-12T12:33:03Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-12T12:33:03Z    INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-12T12:33:09Z    INFO    Detected OS     family="cbl-mariner" version="2.0"
2024-11-12T12:33:09Z    INFO    [cbl-mariner] Detecting vulnerabilities...      os_version="2.0" pkg_num=5
2024-11-12T12:33:09Z    INFO    Number of language-specific files       num=3
2024-11-12T12:33:09Z    INFO    [gobinary] Detecting vulnerabilities...

ghcr.io/microsoft/retina/retina-agent:4f3dcb5@sha256:d1d7328b1275c6e0bcd27ac93a8c9034237bf7c66274a787abb3537ce5d25a0b (cbl-mariner 2.0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

WINDOWS/AMD64

PS C:\Users\kamilp> trivy image --debug ghcr.io/microsoft/retina/retina-agent:4f3dcb5@sha256:482f6e5b841ef17da742c2c06fd048b888cc97a5b5b52e22275f9d93620ba726
2024-11-12T13:25:47Z    DEBUG   No plugins loaded
2024-11-12T13:25:47Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2024-11-12T13:25:47Z    DEBUG   Cache dir       dir="C:\\Users\\kamilp\\AppData\\Local\\trivy"
2024-11-12T13:25:47Z    DEBUG   Cache dir       dir="C:\\Users\\kamilp\\AppData\\Local\\trivy"
2024-11-12T13:25:47Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-11-12T13:25:47Z    DEBUG   Ignore statuses statuses=[]
2024-11-12T13:25:47Z    DEBUG   DB update was skipped because the local DB is the latest
2024-11-12T13:25:47Z    DEBUG   DB info schema=2 updated_at=2024-11-12T12:17:49.02979874Z next_update=2024-11-13T12:17:49.029798369Z downloaded_at=2024-11-12T13:22:51.4222335Z
2024-11-12T13:25:47Z    DEBUG   [pkg] Package types     types=[os library]
2024-11-12T13:25:47Z    DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2024-11-12T13:25:47Z    INFO    [vuln] Vulnerability scanning is enabled
2024-11-12T13:25:47Z    INFO    [secret] Secret scanning is enabled
2024-11-12T13:25:47Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-12T13:25:47Z    INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-12T13:25:47Z    DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-11-12T13:25:47Z    DEBUG   Initializing scan cache...      type="fs"
2024-11-12T13:25:47Z    DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-11-12T13:25:47Z    DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-11-12T13:25:47Z    DEBUG   [image] Detected image ID       image_id="sha256:329fa344188b136af1c4c9ddc83dfc79cca581ae1e23201e65829b14cf30d37e"
2024-11-12T13:25:47Z    DEBUG   [image] Detected diff ID        diff_ids=[sha256:da2d874340bd0ca5f710fcb2bb9abc7423e71287e9f2b87694767375272e797d sha256:b95bb9177b7bd79ff392ee56ab21e602343779e68882b471e0550cdabc7344e0 sha256:d3b453ef623c1d451c919c7c6cdb9e31f802d6a29d77239cb7de894055545865 sha256:d7d2f166d6b226e46f764ff09321a3f5aa543906820c97e3c60da018abd194d7 sha256:2a4cd292eaa65567b4ef7bdef92865719e5209cc2416b3aa60f97169d7c1c11e sha256:e997e073e23a0e67d566fc8e7976d7dba2c4330979b70cce27baf7c7a3e557b2 sha256:4549d0bd635bfd3b68215eb7f411b3fe6633fec120a6433345f25ea88d94bc43]
2024-11-12T13:25:47Z    DEBUG   [image] Detected base layers    diff_ids=[]
2024-11-12T13:25:47Z    DEBUG   OS is not detected.
2024-11-12T13:25:47Z    DEBUG   Detected OS: unknown
2024-11-12T13:25:47Z    INFO    Number of language-specific files       num=2
2024-11-12T13:25:47Z    INFO    [gobinary] Detecting vulnerabilities...
2024-11-12T13:25:47Z    DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="Files/controller.exe"
2024-11-12T13:25:47Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="github.com/microsoft/retina"
2024-11-12T13:25:47Z    DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="Files/captureworkload.exe"
2024-11-12T13:25:47Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="github.com/microsoft/retina"
2024-11-12T13:25:47Z    DEBUG   [vex] VEX filtering is disabled

RETINA INIT - https://github.com/microsoft/retina/pkgs/container/retina%2Fretina-init/304246209?tag=4f3dcb5

LINUX/AMD64

 ~/src/repos/retina $  trivy image ghcr.io/microsoft/retina/retina-init:4f3dcb5@sha256:d91f7a64fd0562afcedb29b0c056bec88a83b8d253656b606b09ad61b640e9ad
2024-11-12T12:40:37Z    INFO    [vuln] Vulnerability scanning is enabled
2024-11-12T12:40:37Z    INFO    [secret] Secret scanning is enabled
2024-11-12T12:40:37Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-12T12:40:37Z    INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-12T12:40:38Z    INFO    Detected OS     family="cbl-mariner" version="2.0"
2024-11-12T12:40:38Z    INFO    [cbl-mariner] Detecting vulnerabilities...      os_version="2.0" pkg_num=5
2024-11-12T12:40:38Z    INFO    Number of language-specific files       num=1
2024-11-12T12:40:38Z    INFO    [gobinary] Detecting vulnerabilities...

ghcr.io/microsoft/retina/retina-init:4f3dcb5@sha256:d91f7a64fd0562afcedb29b0c056bec88a83b8d253656b606b09ad61b640e9ad (cbl-mariner 2.0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

LINUX/ARM64

 ~/src/repos/retina $  trivy image ghcr.io/microsoft/retina/retina-init:4f3dcb5@sha256:79f851e498909042a8b9abb133f096423e842cf840d195958514a946f1b496b5
2024-11-12T12:41:35Z    INFO    [vuln] Vulnerability scanning is enabled
2024-11-12T12:41:35Z    INFO    [secret] Secret scanning is enabled
2024-11-12T12:41:35Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-12T12:41:35Z    INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-12T12:41:36Z    INFO    Detected OS     family="cbl-mariner" version="2.0"
2024-11-12T12:41:36Z    INFO    [cbl-mariner] Detecting vulnerabilities...      os_version="2.0" pkg_num=5
2024-11-12T12:41:36Z    INFO    Number of language-specific files       num=1
2024-11-12T12:41:36Z    INFO    [gobinary] Detecting vulnerabilities...

ghcr.io/microsoft/retina/retina-init:4f3dcb5@sha256:79f851e498909042a8b9abb133f096423e842cf840d195958514a946f1b496b5 (cbl-mariner 2.0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

RETINA OPERATOR - https://github.com/microsoft/retina/pkgs/container/retina%2Fretina-operator/304243743?tag=4f3dcb5

LINUX/AMD64

 ~/src/repos/retina $  trivy image ghcr.io/microsoft/retina/retina-operator:4f3dcb5@sha256:5d186723f2fd5b455fd1ec587f3949bc387d88098f1d980d8dfe1b341d249204
2024-11-12T12:42:23Z    INFO    [vuln] Vulnerability scanning is enabled
2024-11-12T12:42:23Z    INFO    [secret] Secret scanning is enabled
2024-11-12T12:42:23Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-12T12:42:23Z    INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-12T12:42:24Z    INFO    Detected OS     family="cbl-mariner" version="2.0"
2024-11-12T12:42:24Z    INFO    [cbl-mariner] Detecting vulnerabilities...      os_version="2.0" pkg_num=5
2024-11-12T12:42:24Z    INFO    Number of language-specific files       num=1
2024-11-12T12:42:24Z    INFO    [gobinary] Detecting vulnerabilities...

ghcr.io/microsoft/retina/retina-operator:4f3dcb5@sha256:5d186723f2fd5b455fd1ec587f3949bc387d88098f1d980d8dfe1b341d249204 (cbl-mariner 2.0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
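All of the scans above depend on trivy's gobinary scanner, which reads the module list that the Go linker embeds in every Go binary; the Windows run shows the limit of that approach when it skips github.com/microsoft/retina because the main module carries no version. The Go program below is an added example, neither retina nor trivy code: it reads the same embedded build info (from a binary given on the command line, or from a constructed sample when run without arguments) and reports whether golang.org/x/net is linked at or above a required version. The issue does not state the x/net version that fixes GHSA-4v7x-pqxf-cx7m, so fixedXNetVersion is a placeholder, and every module path and version in the sample is constructed.

```go
// Added example (not retina or trivy code): judge a Go binary's embedded module list.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// PLACEHOLDER: the issue cites GHSA-4v7x-pqxf-cx7m but not the x/net version that fixes
// it; substitute the advisory's fixed version before trusting a verdict.
const fixedXNetVersion = "v0.0.0"

type DepStatus string

const (
	DepMissing        DepStatus = "missing"         // module not linked into the binary
	DepUnknownVersion DepStatus = "unknown-version" // "(devel)" or no version: trivy skips these too
	DepVulnerable     DepStatus = "VULNERABLE"      // linked version is below the fixed version
	DepFixed          DepStatus = "fixed"           // linked version is at or above the fixed version
)

// semverKey turns "vMAJOR.MINOR.PATCH[-pre][+build]" into a string that sorts the way the
// version does; ok is false for anything that is not a semantic version, e.g. "(devel)".
func semverKey(v string) (key string, ok bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // "+build" metadata never affects ordering
	v, _, pre := strings.Cut(v, "-")
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return "", false
	}
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return "", false
		}
		key += fmt.Sprintf("%08d.", n) // zero-padded so string order equals numeric order
	}
	if pre { // a "-pre" suffix (pseudo-versions included) sorts below the release it names
		return key + "0", true
	}
	return key + "1", true
}

// checkDep finds modPath in the build info (main module included) and compares the version
// that was actually linked against fixedVersion; a replace directive substitutes its target.
func checkDep(bi *debug.BuildInfo, modPath, fixedVersion string) (DepStatus, string) {
	var found *debug.Module
	for _, d := range append([]*debug.Module{&bi.Main}, bi.Deps...) {
		if d.Path == modPath {
			if found = d; d.Replace != nil {
				found = d.Replace
			}
			break
		}
	}
	if found == nil {
		return DepMissing, ""
	}
	have, okHave := semverKey(found.Version)
	want, okWant := semverKey(fixedVersion)
	switch {
	case !okHave || !okWant: // the case trivy logs as "no version is detected for the package"
		return DepUnknownVersion, found.Version
	case have < want:
		return DepVulnerable, found.Version
	}
	return DepFixed, found.Version
}

// sampleBuildInfo is constructed data, not read from any retina image.
func sampleBuildInfo() *debug.BuildInfo {
	return &debug.BuildInfo{
		Main: debug.Module{Path: "example.com/app", Version: "(devel)"},
		Deps: []*debug.Module{
			{Path: "golang.org/x/net", Version: "v0.22.0"},
			{Path: "golang.org/x/sys", Version: "v0.18.0", Replace: &debug.Module{Path: "example.com/sys-fork", Version: "v0.30.0"}},
		},
	}
}

func main() {
	bi := sampleBuildInfo() // no argument: run on the constructed sample
	if len(os.Args) > 1 {   // argument: any Go executable, e.g. one copied out of a container image
		var err error
		if bi, err = buildinfo.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, "error:", err)
			os.Exit(2)
		}
	}
	status, ver := checkDep(bi, "golang.org/x/net", fixedXNetVersion)
	fmt.Printf("%s: golang.org/x/net %q is %s (fixed in %s)\n", bi.Main.Path, ver, status, fixedXNetVersion)
	if status == DepVulnerable {
		os.Exit(1) // non-zero exit lets CI gate on the verdict
	}
}
```

Run it as `go run main.go /path/to/retina-agent` on a binary copied out of an image. It exits 1 for a vulnerable version so a CI job can fail on it, and it reports "(devel)" or an empty version (a directory replace) as unknown rather than fixed, which is the same gap trivy flags for the main module above. Pseudo-versions sort below the release they are named after, so a v0.23.1-0.2024… pseudo-version is never mistaken for v0.23.1.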

xiaozhiche320 (Contributor) commented

This issue will close since there is no vulnerability issue here

No branches or pull requests

3 participants