Trivy and Grype findings

[sblatnick]

The following vulnerabilities have been detected in /root/.local/share/gh/extensions/gh-token/gh-token:

CVE	Severity
CVE-2023-24531	Critical/9.8, 0.04%
CVE-2023-24538	Critical/9.8, 0.74%
CVE-2023-24540	Critical/9.8, 0.28%
CVE-2023-29402	Critical/9.8, 0.85%
CVE-2024-24790	Critical/9.8, 0.06%
CVE-2023-29405	Critical/9.8, 0.69%
CVE-2023-29404	Critical/9.8, 0.83%
CVE-2024-24784	High/7.5, 0.04%
CVE-2023-24536	High/7.5, 0.82%
CVE-2023-24534	High/7.5, 0.35%
CVE-2023-39325	High/7.5, 0.36%
CVE-2023-24537	High/7.5, 0.17%
CVE-2023-45283	High/7.5, 0.17%
CVE-2022-41723	High/7.5, 4.18%
CVE-2022-41722	High/7.5, 0.17%
CVE-2023-44487	High/7.5, 83.78%
CVE-2022-41725	High/7.5, 0.21%
CVE-2023-29400	High/7.3, 0.15%
CVE-2023-29403	High/7.8, 0.09%
CVE-2023-24539	High/7.3, 0.15%
CVE-2022-41724	High/7.5, 0.2%
CVE-2024-24791	High/7.5, 0.04%
CVE-2023-45287	High/7.5, 0.08%
CVE-2023-39323	High/8.1, 0.38%
CVE-2023-45285	High/7.5, 0.07%
CVE-2024-34156	High/7.5, 0.04%
CVE-2023-45288	High/7.5, 0.04%
CVE-2024-34158	High/7.5, 0.04%

[Link-]

Spam.

[sblatnick]

Definitely not spam! I scanned it using Trivy, and it said all these things were a problem. If they are false positives, please let me know.

[Link-]

Sorry @sblatnick - I didn't find how these apply to this code. Could you run the scan again and share with me the results after this latest release?

Also, it would be great if the scans show the line numbers & code references that flagged these issues.

[sblatnick]

Thanks! I'll try to dig up the details.

[sblatnick]

These results came from scanning an image. All results are in a binary file, so giving the line number is not really possible.

The file is ~/.local/share/gh/extensions/gh-token/gh-token

Findings come from either Trivy or Grype scans.

I am pretty busy today, so further details may have to wait until later this week. I hope this helps.

[Link-]

Hmm.. I already have codeql running on the source & it has not flagged any issues 🤔 what this extension does is pretty straight forward so I'm not overly concerned. When you have information I can act on, I'll take a look and see what's reasonable to deal with.

[sblatnick]

I see that you updated Go from 1.20 to 1.23.4 on Jan 11, which actually remediated the majority of these findings. There are only 2 remaining. Both appear to be waiting on Go to fix. Once available, you should be able to remediate by simply updating your go.mod to the patched/fixed version.

Here are the remaining findings (output from our tooling):

CVE-2023-45287

Description
Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.

Artifacts
This vulnerability was discovered in the following artifacts.

Type	Name	Version	False Positive	File Path
Go Library	stdlib	v1.18.10	No	/root/.local/share/gh/extensions/gh-token/gh-token

More Details

• https://staff.apps-staging.va.gov/flexline/containers/repositories/findings/52451323
• https://avd.aquasec.com/nvd/cve-2023-45287
• https://access.redhat.com/errata/RHSA-2024:2272
• https://access.redhat.com/security/cve/CVE-2023-45287
• https://bugzilla.redhat.com/2253193
• https://bugzilla.redhat.com/2253330
• https://errata.almalinux.org/9/ALSA-2024-2272.html
• https://go.dev/cl/326012/26
• https://go.dev/issue/20654
• https://groups.google.com/g/golang-announce/c/QMK8IQALDvA
• https://linux.oracle.com/cve/CVE-2023-45287.html
• https://linux.oracle.com/errata/ELSA-2024-2988.html
• https://nvd.nist.gov/vuln/detail/CVE-2023-45287
• https://people.redhat.com/~hkario/marvin
• https://pkg.go.dev/vuln/GO-2023-2375
• https://security.netapp.com/advisory/ntap-20240112-0005/
• https://www.cve.org/CVERecord?id=CVE-2023-45287

CVE-2023-44487

Description
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Artifacts
This vulnerability was discovered in the following artifacts.

Type	Name	Version	False Positive	File Path
Go Library	stdlib	go1.18.10	No	/root/.local/share/gh/extensions/gh-token/gh-token

More Details

• https://staff.apps-staging.va.gov/flexline/containers/repositories/findings/52451359
• https://nvd.nist.gov/vuln/detail/CVE-2023-44487
• http://www.openwall.com/lists/oss-security/2023/10/13/4
• http://www.openwall.com/lists/oss-security/2023/10/13/9
• http://www.openwall.com/lists/oss-security/2023/10/18/4
• http://www.openwall.com/lists/oss-security/2023/10/18/8
• http://www.openwall.com/lists/oss-security/2023/10/19/6
• http://www.openwall.com/lists/oss-security/2023/10/20/8
• https://access.redhat.com/security/cve/cve-2023-44487
• https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
• https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
• https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
• https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
• https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
• https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
• https://blog.vespa.ai/cve-2023-44487/
• https://bugzilla.proxmox.com/show_bug.cgi?id=4988
• https://bugzilla.redhat.com/show_bug.cgi?id=2242803
• https://bugzilla.suse.com/show_bug.cgi?id=1216123
• https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
• https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
• https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack