
Horusec report about vulnerabilities #13791

Open
ErnestK opened this issue Mar 22, 2024 · 5 comments · May be fixed by #13942 or #14024

Comments


ErnestK commented Mar 22, 2024

Issue

Description

Hello,

I've been considering participating in the project and contributing. My attention was drawn to this task, #9975.

I ran horusec-beta on prysm, and the result was a bit different than I expected.

==================================================================================

In this analysis, a total of 60 possible vulnerabilities were found and we classified them into:
Total of Vulnerability CRITICAL is: 18
Total of Vulnerability HIGH is: 22
Total of Vulnerability MEDIUM is: 16
Total of Vulnerability LOW is: 4

==================================================================================

Most vulnerabilities are related to library versions, but they can be fixed.

Are library updates covered by tests?
Should I take on this task?

ps
report attached below

horusec_report.json

prestonvanloon (Member) commented

gm @ErnestK, thanks for this report. I think there are some opportunities here to grab the low hanging fruit.

  • Dependency updates that don't require major code changes in Prysm
  • Adding horusec exclusions for things that are not really issues. (Is there a way to tell horusec to ignore a particular violation? i.e. // horusec: ignore HS-LEAKS-26 )

To make things easier for review, I recommend sending multiple PRs to resolve the issues. I.e. send all minor dependency updates in one PR, any exclusions in another PR, any individual fixes in their own PRs. This makes review easier and makes maintainer bug hunting easier as we could review better scoped commits for issues.

prestonvanloon (Member) commented

@ErnestK are you interested in submitting a PR to resolve some of these reported issues?


ErnestK commented Apr 9, 2024

@prestonvanloon Yes, I will analyze all the issues and endeavor to work on this task.
It would be great to include Horusec in the CI process.


ErnestK commented Apr 25, 2024

@prestonvanloon
I created the first small pull request (PR) with updates to two gems that require no additional work.
Now I'm working on addressing the vulnerabilities from the list, starting with the smallest issues and progressing to the larger ones.


ErnestK commented Apr 25, 2024

I have sorted all vulnerabilities, eliminated duplicates, and ranked them:

  1. Easiest Updates (Simple Updates):

    • Refactoring in docker files, fixing misconfiguration: Horusec: fix docker misconfiguration #13942
    • Update github.com/microcosm-cc/bluemonday from v1.0.1 to v1.0.5 (Minor version increment - patch update), likely straightforward with minimal changes.
    • Update github.com/nats-io/jwt from v0.3.2 to v2.0.1 (Major version jump), but the update might be manageable if backward compatibility is maintained.
    • Update github.com/dgrijalva/jwt-go from v3.2.0 to 4.0.0-preview1
    • Update github.com/go-yaml/yaml from v2.1.0 to v2.2.4
    • Update google.golang.org/protobuf from v1.32.0 to v1.33.0 (Incremental version change - minor update), typically safe with minimal impact. Horusec-13791: update protobuf to 1.33 secure version #14024
    • Update golang.org/x/net from v0.21.0 to v0.23.0 (Incremental version change - minor update), may require compatibility checks but generally straightforward. Horusec: bump protobuf and net package #13912
  2. Moderate Updates (Intermediate Updates):

    • Update github.com/aws/aws-sdk-go from v1.27.0 to v1.34.0 (Moderate version increment - minor update), potentially introducing new features or adjustments.
    • Update github.com/nats-io/nats-server/v2 from v2.1.2 to v2.7.2 (Incremental version change - minor update), possibly including enhancements or bug fixes.
    • Update github.com/buger/jsonparser from v0.0.0-20181115193947-bf1c66bbce23 to v1.1.1 (Major version transition - breaking change), may require code adjustments and thorough testing.
  3. Complex Updates (Challenging Updates):

    • Update go.etcd.io/etcd from v0.0.0-20191023171146-3cf2f69b5738 to v3.4.10 (Major version jump - breaking change), likely involving significant updates and compatibility considerations.
    • Update github.com/elazarl/goproxy from v0.0.0-20180725130230-947c36da3153 to v0.0.0-20230731152917-f99041a5c027 (Major version transition - breaking change), potentially requiring substantial refactoring.
    • Update github.com/labstack/echo/v4 from v4.2.1 to v4.9.0 (Incremental version change - minor update), may introduce new features or adjustments.
    • Update github.com/emicklei/go-restful from v0.0.0-20170410110728-ff4f55a20633 to v2.16.0 (Major version jump - breaking change), likely requiring significant code updates and testing.
  4. Putting it All Together:

    • Configure the tool to ignore false positives (such as passwords in tests).
    • Enable Horusec in CI (Continuous Integration).
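The triage described in this comment (deduplicating the scanner output, dropping findings accepted as false positives such as passwords in test fixtures, and ranking the rest by severity) can be scripted so that it is repeatable in CI rather than done by hand. The Go program below is an added example written for this thread; it is not code from Prysm or from Horusec. The JSON field names it reads (`analysisVulnerabilities`, `vulnerabilities`, `severity`, `file`, `line`, `rule_id`, `vulnHash`) are an assumption about the report layout and should be checked against a real `horusec_report.json` before use; the embedded sample report and its rule IDs other than HS-LEAKS-26 (which prestonvanloon mentions above) are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Finding is one scanner result. The JSON tags are an ASSUMPTION about the
// Horusec report layout, not a verified schema.
type Finding struct {
	Severity string `json:"severity"`
	File     string `json:"file"`
	Line     string `json:"line"`
	RuleID   string `json:"rule_id"`
	VulnHash string `json:"vulnHash"`
	Details  string `json:"details"`
}

type analysisEntry struct {
	Vulnerability Finding `json:"vulnerabilities"`
}

type report struct {
	AnalysisVulnerabilities []analysisEntry `json:"analysisVulnerabilities"`
}

// severityRank orders the four levels that appear in the scan summary above.
var severityRank = map[string]int{"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

// rankOf places unknown severities after LOW instead of silently at the top.
func rankOf(s string) int {
	if r, ok := severityRank[s]; ok {
		return r
	}
	return len(severityRank)
}

// ParseReport decodes the report and returns the flat list of findings.
func ParseReport(data []byte) ([]Finding, error) {
	var r report
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, err
	}
	out := make([]Finding, 0, len(r.AnalysisVulnerabilities))
	for _, e := range r.AnalysisVulnerabilities {
		out = append(out, e.Vulnerability)
	}
	return out, nil
}

// Dedupe drops findings whose vulnHash was already seen, keeping the first.
func Dedupe(fs []Finding) []Finding {
	seen := make(map[string]bool)
	var out []Finding
	for _, f := range fs {
		if seen[f.VulnHash] {
			continue
		}
		seen[f.VulnHash] = true
		out = append(out, f)
	}
	return out
}

// Exclude removes findings for rule IDs the team has accepted as false positives
// and findings under path prefixes (e.g. test fixtures) it has chosen to skip.
// Keeping this list explicit in code is the reviewable alternative to silently
// ignoring scanner output.
func Exclude(fs []Finding, ignoredRules map[string]bool, ignoredPrefixes []string) []Finding {
	var out []Finding
	for _, f := range fs {
		if ignoredRules[f.RuleID] {
			continue
		}
		skip := false
		for _, p := range ignoredPrefixes {
			if strings.HasPrefix(f.File, p) {
				skip = true
				break
			}
		}
		if !skip {
			out = append(out, f)
		}
	}
	return out
}

// Rank sorts CRITICAL first, then HIGH, MEDIUM, LOW; ties by file, then line.
func Rank(fs []Finding) []Finding {
	out := append([]Finding(nil), fs...)
	sort.SliceStable(out, func(i, j int) bool {
		ri, rj := rankOf(out[i].Severity), rankOf(out[j].Severity)
		if ri != rj {
			return ri < rj
		}
		if out[i].File != out[j].File {
			return out[i].File < out[j].File
		}
		return out[i].Line < out[j].Line
	})
	return out
}

// CountBySeverity produces the per-level totals shown in the scan summary.
func CountBySeverity(fs []Finding) map[string]int {
	c := make(map[string]int)
	for _, f := range fs {
		c[f.Severity]++
	}
	return c
}

// sampleReport is a CONSTRUCTED report: four entries, one of which duplicates
// the first by vulnHash, and one in a test fixture directory.
const sampleReport = `{"analysisVulnerabilities":[
 {"vulnerabilities":{"severity":"HIGH","file":"go.mod","line":"12","rule_id":"RULE-DEP-1","vulnHash":"h1","details":"constructed: outdated dependency"}},
 {"vulnerabilities":{"severity":"CRITICAL","file":"Dockerfile","line":"3","rule_id":"RULE-DOCKER-1","vulnHash":"h2","details":"constructed: container misconfiguration"}},
 {"vulnerabilities":{"severity":"HIGH","file":"go.mod","line":"12","rule_id":"RULE-DEP-1","vulnHash":"h1","details":"constructed: duplicate of the first entry"}},
 {"vulnerabilities":{"severity":"LOW","file":"testing/fixtures/keys.go","line":"8","rule_id":"HS-LEAKS-26","vulnHash":"h3","details":"constructed: secret-looking string in a test fixture"}}
]}`

func main() {
	fs, err := ParseReport([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	fs = Exclude(Dedupe(fs), map[string]bool{"HS-LEAKS-26": true}, []string{"testing/"})
	ranked := Rank(fs)
	counts := CountBySeverity(ranked)
	fmt.Printf("In this analysis, a total of %d possible vulnerabilities were found\n", len(ranked))
	for _, s := range []string{"CRITICAL", "HIGH", "MEDIUM", "LOW"} {
		fmt.Printf("Total of Vulnerability %s is: %d\n", s, counts[s])
	}
	for _, f := range ranked {
		fmt.Printf("%-8s %s:%s %s\n", f.Severity, f.File, f.Line, f.RuleID)
	}
}
```

Run with `go run .` after pointing `ParseReport` at the real report file; in CI the same pipeline can fail the job whenever the ranked list still contains a CRITICAL or HIGH entry after exclusions, which is the gate the last bullet above asks for.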

@ErnestK ErnestK linked a pull request Apr 30, 2024 that will close this issue