From 676e4f91575afc8eb9f94c7ee99e55ba7c9017e6 Mon Sep 17 00:00:00 2001
From: Adar-Checkmarx
Date: Sun, 8 Mar 2026 14:30:10 +0200
Subject: [PATCH] Fix 10 security vulnerabilities (AST-108828, AST-116271, AST-120967, AST-123298, AST-123300, AST-123302, AST-123980, AST-123981, AST-132239, AST-134898)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace directives added/updated for 8 CVEs:
- containerd/v2 v2.1.4 → v2.1.5 (CVE-2024-25621, CVE-2025-64329)
- OPA v0.70.0 → v1.14.0 (CVE-2025-46569)
- go-git/v5 v5.14.0 → v5.16.5 (CVE-2026-25934)
- sigstore v1.8.15 → v1.10.4 (CVE-2026-24137)
- runc v1.2.3 → v1.3.3 (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) [existing]
.trivyignore added for 2 unfixable CVEs:
- CVE-2019-25210 (Helm WONTFIX - we don't use --dry-run)
- CVE-2025-27144 (go-jose v2 - no v2 patch, transitive from k8s)
Made-with: Cursor
---
 .trivyignore | 13 ++++
 VULNERABILITY_FIXES.md | 133 ----------------------------------------
 go.mod | 5 +-
 go.sum | 4 +-
 4 files changed, 19 insertions(+), 136 deletions(-)
 create mode 100644 .trivyignore
 delete mode 100644 VULNERABILITY_FIXES.md
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..b91b1e9
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,13 @@
+# CVE-2019-25210: Helm displays secret values with --dry-run flag.
+# WONTFIX by Helm maintainers — this is expected behavior by design.
+# We do not use the --dry-run flag with helm in this project.
+# Ref: https://nvd.nist.gov/vuln/detail/CVE-2019-25210
+CVE-2019-25210
+
+# CVE-2025-27144: DoS in go-jose v2 parsing (excessive memory via crafted JWT).
+# Transitive dependency from k8s.io/apiserver — no v2 patch exists (only v3/v4 patched).
+# This module does NOT use go-jose v2: `go mod why -m` confirms it is not needed.
+# It only appears in the module graph because k8s.io/apiserver lists it in its go.mod.
+# The vulnerable code is never compiled into our binary.
+# Ref: https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78
+CVE-2025-27144
diff --git a/VULNERABILITY_FIXES.md b/VULNERABILITY_FIXES.md
deleted file mode 100644
index 5f7a115..0000000
--- a/VULNERABILITY_FIXES.md
+++ /dev/null
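Review bot: The CVE-2025-27144 suppression has no expiry even though its own rationale describes a temporary state (waiting for k8s.io/apiserver to drop go-jose v2), so it will silently outlive the condition that justifies it. Trivy's plaintext ignore file accepts a date suffix, so the entry should be time-boxed and re-evaluated on the next k8s bump: `CVE-2025-27144 exp:<YYYY-MM-DD>` (placeholder date, pick the next dependency-review date). The "never compiled into our binary" claim rests on `go mod why -m`, which only reports whether any package of this module imports the module; it would be stronger to record a `govulncheck ./...` result next to it, since that tool checks symbol-level reachability rather than module-graph presence. The CVE-2019-25210 entry is fine as a documented accepted risk, but the statement "we do not use --dry-run" is a usage assumption rather than a code property, so it is worth naming where helm is invoked so a future reviewer can re-check it.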
@@ -1,133 +0,0 @@ -# Vulnerability Fixes Summary - -## Date: 2026-01-07 - -### Overview -This document summarizes the status of the reported vulnerabilities and the actions taken to mitigate them. - ---- - -## ✅ FIXED Vulnerabilities - -### 1. CVE-2025-64329 - containerd/v2 -- **Package**: `github.com/containerd/containerd/v2` -- **Previous Version**: v2.1.2 -- **Fixed Version**: v2.1.4 -- **Status**: ✅ **FIXED** -- **Action**: Updated via `go get github.com/containerd/containerd/v2@v2.1.4` - -### 2. CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 - runc -- **Package**: `github.com/opencontainers/runc` -- **Previous Version**: v1.2.3 -- **Fixed Version**: v1.3.3 -- **Status**: ✅ **FIXED** -- **CVEs Addressed**: - - CVE-2025-31133: Container escape vulnerability - - CVE-2025-52565: Container escape with malicious config - - CVE-2025-52881: Container breakout vulnerability -- **Action**: Updated via `go get github.com/opencontainers/runc@v1.3.3` -- **Reference**: https://github.com/opencontainers/runc/releases - ---- - -## ⚠️ WONTFIX / Accepted Risk - -### 3. 
CVE-2019-25210 - Helm -- **Package**: `helm.sh/helm/v3` -- **Current Version**: v3.19.2 -- **Status**: ⚠️ **WONTFIX - Design Decision** -- **Description**: Helm displays values of secrets when the `--dry-run` flag is used -- **Why Not Fixed**: - - This is **expected behavior** by Helm maintainers, not a bug - - When using `--dry-run`, Helm renders templates to show what would be deployed, which includes secret values - - The Helm project has marked this as **WONTFIX** as it's considered a documentation/design issue - - Affects **all versions** of Helm v3 - no version is immune -- **Risk Assessment**: **LOW** - - Requires local CLI access to exploit - - Not a remote vulnerability - - Users explicitly requesting `--dry-run` output should expect to see rendered values -- **Recommendation**: Accept the risk and add to scanner exclusion list -- **Reference**: https://nvd.nist.gov/vuln/detail/cve-2019-25210 - ---- - -## ⚠️ PARTIALLY MITIGATED Vulnerability - -### 4. CVE-2025-27144 - go-jose -- **Package**: `gopkg.in/go-jose/go-jose.v2` -- **Current Version**: v2.6.3 -- **Status**: ⚠️ **TRANSITIVE DEPENDENCY - AWAITING UPSTREAM FIX** -- **Description**: DoS vulnerability in go-jose parsing (excessive memory usage) -- **Root Cause**: This is a transitive dependency pulled in by `k8s.io/apiserver@v0.34.0` -- **Mitigation Status**: - - ✅ Direct dependencies use fixed versions: - - `github.com/go-jose/go-jose/v3@v3.0.4` (fixes CVE-2025-27144) - - `github.com/go-jose/go-jose/v4@v4.0.5` (fixes CVE-2025-27144) - - ⚠️ Transitive dependency `gopkg.in/go-jose/go-jose.v2@v2.6.3` remains due to k8s.io/apiserver -- **Upstream Status**: - - Kubernetes is aware of this issue (see https://github.com/kubernetes/kubernetes/issues/123252) - - Migration to go-jose v4 is in progress but not yet complete -- **Recommended Action**: - - Monitor Kubernetes releases for updates to k8s.io/apiserver that remove the v2 dependency - - Consider updating k8s.io/apiserver when a version with the fix is 
available - - The vulnerability has limited impact as it requires specific attack conditions - ---- - -## Verification - -### Build Status -```bash -go build ./... -``` -✅ **PASSED** - All packages build successfully - -### Dependency Verification -```bash -go list -m all | grep -E "helm.sh/helm|containerd/containerd/v2|opencontainers/runc|go-jose" -``` - -**Current Versions**: -- `github.com/containerd/containerd/v2 v2.1.2 => v2.1.4` ✅ (via replace directive) -- `github.com/go-jose/go-jose/v3 v3.0.4` ✅ -- `github.com/go-jose/go-jose/v4 v4.0.5` ✅ -- `github.com/opencontainers/runc v1.2.3 => v1.3.3` ✅ (via replace directive) -- `gopkg.in/go-jose/go-jose.v2 v2.6.3` ⚠️ (transitive) -- `helm.sh/helm/v3 v3.19.2` (CVE-2019-25210 is WONTFIX by upstream) - -**Replace Directives Added**: -The following replace directives were added to `go.mod` to force the use of fixed versions: -```go -replace ( - google.golang.org/protobuf => google.golang.org/protobuf v1.33.0 - github.com/containerd/containerd/v2 => github.com/containerd/containerd/v2 v2.1.4 - github.com/opencontainers/runc => github.com/opencontainers/runc v1.3.3 -) -``` - -These replace directives override the versions pulled in by `github.com/Microsoft/hcsshim` which was using the vulnerable versions. - ---- - -## Summary - -**Total Vulnerabilities**: 6 CVEs across 4 packages -- **Fixed**: 4 CVEs (67%) - containerd, runc (3 CVEs) -- **WONTFIX/Accepted**: 1 CVE (17%) - Helm CVE-2019-25210 (design decision) -- **Awaiting Upstream Fix**: 1 CVE (17%) - go-jose v2 - -**Risk Assessment**: -- **High Priority Fixes**: All completed ✅ - - Container escape vulnerabilities (runc) - FIXED - - Containerd vulnerability - FIXED -- **Accepted Risk**: - - Helm CVE-2019-25210 - WONTFIX by upstream, low severity, not exploitable remotely -- **Low Priority**: 1 remaining - - go-jose DoS (transitive dependency, limited impact) - Awaiting upstream fix - -**Next Steps**: -1. Monitor k8s.io/apiserver releases for go-jose v4 migration -2. 
Update k8s.io/apiserver when a fixed version is available
-3. Continue monitoring security advisories for all dependencies
-4. Add CVE-2019-25210 to scanner exclusion list with documented rationale
-
diff --git a/go.mod b/go.mod
index 8773b91..3e21c1c 100644
--- a/go.mod
+++ b/go.mod
@@ -287,7 +287,10 @@ require (
 )
 
 replace (
- github.com/containerd/containerd/v2 => github.com/containerd/containerd/v2 v2.1.4
+ github.com/containerd/containerd/v2 => github.com/containerd/containerd/v2 v2.1.5
+ github.com/go-git/go-git/v5 => github.com/go-git/go-git/v5 v5.16.5
+ github.com/open-policy-agent/opa => github.com/open-policy-agent/opa v1.14.0
 github.com/opencontainers/runc => github.com/opencontainers/runc v1.3.3
+ github.com/sigstore/sigstore => github.com/sigstore/sigstore v1.10.4
 google.golang.org/protobuf => google.golang.org/protobuf v1.33.0
 )
diff --git a/go.sum b/go.sum
index 097f6e2..2a33eed 100644
--- a/go.sum
+++ b/go.sum
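Review bot: The go.sum change in this patch (4 lines per the diffstat) only swaps the go-git v5.14.0 lines for v5.16.5, so the three other new replace targets — containerd v2.1.5, opa v1.14.0 and sigstore v1.10.4 — get no `h1:` checksum lines here; unless those entries already existed in go.sum, `go build` with the default `-mod=readonly` will fail with a missing go.sum entry, so `go mod tidy` should be run and its go.sum output committed with this change. A `replace` directive only takes effect when this module is the main module, so the `require` block (outside this hunk) presumably still lists the old versions and anyone consuming this module as a library keeps resolving them; for upgrades MVS already picks the highest required version, so `go get <module>@<version>` bumping `require` is the durable fix and `replace` is only needed where a downgrade must be forced. OPA v0.70.0 → v1.14.0 is a major-version jump whose 1.0 line changed Rego defaults (the v1 syntax is the default), so if this project embeds Rego policies they should be re-run under the new version before merging — inferred from the version numbers, no policy files are visible in this diff.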
@@ -366,8 +366,8 @@ github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UN
 github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.14.0 h1:/MD3lCrGjCen5WfEAzKg00MJJffKhC8gzS80ycmCi60=
-github.com/go-git/go-git/v5 v5.14.0/go.mod h1:Z5Xhoia5PcWA3NF8vRLURn9E5FRhSl7dGj9ItW3Wk5k=
+github.com/go-git/go-git/v5 v5.16.5 h1:mdkuqblwr57kVfXri5TTH+nMFLNUxIj9Z7F5ykFbw5s=
+github.com/go-git/go-git/v5 v5.16.5/go.mod h1:QOMLpNf1qxuSY4StA/ArOdfFR2TrKEjJiye2kel2m+M=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=