Update some dependencies to resolve vulnerabilities (!4453) · Merge requests · GitLab.org / gitlab-runner

Axel von Bertoldi requested to merge avonbertoldi/36975/runner-vulnerabilities into main Nov 07, 2023
#36975 (closed), via a trivy scan, reports a number of vulnerabilities with runner; actually runner itself, not 3rd party applications bundled into images, but runner itself!!!
> trivy fs .
2023-11-07T10:55:48.923-0700	INFO	Vulnerability scanning is enabled
2023-11-07T10:55:48.923-0700	INFO	Secret scanning is enabled
2023-11-07T10:55:48.923-0700	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-07T10:55:48.923-0700	INFO	Please see also https://aquasecurity.github.io/trivy/v0.44/docs/scanner/secret/#recommendation for faster secret detection
2023-11-07T10:55:50.496-0700	INFO	Number of language-specific files: 1
2023-11-07T10:55:50.496-0700	INFO	Detecting gomod vulnerabilities...

go.mod (gomod)

Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 3, CRITICAL: 0)

┌────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────────────────────┬───────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│          Library           │    Vulnerability    │ Severity │ Status │         Installed Version         │           Fixed Version           │                            Title                             │
├────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/docker/docker   │ GHSA-jq35-85cj-fj4p │ MEDIUM   │ fixed  │ 24.0.5+incompatible               │ 24.0.7                            │ /sys/devices/virtual/powercap accessible by default to       │
│                            │                     │          │        │                                   │                                   │ containers                                                   │
│                            │                     │          │        │                                   │                                   │ https://github.com/advisories/GHSA-jq35-85cj-fj4p            │
├────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/elazarl/goproxy │ CVE-2023-37788      │ HIGH     │        │ 0.0.0-20191011121108-aa519ddbe484 │ 0.0.0-20230731152917-f99041a5c027 │ Denial of service (DoS) via unspecified vectors.             │
│                            │                     │          │        │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2023-37788                   │
├────────────────────────────┼─────────────────────┤          │        ├───────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net           │ CVE-2023-39325      │          │        │ 0.13.0                            │ 0.17.0                            │ rapid stream resets can cause excessive work                 │
│                            │                     │          │        │                                   │                                   │ (CVE-2023-44487)                                             │
│                            │                     │          │        │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│                            ├─────────────────────┼──────────┤        │                                   │                                   ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-44487      │ MEDIUM   │        │                                   │                                   │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│                            │                     │          │        │                                   │                                   │ attack (Rapid...                                             │
│                            │                     │          │        │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
├────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc     │ GHSA-m425-mq94-257g │ HIGH     │        │ 1.57.0                            │ 1.56.3, 1.57.1, 1.58.3            │ gRPC-Go HTTP/2 Rapid Reset vulnerability                     │
│                            │                     │          │        │                                   │                                   │ https://github.com/advisories/GHSA-m425-mq94-257g            │
│                            ├─────────────────────┼──────────┤        │                                   ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-44487      │ MEDIUM   │        │                                   │ 1.58.3, 1.57.1, 1.56.3            │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│                            │                     │          │        │                                   │                                   │ attack (Rapid...                                             │
│                            │                     │          │        │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
└────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────────────────────┴───────────────────────────────────┴──────────────────────────────────────────────────────────────┘

helpers/ssh/stub_ssh_server.go (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: AsymmetricPrivateKey (private-key)
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Asymmetric Private Key
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 helpers/ssh/stub_ssh_server.go:44
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  42   	PrivateKey string
  43   }{
  44 [ 	PrivateKey: `...`,
  45   	PublicKey: `ssh-rsa ...`,
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
All but one of the vulnerabilities are in libraries, and the one reported vulnerability in our code is in a test file, so we can ignore that one.
Addressing the vulnerabilities is a simple as running: go get -u github.com/docker/docker github.com/elazarl/goproxy google.golang.org/grpc && go mod tidy
Edited Nov 07, 2023 by Axel von Bertoldi
Update some dependencies to resolve vulnerabilities

Merge request reports
