
golang: checker doesn't take into account replace directives

Open tyaps opened this issue 4 years ago • 6 comments

Describe the bug: For golang projects, the checker doesn't take into account "replace" directives in go.mod.

Version of dependency-check used: 6.1.5

To Reproduce: Steps to reproduce the behavior:

  1. Create test golang project with dependency on github.com/grpc-ecosystem/go-grpc-middleware v1.0.0 in go.mod file.
  2. Run checker. CVE-2017-7860 issue exists in report. As expected.
  3. Update github.com/grpc-ecosystem/go-grpc-middleware v1.0.0 to github.com/grpc-ecosystem/go-grpc-middleware v1.2.2 in "require" section of go.mod
  4. Run checker. CVE-2017-7860 issue doesn't exist. As expected.
  5. Change github.com/grpc-ecosystem/go-grpc-middleware v1.2.2 back to github.com/grpc-ecosystem/go-grpc-middleware v1.0.0 in "require" section of go.mod
  6. Run checker. CVE-2017-7860 issue exists in report. As expected.
  7. Add "replace" directive: replace github.com/grpc-ecosystem/go-grpc-middleware => github.com/grpc-ecosystem/go-grpc-middleware v1.2.2
  8. Run checker. CVE-2017-7860 issue STILL exists in report, but should not. This shows that checker doesn't take into account "replace" directives and checks 1.0.0 version instead of 1.2.2.

Test project (branches for each case with reports):
  - https://github.com/Exalax/depcheck-replace-issue/tree/master - go-grpc-middleware 1.0.0 (base state)
  - https://github.com/Exalax/depcheck-replace-issue/tree/upgrade - go-grpc-middleware 1.2.2 (upgrade via require section)
  - https://github.com/Exalax/depcheck-replace-issue/tree/replace - go-grpc-middleware 1.2.2 (upgrade via replace section)

Expected behavior: When the go.mod file has "replace" directives which update a dependency version, the checker must check these updated dependencies. Instead, the checker still checks dependencies from the "require" section of go.mod.

tyaps avatar Apr 22 '21 08:04 tyaps

@jeremylong I believe this was solved in #2904, right?

Joseph94m avatar May 10 '21 12:05 Joseph94m

Observe the same behavior in version 6.2.2.

sorx00 avatar Aug 09 '21 08:08 sorx00

Can someone provide a project that is failing to honor the replace directive? The PR provided did include an example - but obviously there is something else going on. As such, we would need a go project to test against.

jeremylong avatar Aug 09 '21 11:08 jeremylong

I have a project I've been testing dependency-check against this morning that shows the problem; you can see it in the replace branch of https://github.com/udkyo/deps-go

What I'm attempting to do is replace gogo/protobuf in go.mod with v1.3.2. This appears to be going well according to go.sum, and go list does indeed show the replacement:

$ go list -json -m all | jq 'select(.Path=="github.com/gogo/protobuf")'
{
  "Path": "github.com/gogo/protobuf",
  "Version": "v1.3.1",
  "Replace": {
    "Path": "github.com/gogo/protobuf",
    "Version": "v1.3.2",
    "Time": "2021-01-10T08:01:47Z",
    "GoMod": "[...]/pkg/mod/cache/download/github.com/gogo/protobuf/@v/v1.3.2.mod",
    "GoVersion": "1.15"
  },
  "Indirect": true,
  "GoMod": "[...]/pkg/mod/cache/download/github.com/gogo/protobuf/@v/v1.3.2.mod",
  "GoVersion": "1.15"
}

However, dependency-check (6.5.3) is only showing me results for 1.3.1 (with no mention of replacements anywhere in the output):

{
    "isVirtual" : true,
    "fileName" : "github.com/gogo/protobuf:1.3.1",
    "filePath" : "/src/go.mod:github.com/gogo/protobuf/1.3.1",
    "evidenceCollected" : {
      "vendorEvidence" : [ {
        "type" : "vendor",
        "confidence" : "HIGH",
        "source" : "go.mod",
        "name" : "name",
        "value" : "protobuf"
      }, {
        "type" : "vendor",
        "confidence" : "LOW",
        "source" : "go.mod",
        "name" : "namespace",
        "value" : "github.com"
      }, {
        "type" : "vendor",
        "confidence" : "HIGHEST",
        "source" : "go.mod",
        "name" : "vendor",
        "value" : "gogo"
      } ],
      "productEvidence" : [ {
        "type" : "product",
        "confidence" : "HIGHEST",
        "source" : "go.mod",
        "name" : "name",
        "value" : "protobuf"
      }, {
        "type" : "product",
        "confidence" : "MEDIUM",
        "source" : "go.mod",
        "name" : "vendor",
        "value" : "gogo"
      } ],
      "versionEvidence" : [ {
        "type" : "version",
        "confidence" : "HIGHEST",
        "source" : "go.mod",
        "name" : "version",
        "value" : "1.3.1"
      } ]
    },
    "packages" : [ {
      "id" : "pkg:golang/github.com/gogo/protobuf@1.3.1",
      "confidence" : "HIGHEST",
      "url" : "https://ossindex.sonatype.org/component/pkg:golang/github.com/gogo/protobuf@1.3.1?utm_source=dependency-check&utm_medium=integration&utm_content=6.5.3"
    } ],
    "vulnerabilities" : [ {
      "source" : "OSSINDEX",
      "name" : "CVE-2021-3121",
      "severity" : "CRITICAL",
      "cvssv3" : {
        "baseScore" : 9.8,
        "attackVector" : "N",
        "attackComplexity" : "L",
        "privilegesRequired" : "N",
        "userInteraction" : "N",
        "scope" : "U",
        "confidentialityImpact" : "H",
        "integrityImpact" : "H",
        "availabilityImpact" : "H",
        "baseSeverity" : "CRITICAL"
      },
      "cwes" : [ ],
      "description" : "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.",
      "notes" : "",
      "references" : [ {
        "source" : "OSSINDEX",
        "url" : "https://ossindex.sonatype.org/vulnerability/dcf6da03-f9dd-4a4e-b792-0262de36a0b1?component-type=golang&component-name=github.com%2Fgogo%2Fprotobuf&utm_source=dependency-check&utm_medium=integration&utm_content=6.5.3",
        "name" : "[CVE-2021-3121] An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarsha..."
      }, {
        "source" : "OSSIndex",
        "url" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3121",
        "name" : "https://nvd.nist.gov/vuln/detail/CVE-2021-3121"
      } ],
      "vulnerableSoftware" : [ {
        "software" : {
          "id" : "cpe:2.3:a:github.com\\/gogo:protobuf:1.3.1:*:*:*:*:*:*:*",
          "vulnerabilityIdMatched" : "true"
        }
      } ]
    } ]
  }

udkyo avatar Jan 18 '22 13:01 udkyo

Encountered the problem again on Dependency Check v7.0.0. My test module to check (go.mod):

module go-replace-test

require github.com/prometheus/common v0.26.0

// Fix CVE-2022-21698
replace github.com/prometheus/client_golang => github.com/prometheus/client_golang v1.11.1

go 1.17

❯ go list -json -m all | jq 'select(.Path=="github.com/prometheus/client_golang")'

{
  "Path": "github.com/prometheus/client_golang",
  "Version": "v1.7.1",
  "Replace": {
    "Path": "github.com/prometheus/client_golang",
    "Version": "v1.11.1",
    "Time": "2022-02-15T10:38:19Z",
    "GoMod": "/home/sklyarovr/go/pkg/mod/cache/download/github.com/prometheus/client_golang/@v/v1.11.1.mod",
    "GoVersion": "1.13"
  },
  "Indirect": true,
  "GoMod": "/home/sklyarovr/go/pkg/mod/cache/download/github.com/prometheus/client_golang/@v/v1.11.1.mod",
  "GoVersion": "1.13"
}

Scanning results in the attached file: dependency-check.log

sorx00 avatar Mar 14 '22 15:03 sorx00
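As an added illustration (not code from this issue or from dependency-check), the resolution a scanner has to apply to `go list -json -m all` output, covering both go list captures above: the Replace target's version is the one actually built, and a replace that points at a local directory carries no version at all and has to be flagged rather than scanned as the stale required version. The Sample input, the Main field handling and the example.com/forked module are constructed for this example.

```go
package main

import (
	"encoding/json"
	"io"
)

// Module holds the `go list -json -m all` fields used here (names match the real go list JSON).
type Module struct {
	Path    string  `json:"Path"`
	Version string  `json:"Version"`
	Replace *Module `json:"Replace,omitempty"`
	Main    bool    `json:"Main"`
}

// Effective returns the path and version actually built: the Replace target when set, otherwise
// the required module. A local-directory replace has no Version, so it is flagged, not passed through.
func (m Module) Effective() (string, string) {
	if m.Replace == nil {
		return m.Path, m.Version
	}
	if m.Replace.Version == "" { // replace foo => ../some/dir
		return m.Replace.Path, "(local replace, unversioned)"
	}
	return m.Replace.Path, m.Replace.Version
}

// ResolveModules decodes the stream of JSON objects go list emits and maps each
// effective module path to its effective version, skipping the main module.
func ResolveModules(r io.Reader) (map[string]string, error) {
	dec := json.NewDecoder(r)
	out := map[string]string{}
	for dec.More() {
		var m Module
		if err := dec.Decode(&m); err != nil {
			return nil, err
		}
		if !m.Main {
			p, v := m.Effective()
			out[p] = v
		}
	}
	return out, nil
}

// Sample is constructed (not captured) to mirror this issue's replace case plus a local-directory replace.
const Sample = `{"Path":"go-replace-test","Main":true}
{"Path":"github.com/prometheus/common","Version":"v0.26.0"}
{"Path":"github.com/prometheus/client_golang","Version":"v1.7.1","Replace":{"Path":"github.com/prometheus/client_golang","Version":"v1.11.1"}}
{"Path":"example.com/forked","Version":"v0.1.0","Replace":{"Path":"../forked"}}`
```

A scanner that walks only the "require" section, as the reports above do, would emit v1.7.1 for client_golang here; reading go list output gives v1.11.1, which is what is actually compiled.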

Hello, @jeremylong. Is there any news on this bug?

sorx00 avatar Sep 15 '22 11:09 sorx00