
Critical vulnerability for package golang.org/x/crypto found in latest version of cdk-notifier.

Open passbt opened this issue 10 months ago • 5 comments

Hello, I'm installing the latest version, v2.13.5, of cdk-notifier, and Trivy is detecting a critical vulnerability for the golang.org/x/crypto package, v0.16.0, that is packaged in cdk-notifier. When do you anticipate your Renovate bot will get this patched? I didn't see mention of it on your issue dashboard. The fix is in v0.31.0 of the crypto package. Here is a link to the Go vulnerability report: https://pkg.go.dev/vuln/GO-2024-3321.

Thank you!

passbt avatar Jan 03 '25 20:01 passbt

I can confirm the vulnerability is listed in dependabot alerts. This is due to the fact that the PR for updating the GitLab client (#117) failed. Thanks for raising the issue. I can check tomorrow.

karlderkaefer avatar Jan 04 '25 02:01 karlderkaefer

@passbt I updated all dependencies to latest, see #171. It has resolved 2 out of 3 security alerts. However, the problem with x/crypto stays, since the sprig module is still using an old x/crypto version. Can you also create a GitHub issue there?

go mod graph | grep golang.org/x/crypto
github.com/karlderkaefer/cdk-notifier golang.org/x/[email protected]
github.com/Masterminds/sprig/[email protected] golang.org/x/[email protected]
github.com/spf13/[email protected] golang.org/x/[email protected]
github.com/spf13/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]

karlderkaefer avatar Jan 04 '25 14:01 karlderkaefer
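The `go mod graph | grep` check above shows every module that requires golang.org/x/crypto, but not which of those requirements is below the fixed version, nor which version the build actually selects. The following Go program is an added example (not part of the cdk-notifier project or this thread) that parses `go mod graph` output, flags every requirer that pins the package below a given fix version, and reports the maximum required version, which is what Go's minimal version selection builds with. The graph text is a constructed sample with placeholder versions (the sprig and cobra versions are invented for illustration, not the real ones in the thread, which the page does not show). `go list -m golang.org/x/crypto` on a real module confirms the selected version.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample of `go mod graph` output, NOT the real cdk-notifier graph.
// Each line is "<requirer> <required>"; every module except the main module
// carries an "@version" suffix. Versions here are placeholders.
const sampleGraph = `github.com/example/app golang.org/x/crypto@v0.31.0
github.com/example/app github.com/Masterminds/sprig/v3@v3.2.3
github.com/example/app github.com/spf13/cobra@v1.8.1
github.com/Masterminds/sprig/v3@v3.2.3 golang.org/x/crypto@v0.3.0
github.com/spf13/cobra@v1.8.1 golang.org/x/text@v0.14.0
golang.org/x/crypto@v0.3.0 golang.org/x/sys@v0.2.0
golang.org/x/crypto@v0.31.0 golang.org/x/sys@v0.28.0
`

// Edge is one requirement edge from the module graph.
type Edge struct {
	Requirer, Module, Version string
}

// splitModule separates "path@version"; the main module has no version.
func splitModule(s string) (string, string) {
	if i := strings.LastIndex(s, "@"); i >= 0 {
		return s[:i], s[i+1:]
	}
	return s, ""
}

// ParseGraph returns the edges whose required module path equals target.
func ParseGraph(graph, target string) []Edge {
	var edges []Edge
	sc := bufio.NewScanner(strings.NewReader(graph))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // blank or malformed line
		}
		mod, ver := splitModule(fields[1])
		if mod == target {
			edges = append(edges, Edge{Requirer: fields[0], Module: mod, Version: ver})
		}
	}
	return edges
}

// parseSemver turns "v0.16.0" into [0 16 0]; pre-release/build suffixes are dropped.
func parseSemver(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, part := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(part)
		out[i] = n
	}
	return out
}

// VersionLess reports whether semver a < b (major, minor, patch only).
func VersionLess(a, b string) bool {
	pa, pb := parseSemver(a), parseSemver(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// VulnerableRequirers lists, sorted, every "requirer -> target@version" edge
// whose version is below fixed. These are the modules to chase upstream.
func VulnerableRequirers(graph, target, fixed string) []string {
	var out []string
	for _, e := range ParseGraph(graph, target) {
		if e.Version != "" && VersionLess(e.Version, fixed) {
			out = append(out, e.Requirer+" -> "+e.Module+"@"+e.Version)
		}
	}
	sort.Strings(out)
	return out
}

// MaxRequired returns the highest version of target in the graph. Under
// minimal version selection that is the version the main module builds with,
// so a direct requirement at or above the fix overrides older transitive pins.
func MaxRequired(graph, target string) string {
	best := ""
	for _, e := range ParseGraph(graph, target) {
		if e.Version != "" && (best == "" || VersionLess(best, e.Version)) {
			best = e.Version
		}
	}
	return best
}

func main() {
	const target, fixed = "golang.org/x/crypto", "v0.31.0"
	fmt.Printf("selected %s: %s\n", target, MaxRequired(sampleGraph, target))
	for _, r := range VulnerableRequirers(sampleGraph, target, fixed) {
		fmt.Println("pins a pre-fix version:", r)
	}
}
```

On a real repository, pipe `go mod graph` into this instead of the constructed sample. Scanners such as Trivy key on the module version in the binary, so even when the selected version is already at or above the fix, the old transitive pin is worth reporting upstream; whether the vulnerable code path is actually reachable is a separate question that `govulncheck` answers by call-graph analysis.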

I have a PR ready in case the upstream request takes too long https://github.com/karlderkaefer/cdk-notifier/pull/186 but it would be better to fix it upstream.

karlderkaefer avatar Jan 04 '25 14:01 karlderkaefer

I agree.

passbt avatar Jan 04 '25 17:01 passbt

I have a PR ready in case the upstream request takes too long #186 but it would be better to fix it upstream.

I'm not sure how long you wanted to give them, but are you open to moving forward with your PR? If I remember right, they only review changes a few times a year in the upstream project.

passbt avatar Feb 03 '25 18:02 passbt

Sure, I will test it and release it this weekend. Sorry, I only get notified about mentions.

karlderkaefer avatar Feb 21 '25 17:02 karlderkaefer

@passbt if you wonder why this had no priority on the sprig repository: the vulnerability GO-2024-3321 is in the SSH subpackage (specifically, the PublicKeyCallback caching behavior in golang.org/x/crypto/ssh). Sprig's crypto functions only import and use bcrypt and scrypt (and a few other non-SSH parts). So actually sprig, and by extension cdk-notifier, was not affected by this critical vulnerability. Although it is not required, I will merge it, just to calm any secops teams that might complain :) It has been tested, and the version upgrade does not affect cdk-notifier.

karlderkaefer avatar Feb 21 '25 18:02 karlderkaefer

Security vulnerability is fixed.

Image

karlderkaefer avatar Feb 21 '25 19:02 karlderkaefer