
#30 Update golang and libraries to resolve CVE

Open nathanlaceyraft opened this issue 7 months ago • 0 comments

The following PR will resolve https://github.com/datarhei/core/issues/30

datarhei/restreamer has CVEs because of core.

CVEs in core found by running `govulncheck ./...`:

```
=== Symbol Results ===

Vulnerability #1: GO-2025-3595
    Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2025-3595
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]

Vulnerability #2: GO-2025-3553
    Excessive memory allocation during header parsing in github.com/golang-jwt/jwt
  More info: https://pkg.go.dev/vuln/GO-2025-3553
  Module: github.com/golang-jwt/jwt
    Found in: github.com/golang-jwt/[email protected]+incompatible
    Fixed in: N/A
    Example traces found:
      #1: http/middleware/session/HLS.go:20:2: session.init calls middleware.init, which calls jwt.init
  Module: github.com/golang-jwt/jwt/v4
    Found in: github.com/golang-jwt/jwt/[email protected]
    Fixed in: github.com/golang-jwt/jwt/[email protected]
    Example traces found:
      #1: http/server.go:402:20: http.server.ServeHTTP calls echo.Echo.ServeHTTP, which eventually calls jwt.Parser.ParseUnverified
  Module: github.com/golang-jwt/jwt/v5
    Found in: github.com/golang-jwt/jwt/[email protected]
    Fixed in: github.com/golang-jwt/jwt/[email protected]
    Example traces found:
      #1: http/jwt/validator.go:114:36: jwt.auth0Validator.Validate calls jwt.Parser.ParseUnverified

Vulnerability #3: GO-2024-3250
    Improper error handling in ParseWithClaims and bad documentation may cause dangerous situations in github.com/golang-jwt/jwt
  More info: https://pkg.go.dev/vuln/GO-2024-3250
  Module: github.com/golang-jwt/jwt/v4
    Found in: github.com/golang-jwt/jwt/[email protected]
    Fixed in: github.com/golang-jwt/jwt/[email protected]
    Example traces found:
      #1: http/server.go:402:20: http.server.ServeHTTP calls echo.Echo.ServeHTTP, which eventually calls jwt.ParseWithClaims

Vulnerability #4: GO-2024-2920
    Denial of service vulnerability via the parseDirectives function in github.com/vektah/gqlparser
  More info: https://pkg.go.dev/vuln/GO-2024-2920
  Module: github.com/vektah/gqlparser/v2
    Found in: github.com/vektah/gqlparser/[email protected]
    Fixed in: github.com/vektah/gqlparser/[email protected]
    Example traces found:
      #1: http/handler/api/graph.go:46:26: api.GraphHandler.Query calls handler.Server.ServeHTTP, which eventually calls parser.ParseQuery
      #2: http/graph/graph/graph.go:1832:44: graph.init calls gqlparser.MustLoadSchema, which eventually calls parser.ParseSchemas
```


Steps to reproduce creating this PR: update to the new golang 1.24.3 (if not already there), then:

```shell
go get github.com/golang-jwt/jwt/v4
go get github.com/vektah/gqlparser/v2
go get golang.org/x/net
go get github.com/labstack/echo-jwt
go get github.com/golang-jwt/jwt/v5
go get github.com/labstack/echo/v4   # resolves the github.com/golang-jwt/[email protected] reference
```

Because of breaking changes in echo/v4, I had to make a fix to http/jwt/jwt.go.

```shell
go mod tidy
go mod vendor
```

`govulncheck ./...` should now show no CVEs.

I also updated the .github files and the Dockerfiles to the newest golang version 1.24.3. Note the addition of `@sha256:b4f875e650466fa0fe62c6fd3f02517a392123eea85f1d7e69d85f780e4db1c1` within the image definition. If Docker Hub ever received a supply chain attack, corrupting the base images, the hash would prevent you from releasing images.
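The digest pin described above only protects a build if every base image in every Dockerfile actually carries one. The following POSIX shell script is an added example (not code from this PR or from the datarhei/core project) that checks a Dockerfile for `FROM` lines lacking an `@sha256:` digest, accepting references to earlier build stages. The Dockerfiles and the digest value it uses are constructed for the demonstration; the digest is a placeholder, not a real image digest.

```shell
#!/bin/sh
# Added example, not code from the datarhei/core PR: verify that every FROM
# instruction in a Dockerfile pins its base image by sha256 digest, so that a
# mutable tag such as golang:1.24.3 cannot be silently re-pointed at another
# image. Dockerfiles and digest below are constructed for the demonstration.

# check_pinned_from FILE
# Exit 0 if every FROM in FILE is digest-pinned (or names an earlier build
# stage); otherwise print the offending lines and exit 1.
check_pinned_from() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*#/ { next }                       # skip comment lines
        toupper($1) == "FROM" {
            img = $2
            if (img ~ /^--/) img = $3             # tolerate FROM --platform=... image
            for (i = 3; i < NF; i++)              # remember "AS <stage>" aliases
                if (toupper($i) == "AS") stages[$(i + 1)] = 1
            if (img in stages) next               # FROM <earlier stage> needs no digest
            n = split(img, part, "@sha256:")
            if (n != 2 || length(part[2]) != 64 || part[2] ~ /[^0-9a-f]/) {
                printf "unpinned base image at line %d: %s\n", NR, $0
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Placeholder digest (64 hex chars), constructed; not a real image digest.
DIGEST=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

# Constructed multi-stage Dockerfile with both registry images pinned.
PINNED_DF=$(mktemp)
cat > "$PINNED_DF" <<EOF
# builder stage
FROM golang:1.24.3@sha256:$DIGEST AS builder
WORKDIR /src
RUN go build -o /core .
FROM alpine:3.20@sha256:$DIGEST
COPY --from=builder /core /core
FROM builder AS test
EOF

# Same layout, but the runtime image is referenced by tag only.
UNPINNED_DF=$(mktemp)
cat > "$UNPINNED_DF" <<EOF
FROM golang:1.24.3@sha256:$DIGEST AS builder
FROM alpine:3.20
EOF

# Demo run over both constructed files.
for df in "$PINNED_DF" "$UNPINNED_DF"; do
    if check_pinned_from "$df"; then
        echo "$df: all base images are digest-pinned"
    else
        echo "$df: FAILED digest-pin check"
    fi
done
```

Run it against a real Dockerfile with `check_pinned_from path/to/Dockerfile` in CI; a non-zero exit blocks the build until the tag is replaced by an `image:tag@sha256:<digest>` reference.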

Once you build the docker image, you can recheck for CVEs using trivy:

```shell
trivy image --scanners vuln --ignore-unfixed local:core
```

trivy will now show 0 CVEs.

Thanks for your consideration.

nathanlaceyraft, Jun 03 '25 18:06