go-graphviz

Graphviz Update?

Open lespea opened this issue 3 years ago • 13 comments

One of our internal scanning tools identified the following CVEs present in the included graphviz library: CVE-2019-9904 & CVE-2019-11023. I haven't validated those but I do believe the library is a handful of versions behind anyway... not sure how much work it is updating the library code?

lespea avatar Apr 21 '21 16:04 lespea

Indeed, this looks like a valid question. Can we update Graphviz? It currently looks like the Graphviz source and Go source are intermingled. Can we do this differently?

Vithanco avatar Nov 28 '21 17:11 Vithanco

Do me a favor. I have the same problem.

xFurther avatar Nov 29 '21 09:11 xFurther

Btw, this looks like a really great library. The description sounds like this is my dream. So, this wasn't meant as criticism. I am more interested whether it makes sense to get involved... Hence my request. Can we create this maybe as a fork of Graphviz itself? With the sources of this library as a true extension of this fork? I noticed that Graphviz got some maintainers and is picking up speed.

Or any better idea?

I am willing to add some hours to that endeavour as well, but only started learning Go, so I would need help.

Vithanco avatar Nov 29 '21 09:11 Vithanco

I'll prepare a mechanism to easily update the C source of Graphviz. For example, use the following command (make update/graphviz/{version}):

make update/graphviz/2.40.1

goccy avatar Nov 29 '21 12:11 goccy

this sounds fantastic!

Vithanco avatar Nov 29 '21 12:11 Vithanco

I'll prepare a mechanism to easily update the C source of Graphviz. For example, use the following command (make update/graphviz/{version}):

make update/graphviz/2.40.1

I finally got you. You are the god of salvation. This is a moment to celebrate!

xFurther avatar Nov 30 '21 01:11 xFurther

Did you ever try to compile towards WebAssembly?

Vithanco avatar Dec 01 '21 04:12 Vithanco

I assume WebAssembly doesn't work: imports github.com/goccy/go-graphviz/internal/ccall: build constraints exclude all Go files in ${MyPATH}/pkg/mod/github.com/goccy/[email protected]/internal/ccall

Vithanco avatar Dec 01 '21 12:12 Vithanco

Any updates on this?

TimJJTing avatar Jan 26 '22 10:01 TimJJTing

@Vithanco did you end-up having a functioning fork with updated upstream graphviz?

spacedub avatar Oct 17 '22 18:10 spacedub

Sorry, after some further consideration I chose JavaScript over Go. But I still think this is a great library.

Thanks for the follow up & good luck!

Vithanco avatar Oct 18 '22 05:10 Vithanco

@goccy would love to see this happen - and of course happy to help if you can provide some pointers.

spacedub avatar Oct 20 '22 03:10 spacedub

The "Mend" tool complains about three CVEs in the embedded version of GraphViz. Consider replacing the current GraphViz source with newer source. I looked up Mend's complaints, here they are:

  • https://www.mend.io/vulnerability-database/CVE-2020-18032
    • High severity
    • Buffer Overflow in … "lib/common/shapes.c" component.
      • https://github.com/goccy/go-graphviz/blob/master/internal/ccall/common/shapes.c
      • GraphViz has moved on to https://gitlab.com/graphviz/graphviz/-/blob/main/lib/common/shapes.c
  • https://www.mend.io/vulnerability-database/CVE-2019-11023
    • High severity
    • The agroot() function in cgraph\obj.c in libcgraph.a in Graphviz 2.39.20160612.1140 has a NULL pointer dereference
      • https://github.com/goccy/go-graphviz/blob/master/internal/ccall/cgraph/obj.c
      • GraphViz has moved on to https://gitlab.com/graphviz/graphviz/-/blob/main/lib/cgraph/obj.c
  • https://www.mend.io/vulnerability-database/CVE-2019-9904
    • Medium severity
    • lib\cdt\dttree.c in libcdt.a in graphviz 2.40.1. Stack consumption occurs because of recursive agclose calls in lib\cgraph\graph.c
      • https://github.com/goccy/go-graphviz/blob/master/internal/ccall/cgraph/graph.c
      • GraphViz has moved on to https://gitlab.com/graphviz/graphviz/-/blob/main/lib/cgraph/graph.c

esnible avatar Jun 10 '23 10:06 esnible
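The update target goccy sketches above (make update/graphviz/{version}) and the source refresh esnible asks for in the last comment come down to the same procedure: fetch a pinned Graphviz release, verify it, and replace the vendored lib/ subdirectories. The script below is an added example written for this thread, not go-graphviz's own Makefile. It assumes a release tarball URL pattern (the GitLab generic-package URL shown in gv_tarball_url, which should be checked against upstream), that the tarball unpacks to graphviz-<version>/lib/..., and that the vendored copy lives under internal/ccall/<subdir> as the paths quoted in the thread suggest; the expected SHA-256 digest is something the repository would have to record alongside the pinned version.

```shell
#!/bin/sh
# Added example (not go-graphviz's own build code): a version-pinned,
# checksum-verified refresh of the vendored Graphviz C sources.
# Assumed: the tarball URL pattern, the graphviz-<version>/lib/ layout,
# and internal/ccall/<subdir> as the vendored destination.
set -eu

# Upstream lib/ subdirectories the vendored tree mirrors (common, cgraph
# and cdt are the ones named in the CVE paths quoted in the thread).
GV_SUBDIRS="common cgraph cdt"

# Accept only a plain dotted version such as 2.40.1, so a stray argument
# cannot become a path component ("../") or an extra shell word.
gv_valid_version() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Release tarball location (assumed pattern; verify against upstream).
gv_tarball_url() {
    gv_valid_version "$1" || return 1
    printf 'https://gitlab.com/api/v4/projects/4207231/packages/generic/graphviz-releases/%s/graphviz-%s.tar.gz\n' "$1" "$1"
}

# Compare a file's SHA-256 with the digest recorded for the pinned
# version; non-zero on mismatch so a tampered or truncated download is
# never unpacked into the tree.
gv_verify_sha256() {
    file=$1; expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# Replace each vendored subdirectory wholesale with the upstream copy,
# so files deleted upstream do not linger in the vendored tree.
gv_sync_sources() {
    src=$1; dst=$2
    for d in $GV_SUBDIRS; do
        [ -d "$src/lib/$d" ] || { echo "missing $src/lib/$d" >&2; return 1; }
        rm -rf "$dst/$d"
        mkdir -p "$dst/$d"
        cp -R "$src/lib/$d/." "$dst/$d/"
    done
}

# Full flow; a Makefile rule for update/graphviz/% would call this with
# the version, the recorded digest and (optionally) the destination.
gv_update() {
    version=$1; expected_sha=$2; dst=${3:-internal/ccall}
    url=$(gv_tarball_url "$version") || { echo "bad version: $version" >&2; return 1; }
    work=$(mktemp -d)
    curl -fsSL -o "$work/graphviz.tar.gz" "$url"
    gv_verify_sha256 "$work/graphviz.tar.gz" "$expected_sha" || { echo "checksum mismatch" >&2; return 1; }
    tar -xzf "$work/graphviz.tar.gz" -C "$work"
    gv_sync_sources "$work/graphviz-$version" "$dst"
    rm -rf "$work"
}
```

The two checks are the point: the digest comparison happens before tar runs, so the build never consumes a tarball that differs from the one reviewed when the version was pinned, and the version validation keeps the argument that ends up in rm -rf and cp paths to a dotted number. Bumping the pin then becomes a reviewable diff of two values plus the resulting C changes, which is also what makes the scanner findings in this thread straightforward to resolve and re-check.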