
Create a workflow for `govulncheck`

Open NiloCK opened this issue 2 years ago • 0 comments

See draft pr #1454, where the new security tool from the go team was applied against the current repo.

Blog post for the tool: https://go.dev/blog/govulncheck
Github Action for the tool: https://github.com/marketplace/actions/golang-govulncheck-action

  • :( Nine vulnerabilities were flagged.
  • :) all of them seem fixable by a simple update of the Go patch version. E.g., the build config specifies 1.20.0, but these vulnerabilities all seem to have fixes somewhere in 1.20.x

Probably

  • we do want this tool as part of our workflow, especially when it comes to packaging release versions
  • we do not want every upstream vulnerability discovery to halt development on this repo

Potential Plan

  • develop a release pipeline and have it fail when govulncheck returns errors
  • add a nightly that
    • runs govulncheck
    • creates labelled issues where individual vulnerabilities are found

Issue format

Here is a sample discovered vulnerability:

Vulnerability #1: GO-2023-1878
    Insufficient sanitization of Host header in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-1878
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Example traces found:
##[error]      #1: node/engine/chainservice/utils/utils.go:32:37: utils.ConnectToChain calls ethclient.Client.ChainID, which eventually calls http.Client.Do
##[error]      #2: rpc/transport/nats/server.go:61:29: nats.NewNatsTransportAsServer calls server.NewServer, which eventually calls http.Client.Get
##[error]      #3: scripts/start-rpc-servers.go:132:19: scripts.main calls cli.App.Run, which eventually calls http.Get
##[error]      #4: rpc/transport/ws/client.go:46:24: ws.clientWebSocketTransport.Request calls http.Post
##[error]      #5: rpc/transport/ws/client.go:28:46: ws.NewWebSocketTransportAsClient calls websocket.Dialer.Dial, which eventually calls http.Request.Write
##[error]      #6: rpc/transport/nats/server.go:61:29: nats.NewNatsTransportAsServer calls server.NewServer, which eventually calls http.Transport.CloseIdleConnections

`GO-2023-1878` is an identifier; `Insufficient sanitization of Host header in net/http` is a description.

An issue could be created with a title like `govulncheck: Insufficient sanitization of Host header in net/http`, with the entire body of the report pasted inside.
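One way the nightly job could turn the report into per-vulnerability issues, as an added example that is not go-nitro's code: it parses the text format shown above (identifier from the `Vulnerability #N:` header, description from the next line, GitHub Actions' `##[error]` markers stripped from the trace lines) and builds the proposed title. `SampleReport` is constructed for the example; the second finding and the version strings in it are placeholders.

```go
package main

import (
	"regexp"
	"strings"
)

// Vuln is one "Vulnerability #N" block from govulncheck's text report.
type Vuln struct {
	ID          string // e.g. GO-2023-1878
	Description string // first non-empty line after the header
	Body        string // the whole block, to be pasted into the issue body
}

// SampleReport is a constructed, shortened report in the shape shown in the
// issue; GO-0000-0000 and the go1.20.X version strings are placeholders.
const SampleReport = `Constructed preamble line that the parser ignores

Vulnerability #1: GO-2023-1878
    Insufficient sanitization of Host header in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-1878
  Standard library
    Found in: net/http@go1.20.0
    Fixed in: net/http@go1.20.X
    Example traces found:
##[error]      #4: rpc/transport/ws/client.go:46:24: ws.clientWebSocketTransport.Request calls http.Post

Vulnerability #2: GO-0000-0000
    Placeholder second finding used to show the split
`

var headerRe = regexp.MustCompile(`^Vulnerability #\d+: (GO-\d{4}-\d+)$`)

// ParseReport splits the report into one Vuln per header line and strips the
// "##[error]" prefix that the Actions log adds to trace lines.
func ParseReport(report string) []Vuln {
	var vulns []Vuln
	cur := -1 // index into vulns; -1 while still in the preamble
	for _, raw := range strings.Split(report, "\n") {
		line := strings.TrimPrefix(raw, "##[error]")
		if m := headerRe.FindStringSubmatch(strings.TrimSpace(line)); m != nil {
			vulns = append(vulns, Vuln{ID: m[1], Body: line + "\n"})
			cur = len(vulns) - 1
			continue
		}
		if cur < 0 {
			continue
		}
		v := &vulns[cur] // index, not a saved pointer: append may reallocate
		v.Body += line + "\n"
		if v.Description == "" && strings.TrimSpace(line) != "" {
			v.Description = strings.TrimSpace(line)
		}
	}
	return vulns
}

// IssueTitle is the title format proposed above: "govulncheck: <description>".
func IssueTitle(v Vuln) string { return "govulncheck: " + v.Description }
```

Keying the created issues on `Vuln.ID` (for example by searching existing open issues for it before creating a new one) keeps repeated nightly runs from filing duplicates.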

Dependabot?

This mostly seems to duplicate work that already gets done by dependabot - maybe we could first play with configuring that.

NiloCK, Jul 14 '23 15:07