-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[9096]: Add govulncheck step to CI #9115
[9096]: Add govulncheck step to CI #9115
Conversation
Hi @jaehnri. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@jaehnri the production binary that is shipped can not have its name changed to prefix "scannable" |
Sure. The "scannable" binary comes from a new build in |
(1) Should govulncheck report this CVE #9109 ? (2) There was talk on binary size increasing to 40+ MB (increase of 3-4MB) so can ou confirm that that is not a concern anymore as binary with symbols will only be used (and deleted) in CI, to run govulncheck ? |
Thanks for the review, @longwuyuan! (1) As per the documentation:
When the binary is scanned, like we are doing in the pipeline, no vulnerability is reported. However, when the source code is scanned, the vulnerability indeed is reported: $govulncheck $PWD/cmd/nginx
...
Found 1 known vulnerability.
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean
shutdown that was preempted by a fatal error. This condition can
be exploited by a malicious client to cause a denial of service.
... As we recently updated ingress to Go 1.19.1, I guess ingress-nginx wasn't actually being affected by the vulnerability. (2) The sizes of both image and binary aren't being affected. Before this change: $ du -sh nginx-ingress-controller
38M nginx-ingress-controller
$ docker image ls gcr.io/k8s-staging-ingress-nginx/controller:v1.4.0q
REPOSITORY TAG IMAGE ID CREATED SIZE
gcr.io/k8s-staging-ingress-nginx/controller v1.4.0q f8276d255d24 52 seconds ago 264MB After this change: $ du -sh nginx-ingress-controller
38M nginx-ingress-controller
$ docker image ls gcr.io/k8s-staging-ingress-nginx/controller:v1.4.0
REPOSITORY TAG IMAGE ID CREATED SIZE
gcr.io/k8s-staging-ingress-nginx/controller v1.4.0 6083d2e0186e 9 seconds ago 264MB
|
Are you going to scan both src bits as well as compiled bits in the CI ? Basically want to know if that existing vulnerability got reported in your fork's CI run. |
@longwuyuan Initially I was planning to scan only the binary. Do you think we should scan source too? It seems like the binary is more precise than source. Source may lead to some false positives |
Goal is to know about a CVE asap. Wait for other comments as I am not a developer. |
Hi, all! I checkout to a previous commit regarding the release 1.3.1 (db3cdc04e40c5fab51c010902eac2522572e9a3c) and ran the tool. As expected, the vulnerability was indeed reported: $ go version
go version go1.19 darwin/amd64
$ git checkout db3cdc04e40c5fab51c010902eac2522572e9a3c
Note: switching to 'db3cdc04e40c5fab51c010902eac2522572e9a3c'.
...
$ make build
...
$ govulncheck rootfs/bin/amd64/nginx-ingress-controller
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
Scanning for dependencies with known vulnerabilities...
Found 12 known vulnerabilities.
...
Vulnerability #10: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean
shutdown that was preempted by a fatal error. This condition can
be exploited by a malicious client to cause a denial of service.
Found in: net/[email protected]
Fixed in: net/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-0969
... Then, I checkout to commit regarding release 1.4.0, after Long's commit updating go to version 1.19.1 and before James's commit updating x/net's version: $ git checkout cc79e1474512b43351c7d33500b14eb8dc4d0a9a
Previous HEAD position was db3cdc04e release 1.3.1 (#9014)
HEAD is now at cc79e1474 Merge pull request #9108 from strongjz/release-1.4.0
$ make build
...
$ govulncheck rootfs/bin/amd64/nginx-ingress-controller
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
Scanning for dependencies with known vulnerabilities...
Found 2 known vulnerabilities.
Vulnerability #1: GO-2022-1037
Reader.Read does not set a limit on the maximum size of file
headers. A maliciously crafted archive could cause Read to
allocate unbounded amounts of memory, potentially causing
resource exhaustion or panics. After fix, Reader.Read limits the
maximum size of header blocks to 1 MiB.
Found in: archive/[email protected]
Fixed in: archive/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-1037
Vulnerability #2: GO-2022-1039
Programs which compile regular expressions from untrusted
sources may be vulnerable to memory exhaustion or denial of
service. The parsed regexp representation is linear in the size
of the input, but in some cases the constant factor can be as
high as 40,000, making relatively small regexps consume much
larger amounts of memory. After fix, each regexp being parsed is
limited to a 256 MB memory footprint. Regular expressions whose
representation would use more space than that are rejected.
Normal use of regular expressions is unaffected.
Found in: regexp/[email protected]
Fixed in: regexp/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-1039 As expected, the vulnerability wasn't reported because it had already been fixed by the go version update. I'll be happy to investigate further if needed :) |
@jaehnri , this helps. |
/kind feature |
/ok-to-test |
* add labels to dependabot prs Signed-off-by: cpanato <[email protected]> * sync hashes and versions dependabot can update the version comment now Signed-off-by: cpanato <[email protected]> Signed-off-by: cpanato <[email protected]>
Signed-off-by: James Strong <[email protected]> Signed-off-by: James Strong <[email protected]>
* upgrade nginx base and e2e base Signed-off-by: James Strong <[email protected]> * upgrade e2e base Signed-off-by: James Strong <[email protected]> * update new build Signed-off-by: James Strong <[email protected]> * update to latest e2e base Signed-off-by: James Strong <[email protected]> * remove e2e update Signed-off-by: James Strong <[email protected]> * remove e2e update Signed-off-by: James Strong <[email protected]> Signed-off-by: James Strong <[email protected]>
* start release 1.5.2 Signed-off-by: James Strong <[email protected]> * upgrade kind clusters and add 1.26 Signed-off-by: James Strong <[email protected]> Signed-off-by: James Strong <[email protected]>
Signed-off-by: James Strong <[email protected]>
gcloud timed out on the 1.5.2 build, so we need to restart the release process, so reverting the tag.
* update cli-arguents.md with latest version flags.go * correct punctuation in pkg/flag/flags.go
Signed-off-by: James Strong <[email protected]> Signed-off-by: James Strong <[email protected]>
Signed-off-by: James Strong <[email protected]> Signed-off-by: James Strong <[email protected]>
Signed-off-by: James Strong <[email protected]>
Signed-off-by: James Strong <[email protected]>
Signed-off-by: James Strong <[email protected]>
@jaehnri: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Well, looks like the rebase didn't quite work. I'll see what can I do. I think that maybe opening another clean PR would be better. There aren't many changes anyway.. 🙃 |
As the rebase went wrong, I created another PR (see #9474). |
What this PR does / why we need it:
This PR adds an additional CI step that runs
govulncheck
against the go executable.govulncheck
reports known vulnerabilities that affect Go code. It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application.Types of changes
Which issue/s this PR fixes
fixes #9096
How Has This Been Tested?
I have created a similar PR in my ingress-nginx fork. The result of this CI check can be found here. For now, this step does not block the CI in any way.
To implement this new step, a new binary
"scannable-nginx-ingress-controller"
is compiled inbuild/build.sh
. This new binary is needed becausegovulncheck
requires the Go symbol table to run, which is currently being disabled by the-ldflags="-s"
flag.Checklist:
Does my pull request need a release note?
Any user-visible or operator-visible change qualifies for a release note. This could be a:
No release notes are required for changes to the following:
For more tips on writing good release notes, check out the Release Notes Handbook