
ci(nancy): ignore CVE-2020-26160 #113

Merged May 2, 2021 (1 commit)

Conversation

Nivl
Owner

@Nivl Nivl commented May 2, 2021

Core info

Severity & impact on go-git

No impact. As per a comment on Viper, the affected package is not compiled into the final library. Cobra uses Viper which uses Crypt which uses an etcd client. The etcd package imports github.com/dgrijalva/jwt-go but the client package used by crypt doesn't use it.

Explanation

This CVE is in a nested dep: github.com/dgrijalva/jwt-go.

Affected direct dependencies:

  • Cobra

Possible fixes:

  • Update cobra once they updated viper, once they updated crypt, once they updated etcd, once they updated jwt-go (best, but might not happen for a long time due to how deep the CVE is)
  • Ignore the CVE (acceptable)

Research

CVE in: github.com/dgrijalva/jwt-go < 4.0.0-preview1

Affected dependencies:

❯ go mod graph | grep " github.com/dgrijalva/jwt-go"
github.com/spf13/[email protected] github.com/dgrijalva/[email protected]+incompatible
❯ go mod graph | grep " github.com/spf13/viper"
github.com/spf13/[email protected] github.com/spf13/[email protected]

After looking at Viper's source code, Viper doesn't use jwt-go directly. Viper uses crypt which uses etcd which uses jwt-go. The etcd package used by Crypt is etcd/client, which doesn't import jwt-go.

Nancy report

1 known vulnerabilities affecting installed version 
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2020-26160] jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrict...                                                                                                                                         ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ jwt-go before 4.0.0-preview1 allows attackers to bypass intended access                                                                                                                                                 ┃
┃                    ┃ restrictions in situations with []string{} for m["aud"] (which is allowed                                                                                                                                               ┃
┃                    ┃ by the specification). Because the type assertion fails, "" is the value of                                                                                                                                             ┃
┃                    ┃ aud. This is a security problem if the JWT token is presented to a service                                                                                                                                              ┃
┃                    ┃ that lacks its own audience check.                                                                                                                                                                                      ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ c16fb56d-9de6-4065-9fca-d2b4cfb13020                                                                                                                                                                                    ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 7.5/10 (High)                                                                                                                                                                                                           ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N                                                                                                                                                                            ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ ossindex.sonatype.org/vulnerability/c16fb56d-9de6-4065-9fca-d2b4cfb13020?component-type=golang&component-name=github.com%2Fdgrijalva%2Fjwt-go&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.20         ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
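The research above walks the module graph by hand with repeated `go mod graph | grep` calls. The following is an added example, not code from the go-git project or this PR, that does the same walk programmatically: it parses `go mod graph` output and runs a breadth-first search from the main module to the first node whose module path matches the advisory's package. The edge list is constructed to mirror the cobra -> viper -> crypt -> etcd -> jwt-go chain the PR describes; the versions are placeholders and the module paths for crypt and etcd are assumed, not taken from go-git's go.mod.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleGraph is constructed `go mod graph` output, one "parent child" edge per
// line, modelled on the chain the PR describes (cobra -> viper -> crypt ->
// etcd -> jwt-go). Versions are placeholders, not the real ones from go-git's
// go.mod, and the module paths for crypt and etcd are assumed.
const sampleGraph = `example.test/root github.com/spf13/cobra@v0.0.0-placeholder
example.test/root github.com/stretchr/testify@v0.0.0-placeholder
github.com/spf13/cobra@v0.0.0-placeholder github.com/spf13/viper@v0.0.0-placeholder
github.com/spf13/viper@v0.0.0-placeholder github.com/bketelsen/crypt@v0.0.0-placeholder
github.com/bketelsen/crypt@v0.0.0-placeholder go.etcd.io/etcd@v0.0.0-placeholder
go.etcd.io/etcd@v0.0.0-placeholder github.com/dgrijalva/jwt-go@v0.0.0-placeholder
`

// parseGraph turns the edge list into an adjacency map keyed by the exact
// "module@version" string go mod graph prints (the main module has no version).
func parseGraph(out string) map[string][]string {
	graph := make(map[string][]string)
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // blank or malformed line
		}
		graph[fields[0]] = append(graph[fields[0]], fields[1])
	}
	return graph
}

// modulePath strips the "@version" suffix so a node can be matched against the
// module path named in an advisory regardless of which version is pinned.
func modulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// findPath runs a breadth-first search from root and returns the shortest
// chain of nodes ending at the first node whose module path equals target,
// or nil when the target is not reachable from root at all.
func findPath(graph map[string][]string, root, target string) []string {
	visited := map[string]bool{root: true}
	queue := [][]string{{root}}
	for len(queue) > 0 {
		path := queue[0]
		queue = queue[1:]
		last := path[len(path)-1]
		if modulePath(last) == target {
			return path
		}
		for _, next := range graph[last] {
			if visited[next] {
				continue
			}
			visited[next] = true
			// copy before appending so sibling paths do not share a backing array
			queue = append(queue, append(append([]string{}, path...), next))
		}
	}
	return nil
}

func main() {
	graph := parseGraph(sampleGraph)
	path := findPath(graph, "example.test/root", "github.com/dgrijalva/jwt-go")
	if path == nil {
		fmt.Println("flagged module not reachable from the main module")
		return
	}
	// Module-graph reachability is only an upper bound: as the PR notes, the
	// package actually compiled in (etcd/client) may never import the flagged one.
	fmt.Println(strings.Join(path, " -> "))
}
```

On real output (`go mod graph > graph.txt`, then reading that file instead of the constant) the printed chain is the justification to attach to a scanner ignore entry; confirming that the linked packages are actually imported still requires a package-level check such as `go list -deps`, which is the step the PR did by reading Viper's source.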

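The Nancy report describes the defect behind CVE-2020-26160: a bare type assertion of the "aud" claim to string fails when the claim is an array (which the JWT specification allows), leaving "" as the audience. The following is an added example, not code from jwt-go or from this PR, that shows that failure mode beside the audience check a service should perform itself, which is the "own audience check" the advisory says is the safeguard. The claims payload is constructed; no signature verification is involved, only the claim comparison.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// claimsJSON is a constructed (not real) JWT payload whose "aud" claim is an
// array, a shape the specification permits.
const claimsJSON = `{"sub":"user-123","aud":["api.example.test","billing.example.test"]}`

// decodeClaims parses a JWT payload object into a generic map, the same shape
// a map-based claims type ends up with after JSON decoding.
func decodeClaims(payload string) (map[string]interface{}, error) {
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &m); err != nil {
		return nil, err
	}
	return m, nil
}

// naiveAudience mirrors the failure mode the advisory describes: a bare type
// assertion to string. When "aud" is an array the assertion fails and the zero
// value "" comes back, so any caller that treats an empty audience as
// "no restriction" is fooled.
func naiveAudience(m map[string]interface{}) string {
	aud, _ := m["aud"].(string)
	return aud
}

// verifyAudience is the hardened check: it accepts both claim shapes allowed
// by the specification (a single string or an array of strings), rejects any
// other type, and returns true only when expected is actually present.
func verifyAudience(m map[string]interface{}, expected string) bool {
	switch aud := m["aud"].(type) {
	case string:
		return aud == expected
	case []interface{}: // shape produced by encoding/json for a JSON array
		for _, v := range aud {
			if s, ok := v.(string); ok && s == expected {
				return true
			}
		}
		return false
	case []string: // shape when claims are built in Go rather than decoded
		for _, s := range aud {
			if s == expected {
				return true
			}
		}
		return false
	default: // missing aud or an unexpected type: fail closed
		return false
	}
}

func main() {
	m, err := decodeClaims(claimsJSON)
	if err != nil {
		panic(err)
	}
	fmt.Printf("naive aud: %q\n", naiveAudience(m))
	fmt.Println(verifyAudience(m, "api.example.test"))
	fmt.Println(verifyAudience(m, "other.example.test"))
}
```

The design point is to fail closed: a missing or malformed "aud" must be a rejection, never an empty string that a later comparison might wave through.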
@codecov

codecov bot commented May 2, 2021

Codecov Report

❗ No coverage uploaded for pull request base (main@710c2b0).
The diff coverage is n/a.


@@           Coverage Diff           @@
##             main     #113   +/-   ##
=======================================
  Coverage        ?   80.65%           
=======================================
  Files           ?       27           
  Lines           ?     1556           
  Branches        ?        0           
=======================================
  Hits            ?     1255           
  Misses          ?      173           
  Partials        ?      128           

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 710c2b0...99bcf4a.

@Nivl Nivl merged commit f82a758 into main May 2, 2021
@Nivl Nivl deleted the ci/nancy/ignore-CVE-2020-26160 branch May 2, 2021 10:39