Upgrade `nats-io/jwt` to fix false positive vulnerability
rubur-webbeds opened this issue · 3 comments
Hello team,
When having the latest `nsc` version in an image, our vuln scanner trivy detects GHSA-62mh-w5cv-p88c.
We think it's a false positive as it is fixed in #514, but v1.2.3 seems to have never been released. Therefore the scanner is not aware that it is actually fixed in v1.2.3.
We see two ways forward:
- Upgrade `nats-io/jwt` to version >= 2.0.1.
- Update the vulnerability database to make the scanner aware of v1.2.3 (we have no clue how that would work).
Steps to reproduce
Create this Dockerfile:

```dockerfile
FROM alpine
RUN wget https://github.com/nats-io/nsc/releases/download/v2.7.6/nsc-linux-arm64.zip
RUN unzip nsc-linux-arm64.zip
RUN chmod +x nsc
```

Build with this command: `docker build -t nsc-local .`
When running a vulnerability scan with trivy, we got the following:

```
$ trivy -v
Version: 0.32.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-12-23 06:06:46.090169937 +0000 UTC
  NextUpdate: 2022-12-23 12:06:46.090169537 +0000 UTC
  DownloadedAt: 2022-12-23 10:29:37.322549 +0000 UTC

$ trivy image nsc-local
2022-12-23T11:37:22.340+0100 INFO Vulnerability scanning is enabled
2022-12-23T11:37:22.340+0100 INFO Secret scanning is enabled
2022-12-23T11:37:22.340+0100 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-12-23T11:37:22.340+0100 INFO Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-12-23T11:37:22.394+0100 INFO Detected OS: alpine
2022-12-23T11:37:22.394+0100 INFO This OS version is not on the EOL list: alpine 3.17
2022-12-23T11:37:22.394+0100 INFO Detecting Alpine vulnerabilities...
2022-12-23T11:37:22.397+0100 INFO Number of language-specific files: 1
2022-12-23T11:37:22.397+0100 INFO Detecting gobinary vulnerabilities...

nsc-local (alpine 3.17.0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

nsc (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

┌────────────────────────┬─────────────────────┬──────────┬──────────────────────────────────────┬───────────────┬───────────────────────────────────────────────────┐
│        Library         │    Vulnerability    │ Severity │          Installed Version           │ Fixed Version │                       Title                       │
├────────────────────────┼─────────────────────┼──────────┼──────────────────────────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ github.com/nats-io/jwt │ GHSA-62mh-w5cv-p88c │ CRITICAL │ v1.2.3-0.20210314221642-a826c77dc9d2 │ v2.0.1        │ Import token permissions checking not enforced    │
│                        │                     │          │                                      │               │ https://github.com/advisories/GHSA-62mh-w5cv-p88c │
└────────────────────────┴─────────────────────┴──────────┴──────────────────────────────────────┴───────────────┴───────────────────────────────────────────────────┘
```
Is it possible to upgrade the `nats-io/jwt` dependency to >= 2.0.1? Or any other suggestion on how to move forward?
Many thanks
This was not a false positive in terms of "what code exists in the binary", but is a false positive in terms of "vulnerable code can be called". A tiny bug accidentally pulled v1 of the jwt library into the nsc binaries, not just the tests. That import could not possibly be used for any code, so it's "safe", but it's unreasonable to expect the scanner to detect that.
We're "very likely" to release nsc version 2.7.7 soon, we're just doing a sweep for anything else we need to include in a 2.7.x patch release now.
Please pretend that I never said anything about 2.7.7. 2.7.7 is a figment of my imagination. 2.7.7 hit ... release engineering issues, and I abandoned the tag rather than publicly push an updated tag.
Version 2.7.8 of nsc is now available, and:
- our CI system now rejects pushes where the nsc binary lets jwt v1 leak back in
- I have run through the installer flow and triple-checked that only jwt/v2 is in the release binaries.
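A release gate of the kind described in the comment above, as an added example that is not the nsc project's own CI code: it reads the module list that `go version -m` prints for a built Go binary and fails when the v1 module path `github.com/nats-io/jwt` (as opposed to `github.com/nats-io/jwt/v2`) is linked in. The `sampleOutput`, its `h1:` sums and the `forbidden` set are constructed for the example; the v1 version string is the one trivy reported in this issue.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// Module paths that must never be linked into a release binary. The v1 jwt
// path has no /v2 suffix, so an exact match can never flag jwt/v2.
var forbidden = map[string]bool{"github.com/nats-io/jwt": true}

// leakedModules parses `go version -m <binary>` output and returns "path version"
// for every "\tdep\t<path>\t<version>\th1:<sum>" line whose path is forbidden.
func leakedModules(goVersionOutput string) []string {
	var leaks []string
	sc := bufio.NewScanner(strings.NewReader(goVersionOutput))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 || f[0] != "dep" {
			continue // skip header, path, mod, build and "=>" replace lines
		}
		if forbidden[f[1]] {
			leaks = append(leaks, f[1]+" "+f[2])
		}
	}
	return leaks
}

// Constructed sample (not real nsc output); the h1: sums are placeholders.
var sampleOutput = "nsc: go1.19\n" +
	"\tmod\tgithub.com/nats-io/nsc\tv2.7.6\th1:PLACEHOLDER=\n" +
	"\tdep\tgithub.com/nats-io/jwt\tv1.2.3-0.20210314221642-a826c77dc9d2\th1:PLACEHOLDER=\n" +
	"\tdep\tgithub.com/nats-io/jwt/v2\tv2.0.1\th1:PLACEHOLDER=\n"

func main() {
	out := sampleOutput
	if fi, err := os.Stdin.Stat(); err == nil && fi.Mode()&os.ModeCharDevice == 0 {
		if b, _ := io.ReadAll(os.Stdin); len(b) > 0 {
			out = string(b) // piped `go version -m ./nsc` output replaces the sample
		}
	}
	if leaks := leakedModules(out); len(leaks) > 0 {
		fmt.Println("release gate FAILED, forbidden modules linked:", leaks)
		os.Exit(1)
	}
	fmt.Println("release gate passed")
}
```

In CI, run `go version -m ./nsc | go run check.go` after the build and let the non-zero exit status block the push; without piped input the program checks the constructed sample, which deliberately contains the v1 leak.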
After upgrading `nsc` to v2.7.8, no vulnerability was detected.
Many thanks