ory/fosite

Security vulnerability complaint from nancy?

tomqwpl opened this issue · 4 comments

I've been experimenting with using fosite as a library in a product.
It's gone well, I've done what I wanted to do with it.
Having run nancy on the result though, it's complaining that github.com/gobuffalo/packr@1.22.0 has a vulnerability.

So I'm trying to work out how to avoid this.

What's odd is that I can't see anything in the go.mod file here, or in the .nancy-ignore file, nor can I see anything in the hydra repository that would indicate that the version was being replaced with something else, or the vulnerability being ignored due to the code not actually being used.

The vulnerability has been fixed, but only in something like v2.3.2 of packr, so my guess is doing a simple replace to that isn't likely to work (different major version).

I'm not attempting to report a security vulnerability here, I'm attempting to understand why the build of fosite or hydra doesn't also encounter the same issue, what's been done to remove the complaint.

Apologies if this isn't the right forum. I appreciate I haven't followed the issue template, but the link to the forum doesn't work and I'm not on Slack.

Thanks

In fact it does encounter the same issue, if I do the same as I'm doing on my build. So my makefile is:

# Host platform, used to pick the matching nancy release binary.
HOSTOS := $(shell go env GOHOSTOS)
HOSTARCH := $(shell go env GOHOSTARCH)

NANCY_VERSION := v1.0.1

NANCY := "https://github.com/sonatype-nexus-community/nancy/releases/download/${NANCY_VERSION}/nancy-${HOSTOS}.${HOSTARCH}-${NANCY_VERSION}.exe"

# Download the nancy binary once into bin/. The same file name is used in the
# chmod and in the scan target below, so they refer to the file actually downloaded.
bin/nancy.exe:
	@if [ ! -d bin ]; then mkdir bin; fi
	curl -sfL $(NANCY) -o "bin/nancy.exe"
ifndef COMSPEC
	chmod +x bin/nancy.exe
endif

# Feed the full module list (direct and transitive) to nancy for scanning.
.PHONY: nancy
nancy: bin/nancy.exe
	go list -json -m all | bin/nancy.exe sleuth

Running "make nancy" produces a complaint that github.com/gobuffalo/packr@1.22.0 has the "CWE-23: Relative Path Traversal" vulnerability.

@aeneasr So do I take it that I was just unlucky and this vulnerability had only just been reported? Your fix seems to predate my raising this by a couple of hours.

I've manually added a replace for gobuffalo/packr to version 1.30.1, and that seems to fix things.
Thanks.
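To make concrete what the `go list -json -m all | nancy sleuth` pipeline above is looking at, and why a `replace` directive silences the complaint, here is an added example (my own code, not part of this thread, fosite or nancy) that parses a constructed `go list -json -m all` stream and matches module versions against a small advisory table. The advisory range (packr below v1.30.1, the version the thread reports as fixing things) and the rule that a replaced module is judged by its replacement version are assumptions used for illustration, not nancy's actual matching logic.

```python
import json
from typing import Iterator, List, Optional, Tuple

# Constructed sample of `go list -json -m all` output: a stream of concatenated JSON
# objects, one per module (not real project output).
SAMPLE_GO_LIST = """
{"Path": "example.com/myproduct", "Main": true}
{"Path": "github.com/ory/fosite", "Version": "v0.30.0"}
{"Path": "github.com/gobuffalo/packr", "Version": "v1.22.0"}
"""

# The same stream after adding
#   replace github.com/gobuffalo/packr => github.com/gobuffalo/packr v1.30.1
# to go.mod: the original requirement stays, but a Replace block is reported.
SAMPLE_GO_LIST_REPLACED = """
{"Path": "github.com/ory/fosite", "Version": "v0.30.0"}
{"Path": "github.com/gobuffalo/packr", "Version": "v1.22.0",
 "Replace": {"Path": "github.com/gobuffalo/packr", "Version": "v1.30.1"}}
"""

# Constructed advisory table: module path -> (first fixed version, finding).
# The affected range is an assumption for this example.
ADVISORIES = {"github.com/gobuffalo/packr": ("v1.30.1", "CWE-23: Relative Path Traversal")}

def parse_go_list(stream: str) -> Iterator[dict]:
    """Yield each JSON object from a concatenated `go list -json` stream."""
    decoder, pos = json.JSONDecoder(), 0
    while True:
        while pos < len(stream) and stream[pos].isspace():
            pos += 1
        if pos >= len(stream):
            return
        obj, pos = decoder.raw_decode(stream, pos)
        yield obj

def semver_key(version: str) -> Tuple[int, ...]:
    """Turn 'v1.22.0' (pre-release/build metadata stripped) into a comparable tuple."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))

def effective_module(mod: dict) -> Tuple[str, Optional[str]]:
    """Path and version that actually get built: the Replace target if present."""
    rep = mod.get("Replace")
    if rep:
        return rep.get("Path", mod["Path"]), rep.get("Version")  # local dir replace has no Version
    return mod["Path"], mod.get("Version")

def find_vulnerable(stream: str) -> List[Tuple[str, str, str]]:
    """Return (path, version, finding) for every non-main module below its fixed version."""
    hits = []
    for mod in parse_go_list(stream):
        if mod.get("Main"):
            continue
        path, version = effective_module(mod)
        advisory = ADVISORIES.get(path)
        if advisory and version and semver_key(version) < semver_key(advisory[0]):
            hits.append((path, version, advisory[1]))
    return hits
```

Run `find_vulnerable` on both samples: the first reports packr v1.22.0, the replaced stream reports nothing, which mirrors what the replace directive did to the nancy output above.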

Yeah, also fosite doesn't use packr, it's just a transient dependency. The vulnerability is also just one that would be working if you have server access, if it were actually used.