Go stdlib vuln - please upgrade go version #3839

Open
tspearconquest opened this issue May 13, 2024 · 4 comments
Comments

@tspearconquest

What did you do?
Ran a trivy vuln scan on the alertmanager binary built from the main branch's current HEAD commit c4a763c401742f410580df35a4eedb8daef2a219

What did you expect to see?
No CVEs

What did you see instead? Under which circumstances?
CVE for the go standard library

Environment

  • Alertmanager version: v0.27.0

We built with golang 1.22.3; however, the go.mod requires a minimum of golang 1.21. To help mitigate these findings for future builds, I think we should bump the minimum go version in go.mod to 1.22.3 for future releases.

@codespearhead commented May 17, 2024

Please attach the output from the vulnerability scan.

@tspearconquest (Author) commented May 22, 2024

bin/alertmanager (gobinary)
===========================
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 1, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                             │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                     │ CVE-2023-45288 │ HIGH     │        │ 1.21.7            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of           │
│                            │                │          │        │                   │                │ CONTINUATION frames causes DoS                               │
│                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│                            ├────────────────┼──────────┤        │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-45289 │ MEDIUM   │        │                   │ 1.21.8, 1.22.1 │ golang: net/http/cookiejar: incorrect forwarding of          │
│                            │                │          │        │                   │                │ sensitive headers and cookies on HTTP redirect...            │
│                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45289                   │
│                            ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-45290 │          │        │                   │                │ golang: net/http: memory exhaustion in                       │
│                            │                │          │        │                   │                │ Request.ParseMultipartForm                                   │
│                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45290                   │
│                            ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24783 │          │        │                   │                │ golang: crypto/x509: Verify panics on certificates with an   │
│                            │                │          │        │                   │                │ unknown public key algorithm...                              │
│                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24783                   │
│                            ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24784 │          │        │                   │                │ golang: net/mail: comments in display names are incorrectly  │
│                            │                │          │        │                   │                │ handled                                                      │
│                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24784                   │
│                            ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24785 │          │        │                   │                │ golang: html/template: errors returned from MarshalJSON      │
│                            │                │          │        │                   │                │ methods may break template escaping                          │
│                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24785                   │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘

bin/amtool (gobinary)
=====================
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 1, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                             │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                     │ CVE-2023-45288 │ HIGH     │        │ 1.21.7            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of           │
│                            │                │          │        │                   │                │ CONTINUATION frames causes DoS                               │
│                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│                            ├────────────────┼──────────┤        │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-45289 │ MEDIUM   │        │                   │ 1.21.8, 1.22.1 │ golang: net/http/cookiejar: incorrect forwarding of          │
│                            │                │          │        │                   │                │ sensitive headers and cookies on HTTP redirect...            │
│                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45289                   │
│                            ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-45290 │          │        │                   │                │ golang: net/http: memory exhaustion in                       │
│                            │                │          │        │                   │                │ Request.ParseMultipartForm                                   │
│                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45290                   │
│                            ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24783 │          │        │                   │                │ golang: crypto/x509: Verify panics on certificates with an   │
│                            │                │          │        │                   │                │ unknown public key algorithm...                              │
│                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24783                   │
│                            ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24784 │          │        │                   │                │ golang: net/mail: comments in display names are incorrectly  │
│                            │                │          │        │                   │                │ handled                                                      │
│                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24784                   │
│                            ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24785 │          │        │                   │                │ golang: html/template: errors returned from MarshalJSON      │
│                            │                │          │        │                   │                │ methods may break template escaping                          │
│                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24785                   │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘

@zecke (Contributor) commented May 26, 2024

Could you please clarify, as I haven't worked with trivy before? The first comment mentions the binary was compiled with go 1.22.3, and yet trivy claims that 1.21.7 of the Go stdlib was used?

According to the go.mod reference (https://go.dev/ref/mod#go-mod-file-go), the version indicates that a module was written assuming the semantics of a given version of Go. In this case we still assume go1.21 semantics (e.g. how loop variables are captured).

@tspearconquest (Author) commented May 28, 2024

Apologies for that - allow me to clarify.

My comment about building alertmanager with golang 1.22.3 means that after we built alertmanager internally with a Go version higher than 1.22.1, the finding stopped being reported.

What this tells me is that trivy can tell which version of Go was used to build the binary and will not report a finding for this vulnerability when built with Go 1.22.2 or higher even though the go.mod references Go 1.21 (1.21.0 is assumed, which has the vulnerability.)

When the project's CI builds alertmanager, if it's building with Go before 1.22.2 or before 1.21.9, then this vulnerability is potentially being shipped in alertmanager. If it's not, then only people who build alertmanager from source using a vulnerable version of Go are affected anyway, and there's probably not much to worry about in that case, since very few people outside of project contributors do so.
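The point the last two comments circle around is that a scanner like trivy keys its stdlib findings on the toolchain version stamped into the binary's build info, not on the `go` directive in go.mod. The following is an added example (it is not Alertmanager's or trivy's code) that reads that stamp with the standard library's `debug/buildinfo` package and applies the same "fixed version" logic the scan table above uses: for CVE-2023-45288 the fixed versions are 1.21.9 and 1.22.2, so a build is fixed if its patch level meets the fix on its own minor line, or if it is on a newer minor line than any listed. The rules for pre-releases, for a bare "go1.21" (treated as 1.21.0, as the comment above describes), and for minor lines older than any fix are assumptions made for this example, not something the page or trivy specifies.

```go
// Added example (not Alertmanager or trivy code): report the Go toolchain
// recorded in a compiled binary and check it against the fixed versions
// listed for one CVE in the trivy output above.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goVersion is the numeric part of a "go1.22.3" toolchain string.
// Assumptions for this example: a version without a patch ("go1.21") is
// patch 0, and a pre-release ("go1.22rc1") gets patch -1 so it compares
// older than every release on its minor line.
type goVersion struct{ major, minor, patch int }

// parseGoVersion accepts "go1.21.7", "1.21.7", "go1.21" or a buildinfo
// string with experiment suffixes such as "go1.22.3 X:boringcrypto".
func parseGoVersion(s string) (goVersion, error) {
	fields := strings.Fields(s)
	if len(fields) == 0 {
		return goVersion{}, fmt.Errorf("empty go version")
	}
	s = strings.TrimPrefix(fields[0], "go")
	parts := strings.SplitN(s, ".", 3)
	if len(parts) < 2 {
		return goVersion{}, fmt.Errorf("malformed go version %q", s)
	}
	nums := [3]int{}
	pre := false
	for i, p := range parts {
		j := 0 // length of the leading digit run
		for j < len(p) && p[j] >= '0' && p[j] <= '9' {
			j++
		}
		if j == 0 {
			return goVersion{}, fmt.Errorf("malformed go version %q", s)
		}
		n, err := strconv.Atoi(p[:j])
		if err != nil {
			return goVersion{}, err
		}
		nums[i] = n
		if j < len(p) { // trailing "rc1", "beta2": pre-release
			pre = true
		}
	}
	v := goVersion{nums[0], nums[1], nums[2]}
	if pre {
		v.patch = -1
	}
	return v, nil
}

// mustParseAll parses a list of fixed versions as printed by the scanner.
func mustParseAll(ss ...string) []goVersion {
	out := make([]goVersion, 0, len(ss))
	for _, s := range ss {
		v, err := parseGoVersion(s)
		if err != nil {
			panic(err)
		}
		out = append(out, v)
	}
	return out
}

// isFixed reports whether installed carries the fix for a CVE whose fixed
// versions are given (e.g. 1.21.9 and 1.22.2). On a minor line that has a
// fix, the patch must be at least the fixed patch. A minor line newer than
// all listed fixes is assumed fixed; one older than any listed fix is
// assumed vulnerable (assumption: unsupported lines never got the fix).
func isFixed(installed goVersion, fixed []goVersion) bool {
	newerThanAll := len(fixed) > 0
	for _, f := range fixed {
		if f.major == installed.major && f.minor == installed.minor {
			return installed.patch >= f.patch
		}
		newer := installed.major > f.major ||
			(installed.major == f.major && installed.minor > f.minor)
		if !newer {
			newerThanAll = false
		}
	}
	return newerThanAll
}

// toolchainOf returns the compiler version stamped into the binary at path
// (e.g. "go1.22.3"). This is the toolchain that built it, which is what a
// binary scanner sees; it is not the go.mod "go" directive.
func toolchainOf(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

func main() {
	// Default to inspecting this program's own binary so the example runs stand-alone.
	path, err := os.Executable()
	if len(os.Args) > 1 {
		path, err = os.Args[1], nil
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	tc, err := toolchainOf(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	installed, err := parseGoVersion(tc)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	// Fixed versions for CVE-2023-45288 as listed in the scan output above.
	fixed := mustParseAll("1.21.9", "1.22.2")
	fmt.Printf("%s: built with %s; CVE-2023-45288 fixed: %v\n", path, tc, isFixed(installed, fixed))
}
```

Run it as `go run check.go bin/alertmanager` (file name assumed) to see the same toolchain string trivy reports; `go version -m bin/alertmanager` prints the same build info from the command line. Because the stamp comes from the compiler that produced the binary, bumping `go 1.21` in go.mod changes language semantics for contributors but does not by itself change what a scanner reports for a release; the toolchain used by the release pipeline does.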
