Created October 19, 2023 20:01
govulncheck output on celestia-core
$ go1.20 run golang.org/x/vuln/cmd/govulncheck@latest ./...
Scanning your code and 578 packages across 95 dependent modules for known vulnerabilities...
Vulnerability #1: GO-2023-2102
HTTP/2 rapid reset can cause excessive work in net/http
More info: https://pkg.go.dev/vuln/GO-2023-2102
Standard library
Found in: net/http@go1.20
Fixed in: net/http@go1.21.3
Example traces found:
#1: node/node.go:961:65: node.NewNode calls http.ListenAndServe
#2: cmd/contract_tests/main.go:31:14: contract_tests.main calls hooks.Server.Serve, which calls http.Serve
#3: node/node.go:1323:31: node.startPrometheusServer calls http.Server.ListenAndServe
#4: rpc/jsonrpc/server/http_server.go:62:16: server.Serve calls http.Server.Serve
#5: rpc/jsonrpc/server/http_server.go:88:19: server.ServeTLS calls http.Server.ServeTLS
Vulnerability #2: GO-2023-2043
Improper handling of special tags within script contexts in html/template
More info: https://pkg.go.dev/vuln/GO-2023-2043
Standard library
Found in: html/template@go1.20
Fixed in: html/template@go1.21.1
Example traces found:
#1: test/fuzz/rpc/jsonrpc/server/handler.go:30:15: server.Fuzz calls http.ServeMux.ServeHTTP, which eventually calls template.Template.Execute
#2: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls template.Template.ExecuteTemplate
Vulnerability #3: GO-2023-2041
Improper handling of HTML-like comments in script contexts in html/template
More info: https://pkg.go.dev/vuln/GO-2023-2041
Standard library
Found in: html/template@go1.20
Fixed in: html/template@go1.21.1
Example traces found:
#1: test/fuzz/rpc/jsonrpc/server/handler.go:30:15: server.Fuzz calls http.ServeMux.ServeHTTP, which eventually calls template.Template.Execute
#2: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls template.Template.ExecuteTemplate
Vulnerability #4: GO-2023-1987
Large RSA keys can cause high CPU usage in crypto/tls
More info: https://pkg.go.dev/vuln/GO-2023-1987
Standard library
Found in: crypto/tls@go1.20
Fixed in: crypto/tls@go1.21rc4
Example traces found:
#1: state/indexer/sink/psql/psql.go:115:26: psql.insertEvents calls sql.Tx.Exec, which eventually calls tls.Conn.Handshake
#2: rpc/jsonrpc/server/http_server.go:62:16: server.Serve calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext
#3: libs/autofile/group.go:479:30: autofile.GroupReader.Read calls bufio.Reader.Read, which calls tls.Conn.Read
#4: libs/autofile/group.go:216:27: autofile.Group.WriteLine calls bufio.Writer.Write, which calls tls.Conn.Write
#5: rpc/jsonrpc/client/http_json_client.go:213:34: client.Client.Call calls http.Client.Do, which eventually calls tls.Dialer.DialContext
Vulnerability #5: GO-2023-1878
Insufficient sanitization of Host header in net/http
More info: https://pkg.go.dev/vuln/GO-2023-1878
Standard library
Found in: net/http@go1.20
Fixed in: net/http@go1.20.6
Example traces found:
#1: pkg/trace/client.go:74:16: trace.Client.Stop calls influxdb.clientImpl.Close, which calls http.Client.CloseIdleConnections
#2: rpc/jsonrpc/client/http_json_client.go:213:34: client.Client.Call calls http.Client.Do
#3: libs/cli/setup.go:89:26: cli.Executor.Execute calls cobra.Command.Execute, which eventually calls http.Client.Get
#4: p2p/upnp/upnp.go:205:20: upnp.getServiceURL calls http.Get
#5: rpc/jsonrpc/client/ws_client.go:270:29: client.WSClient.dial calls websocket.Dialer.Dial, which eventually calls http.Request.Write
Vulnerability #6: GO-2023-1840
Unsafe behavior in setuid/setgid binaries in runtime
More info: https://pkg.go.dev/vuln/GO-2023-1840
Standard library
Found in: runtime@go1.20
Fixed in: runtime@go1.20.5
Example traces found:
#1: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls runtime.BlockProfile
#2: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls runtime.StackRecord.Stack
#3: abci/server/grpc_server.go:46:27: server.GRPCServer.OnStart calls grpc.NewServer, which calls runtime.Caller
#4: test/maverick/consensus/wal_generator.go:71:11: consensus.WALGenerateNBlocks calls testing.common.Cleanup, which calls runtime.Callers
#5: rpc/jsonrpc/server/http_server.go:241:30: server.responseWriterWrapper.WriteHeader calls http.response.WriteHeader, which eventually calls runtime.CallersFrames
#6: rpc/jsonrpc/server/http_server.go:241:30: server.responseWriterWrapper.WriteHeader calls http.response.WriteHeader, which eventually calls runtime.Frames.Next
#7: libs/log/tmfmt_logger.go:121:26: log.tmfmtLogger.Log calls logfmt.Encoder.EncodeKeyval, which eventually calls runtime.Func.FileLine
#8: rpc/client/mocks/client.go:853:18: mocks.Client.Validators calls mock.Mock.Called, which calls runtime.Func.Name
#9: rpc/client/mocks/client.go:853:18: mocks.Client.Validators calls mock.Mock.Called, which calls runtime.FuncForPC
#10: rpc/jsonrpc/server/ws_handler.go:381:29: server.wsConnection.readRoutine calls reflect.Value.Call, which eventually calls runtime.GC
#11: libs/log/tmfmt_logger.go:51:29: log.tmfmtLogger.Log calls sync.Pool.Get, which eventually calls runtime.GOMAXPROCS
#12: abci/server/grpc_server.go:60:15: server.GRPCServer.OnStop calls grpc.Server.Stop, which eventually calls runtime.GOROOT
#13: crypto/internal/benchmarking/bench.go:43:13: benchmarking.BenchmarkSigning calls testing.common.FailNow, which calls runtime.Goexit
#14: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls runtime.Gosched
#15: libs/autofile/autofile.go:140:24: autofile.AutoFile.Write calls os.File.Write, which eventually calls runtime.KeepAlive
#16: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls runtime.MemProfile
#17: statesync/snapshots.go:167:12: statesync.snapshotPool.Ranked calls sort.Slice, which eventually calls runtime.MemProfileRecord.InUseBytes
#18: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls runtime.MemProfileRecord.InUseObjects
#19: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls runtime.MemProfileRecord.Stack
#20: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls runtime.MutexProfile
#21: mempool/v1/mempool.go:681:58: mempool.recheckTransactions calls runtime.NumCPU
#22: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls runtime.NumGoroutine
#23: crypto/internal/benchmarking/bench.go:58:14: benchmarking.BenchmarkVerification calls testing.B.ResetTimer, which calls runtime.ReadMemStats
#24: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls runtime.ReadTrace
#25: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls runtime.SetCPUProfileRate
#26: libs/autofile/group.go:448:26: autofile.GroupReader.Close calls os.File.Close, which eventually calls runtime.SetFinalizer
#27: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls runtime.SetMutexProfileFraction
#28: libs/cli/setup.go:94:28: cli.Executor.Execute calls runtime.Stack
#29: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls runtime.StartTrace
#30: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls runtime.StopTrace
#31: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls runtime.ThreadCreateProfile
#32: rpc/jsonrpc/types/types.go:242:68: types.RPCInternalError calls runtime.TypeAssertionError.Error
#33: test/maverick/node/node.go:15:2: node.init calls prometheus.init, which eventually calls runtime.Version
#34: mempool/v1/mempool.go:5:2: mempool.init calls runtime.init, which calls runtime.efaceOf
#35: rpc/jsonrpc/types/types.go:242:68: types.RPCInternalError calls runtime.errorAddressString.Error
#36: rpc/jsonrpc/types/types.go:242:68: types.RPCInternalError calls runtime.errorString.Error
#37: mempool/v1/mempool.go:5:2: mempool.init calls runtime.init, which eventually calls runtime.findfunc
#38: mempool/v1/mempool.go:5:2: mempool.init calls runtime.init, which calls runtime.float64frombits
#39: mempool/v1/mempool.go:5:2: mempool.init calls runtime.init, which eventually calls runtime.forcegchelper
#40: mempool/v1/mempool.go:5:2: mempool.init calls runtime.init, which eventually calls runtime.funcMaxSPDelta
#41: mempool/v1/mempool.go:5:2: mempool.init calls runtime.init, which eventually calls runtime.lockInit
#42: rpc/jsonrpc/types/types.go:242:68: types.RPCInternalError calls runtime.plainError.Error
#43: mempool/v1/mempool.go:5:2: mempool.init calls runtime.init, which eventually calls runtime.throw
Vulnerability #7: GO-2023-1753
Improper handling of empty HTML attributes in html/template
More info: https://pkg.go.dev/vuln/GO-2023-1753
Standard library
Found in: html/template@go1.20
Fixed in: html/template@go1.20.4
Example traces found:
#1: test/fuzz/rpc/jsonrpc/server/handler.go:30:15: server.Fuzz calls http.ServeMux.ServeHTTP, which eventually calls template.Template.Execute
#2: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls template.Template.ExecuteTemplate
Vulnerability #8: GO-2023-1752
Improper handling of JavaScript whitespace in html/template
More info: https://pkg.go.dev/vuln/GO-2023-1752
Standard library
Found in: html/template@go1.20
Fixed in: html/template@go1.20.4
Example traces found:
#1: test/fuzz/rpc/jsonrpc/server/handler.go:30:15: server.Fuzz calls http.ServeMux.ServeHTTP, which eventually calls template.Template.Execute
#2: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls template.Template.ExecuteTemplate
Vulnerability #9: GO-2023-1751
Improper sanitization of CSS values in html/template
More info: https://pkg.go.dev/vuln/GO-2023-1751
Standard library
Found in: html/template@go1.20
Fixed in: html/template@go1.20.4
Example traces found:
#1: test/fuzz/rpc/jsonrpc/server/handler.go:30:15: server.Fuzz calls http.ServeMux.ServeHTTP, which eventually calls template.Template.Execute
#2: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls template.Template.ExecuteTemplate
Vulnerability #10: GO-2023-1705
Excessive resource consumption in net/http, net/textproto and mime/multipart
More info: https://pkg.go.dev/vuln/GO-2023-1705
Standard library
Found in: net/textproto@go1.20
Fixed in: net/textproto@go1.20.3
Example traces found:
#1: rpc/jsonrpc/server/http_server.go:62:16: server.Serve calls http.Server.Serve, which eventually calls textproto.Reader.ReadMIMEHeader
#2: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls multipart.Reader.ReadForm
Vulnerability #11: GO-2023-1704
Excessive memory allocation in net/http and net/textproto
More info: https://pkg.go.dev/vuln/GO-2023-1704
Standard library
Found in: net/textproto@go1.20
Fixed in: net/textproto@go1.20.3
Example traces found:
#1: rpc/jsonrpc/server/http_server.go:62:16: server.Serve calls http.Server.Serve, which eventually calls textproto.Reader.ReadMIMEHeader
Vulnerability #12: GO-2023-1703
Backticks not treated as string delimiters in html/template
More info: https://pkg.go.dev/vuln/GO-2023-1703
Standard library
Found in: html/template@go1.20
Fixed in: html/template@go1.20.3
Example traces found:
#1: test/fuzz/rpc/jsonrpc/server/handler.go:30:15: server.Fuzz calls http.ServeMux.ServeHTTP, which eventually calls template.Template.Execute
#2: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls template.Template.ExecuteTemplate
Vulnerability #13: GO-2023-1621
Incorrect calculation on P256 curves in crypto/internal/nistec
More info: https://pkg.go.dev/vuln/GO-2023-1621
Standard library
Found in: crypto/internal/nistec@go1.20
Fixed in: crypto/internal/nistec@go1.20.2
Example traces found:
#1: rpc/jsonrpc/server/http_server.go:62:16: server.Serve calls http.Server.Serve, which eventually calls nistec.P256OrdInverse
#2: rpc/jsonrpc/server/http_server.go:88:19: server.ServeTLS calls http.Server.ServeTLS, which eventually calls nistec.P256Point.ScalarBaseMult
#3: rpc/jsonrpc/server/http_server.go:62:16: server.Serve calls http.Server.Serve, which eventually calls nistec.P256Point.ScalarMult
Vulnerability #14: GO-2023-1571
Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
More info: https://pkg.go.dev/vuln/GO-2023-1571
Standard library
Found in: net/http@go1.20
Fixed in: net/http@go1.20.1
Example traces found:
#1: rpc/jsonrpc/client/http_json_client.go:213:34: client.Client.Call calls http.Client.Do
#2: libs/cli/setup.go:89:26: cli.Executor.Execute calls cobra.Command.Execute, which eventually calls http.Client.Get
#3: p2p/upnp/upnp.go:205:20: upnp.getServiceURL calls http.Get
#4: node/node.go:961:65: node.NewNode calls http.ListenAndServe
#5: cmd/contract_tests/main.go:31:14: contract_tests.main calls hooks.Server.Serve, which calls http.Serve
#6: node/node.go:1323:31: node.startPrometheusServer calls http.Server.ListenAndServe
#7: rpc/jsonrpc/server/http_server.go:62:16: server.Serve calls http.Server.Serve
#8: rpc/jsonrpc/server/http_server.go:88:19: server.ServeTLS calls http.Server.ServeTLS
Vulnerability #15: GO-2023-1570
Panic on large handshake records in crypto/tls
More info: https://pkg.go.dev/vuln/GO-2023-1570
Standard library
Found in: crypto/tls@go1.20
Fixed in: crypto/tls@go1.20.1
Example traces found:
#1: state/indexer/sink/psql/psql.go:115:26: psql.insertEvents calls sql.Tx.Exec, which eventually calls tls.Conn.Handshake
#2: rpc/jsonrpc/server/http_server.go:62:16: server.Serve calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext
#3: libs/autofile/group.go:479:30: autofile.GroupReader.Read calls bufio.Reader.Read, which calls tls.Conn.Read
#4: libs/autofile/group.go:216:27: autofile.Group.WriteLine calls bufio.Writer.Write, which calls tls.Conn.Write
#5: rpc/jsonrpc/client/http_json_client.go:213:34: client.Client.Call calls http.Client.Do, which eventually calls tls.Dialer.DialContext
Vulnerability #16: GO-2023-1569
Excessive resource consumption in mime/multipart
More info: https://pkg.go.dev/vuln/GO-2023-1569
Standard library
Found in: mime/multipart@go1.20
Fixed in: mime/multipart@go1.20.1
Example traces found:
#1: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls multipart.Reader.ReadForm
Vulnerability #17: GO-2023-1568
Path traversal on Windows in path/filepath
More info: https://pkg.go.dev/vuln/GO-2023-1568
Standard library
Found in: path/filepath@go1.20
Fixed in: path/filepath@go1.20.1
Platforms: windows
Example traces found:
#1: libs/autofile/group.go:81:26: autofile.OpenGroup calls filepath.Abs
#2: test/e2e/node/main.go:276:21: node.setupNode calls viper.AddConfigPath, which eventually calls filepath.Clean
#3: consensus/wal.go:92:37: consensus.NewWAL calls filepath.Dir
#4: config/config.go:973:45: config.DefaultConsensusConfig calls filepath.Join
#5: test/e2e/generator/generate.go:402:36: generator.gitRepoLatestReleaseVersion calls git.PlainOpenWithOptions, which eventually calls filepath.Rel
#6: cmd/cometbft/commands/debug/io.go:30:22: debug.zipDir calls filepath.Walk
Your code is affected by 17 vulnerabilities from the Go standard library.
Share feedback at https://go.dev/s/govulncheck-feedback.
exit status 3
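Every finding above is in the Go standard library, found in go1.20 and fixed somewhere between go1.20.1 and go1.21.3, so the remediation is a toolchain upgrade rather than a go.mod change, and the version that closes all seventeen is the highest "Fixed in" line (go1.21.3, for GO-2023-2102). The traces also show which entry points are production code (rpc/jsonrpc/server, node, libs/autofile) and which are fuzz, e2e, benchmark or mock code, which is what decides priority. The following is an added example, not part of the gist or of celestia-core, that parses this text report format, computes the minimum fixing Go release (handling pre-release tags such as go1.21rc4, which must sort below go1.21.0), and flags findings whose entry points are all test-style paths. The path-prefix heuristic in TestOnly and the trimmed SampleReport are assumptions constructed for this example; the report layout it parses is the one printed above.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one "Vulnerability #N" block from govulncheck's text report.
type Finding struct {
	ID      string   // e.g. GO-2023-2102
	Title   string   // one-line summary printed under the ID
	FoundIn string   // e.g. net/http@go1.20
	FixedIn string   // e.g. net/http@go1.21.3
	Traces  []string // "file:line:col: caller calls callee" lines
}

var (
	vulnRe  = regexp.MustCompile(`^Vulnerability #\d+: (GO-\d{4}-\d+)$`)
	traceRe = regexp.MustCompile(`^#\d+: (.+)$`)
	goVerRe = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?(?:(?:rc|beta)(\d+))?$`)
)

// ParseGovulncheck parses the human-readable govulncheck report into findings.
func ParseGovulncheck(report string) []Finding {
	var findings []Finding
	var cur *Finding
	sc := bufio.NewScanner(strings.NewReader(report))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case vulnRe.MatchString(line):
			findings = append(findings, Finding{ID: vulnRe.FindStringSubmatch(line)[1]})
			cur = &findings[len(findings)-1]
		case cur == nil: // preamble before the first vulnerability block
			continue
		case cur.Title == "" && line != "": // first line after the ID is the title
			cur.Title = line
		case strings.HasPrefix(line, "Found in: "):
			cur.FoundIn = strings.TrimPrefix(line, "Found in: ")
		case strings.HasPrefix(line, "Fixed in: "):
			cur.FixedIn = strings.TrimPrefix(line, "Fixed in: ")
		case traceRe.MatchString(line):
			cur.Traces = append(cur.Traces, traceRe.FindStringSubmatch(line)[1])
		}
	}
	return findings
}

// goVersionKey turns "go1.21rc4" or "go1.20.6" into a sortable tuple of
// {major, minor, patch, isRelease, preNumber}; rc/beta sort below the
// .0 release of the same minor because isRelease is 0 for them.
func goVersionKey(v string) ([5]int, bool) {
	m := goVerRe.FindStringSubmatch(v)
	if m == nil {
		return [5]int{}, false
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3]) // "" parses as 0
	pre, _ := strconv.Atoi(m[4])
	release := 1
	if m[4] != "" {
		release = 0
	}
	return [5]int{major, minor, patch, release, pre}, true
}

// CompareGoVersions returns -1, 0 or 1 for a < b, a == b, a > b.
func CompareGoVersions(a, b string) int {
	ka, _ := goVersionKey(a)
	kb, _ := goVersionKey(b)
	for i := range ka {
		if ka[i] < kb[i] {
			return -1
		}
		if ka[i] > kb[i] {
			return 1
		}
	}
	return 0
}

// fixVersion extracts the toolchain version from "net/http@go1.21.3".
func fixVersion(fixedIn string) string {
	if i := strings.LastIndex(fixedIn, "@"); i >= 0 {
		return fixedIn[i+1:]
	}
	return fixedIn
}

// MinimumFixVersion returns the lowest Go release that fixes every finding,
// i.e. the highest "Fixed in" version across the report.
func MinimumFixVersion(findings []Finding) string {
	best := ""
	for _, f := range findings {
		v := fixVersion(f.FixedIn)
		if _, ok := goVersionKey(v); !ok {
			continue // non-stdlib or unparsable version string
		}
		if best == "" || CompareGoVersions(v, best) > 0 {
			best = v
		}
	}
	return best
}

// TestOnly reports whether every trace enters through test, fuzz, benchmark or
// mock code. Heuristic (an assumption of this example) on the path conventions
// visible in the report: test/, /mocks/, /benchmarking/ and _test.go.
func TestOnly(f Finding) bool {
	if len(f.Traces) == 0 {
		return false
	}
	for _, t := range f.Traces {
		file := strings.SplitN(t, ":", 2)[0]
		if !(strings.HasPrefix(file, "test/") || strings.Contains(file, "/mocks/") ||
			strings.Contains(file, "/benchmarking/") || strings.HasSuffix(file, "_test.go")) {
			return false
		}
	}
	return true
}

// SampleReport is a constructed, trimmed copy of the report above (three of
// the seventeen findings, fewer traces) so the example runs offline.
const SampleReport = `Scanning your code and 578 packages across 95 dependent modules for known vulnerabilities...
Vulnerability #1: GO-2023-2102
HTTP/2 rapid reset can cause excessive work in net/http
More info: https://pkg.go.dev/vuln/GO-2023-2102
Standard library
Found in: net/http@go1.20
Fixed in: net/http@go1.21.3
Example traces found:
#1: node/node.go:961:65: node.NewNode calls http.ListenAndServe
#2: rpc/jsonrpc/server/http_server.go:62:16: server.Serve calls http.Server.Serve
Vulnerability #2: GO-2023-1987
Large RSA keys can cause high CPU usage in crypto/tls
More info: https://pkg.go.dev/vuln/GO-2023-1987
Standard library
Found in: crypto/tls@go1.20
Fixed in: crypto/tls@go1.21rc4
Example traces found:
#1: rpc/jsonrpc/client/http_json_client.go:213:34: client.Client.Call calls http.Client.Do, which eventually calls tls.Dialer.DialContext
Vulnerability #3: GO-2023-1568
Path traversal on Windows in path/filepath
More info: https://pkg.go.dev/vuln/GO-2023-1568
Standard library
Found in: path/filepath@go1.20
Fixed in: path/filepath@go1.20.1
Platforms: windows
Example traces found:
#1: libs/autofile/group.go:81:26: autofile.OpenGroup calls filepath.Abs
#2: test/e2e/node/main.go:276:21: node.setupNode calls viper.AddConfigPath, which eventually calls filepath.Clean
Your code is affected by 3 vulnerabilities from the Go standard library.
`

func main() {
	findings := ParseGovulncheck(SampleReport)
	for _, f := range findings {
		fmt.Printf("%-13s fixed in %-10s entry points: %d  test-only: %v\n",
			f.ID, fixVersion(f.FixedIn), len(f.Traces), TestOnly(f))
	}
	fmt.Println("upgrade toolchain to at least", MinimumFixVersion(findings))
}
```

Running it against the full report rather than the sample gives go1.21.3 as the target, and no finding comes out test-only, because each one has at least one trace through production code (the html/template findings, for instance, reach template execution through rpc/jsonrpc/server as well as through the fuzz harness). For machine-readable pipelines prefer `govulncheck -json` over parsing this text, which is what a human reads and which the tool does not promise to keep stable.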