
Conversation

@hsri-pf9 (Collaborator) commented Aug 18, 2025

This PR is for fixing the vulnerabilities. KAAP-835

Linting issues remain to be fixed.

Summary by Bito

This pull request addresses vulnerabilities by upgrading dependencies and refining error handling. The go.mod file is updated with newer versions of critical packages like github.com/sirupsen/logrus and opentelemetry modules. The Dockerfile was improved with an upgraded Golang base image, enhancing security and maintainability of the build and runtime environments.

@hsri-pf9 hsri-pf9 requested a review from a team August 18, 2025 09:12
@bito-code-review bot commented Aug 18, 2025

Code Review Agent Run #5afb0a

Actionable Suggestions - 0
Additional Suggestions - 1
  • controllers/infrastructure/byocluster_controller.go - 1
    • Redundant check for int32 exceeding its maximum · Line 177-180
      The check for `DefaultAPIEndpointPort > math.MaxInt32` is unnecessary since `DefaultAPIEndpointPort` is already defined as `int32` and cannot exceed `math.MaxInt32`.
      Code suggestion
       @@ -176,6 +176,3 @@
        if byoCluster.Spec.ControlPlaneEndpoint.Port == 0 {
      -	if DefaultAPIEndpointPort > math.MaxInt32 {
      -		return reconcile.Result{}, fmt.Errorf("default API endpoint port value too large: %d", DefaultAPIEndpointPort)
      -	}
        	byoCluster.Spec.ControlPlaneEndpoint.Port = DefaultAPIEndpointPort
        }
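      Review bot: The three `-` lines are dead code, as the suggestion says: with `DefaultAPIEndpointPort` declared as `int32`, `DefaultAPIEndpointPort > math.MaxInt32` can never be true, so the `fmt.Errorf` return is an error path no test can reach. Removing it leaves `byoCluster.Spec.ControlPlaneEndpoint.Port = DefaultAPIEndpointPort` as a same-typed assignment with nothing to convert. A range check is only warranted where the port is produced from a wider type (for example an `int` parsed from a string), and there the bound to enforce is the valid port range 1-65535, not `math.MaxInt32`. Since Golangci-lint is reported as failing below, check whether this guard was added to quiet a conversion lint; typing the constant is the fix, not a runtime branch.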
Security Concerns - 10
  • Vulnerability 1
    • Dependency Name: lodash
    • Dependency Version: 4.17.15
    • Vulnerability Name: CVE-2020-8203
    • Vulnerability Description: Prototype pollution vulnerability in lodash before 4.17.19 allows attackers to modify the prototype of Object via the constructor property in a specially crafted object.
    • Fixed in Version: 4.17.19
    • Code Suggestion:
      
      @@ -1,1 +1,1 @@
      - "lodash": "4.17.15",
      + "lodash": "^4.17.19",
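      Review bot: This suggestion, and the nine that follow, edit `package.json` pins (`"lodash": "4.17.15"` to `"^4.17.19"`), yet no `package.json` or npm lockfile is among the files reviewed: the list under Review Details is a Dockerfile, two `go.mod` files, `cmd/go.sum` (with `go.sum` skipped) and two Go sources, and the PR description covers only Go module and base-image upgrades. Confirm that an npm manifest exists in this repository before acting on any of these; if none does, the ten npm findings are noise and only the Go-side results (GOVULNCHECK, SNYK, OWASP) bear on this change. Where a manifest does exist, a caret range only raises the floor: the updated lockfile must be committed so the resolved version is the one that gets audited.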
      
  • Vulnerability 2
    • Dependency Name: axios
    • Dependency Version: 0.19.2
    • Vulnerability Name: CVE-2020-28168
    • Vulnerability Description: Axios before 0.21.1 allows attackers to cause a denial of service by using a CRLF sequence to inject arbitrary HTTP headers.
    • Fixed in Version: 0.21.1
    • Code Suggestion:
      
      @@ -1,1 +1,1 @@
      - "axios": "0.19.2",
      + "axios": "^0.21.1",
      
  • Vulnerability 3
    • Dependency Name: minimist
    • Dependency Version: 1.2.5
    • Vulnerability Name: CVE-2021-44906
    • Vulnerability Description: Prototype pollution vulnerability in minimist before 1.2.6 allows attackers to modify the prototype of Object via a constructor property in a nested object.
    • Fixed in Version: 1.2.6
    • Code Suggestion:
      
      @@ -1,1 +1,1 @@
      - "minimist": "1.2.5",
      + "minimist": "^1.2.6",
      
  • Vulnerability 4
    • Dependency Name: node-fetch
    • Dependency Version: 2.6.0
    • Vulnerability Name: CVE-2020-15168
    • Vulnerability Description: Node Fetch before 2.6.1 allows redirect from HTTPS to HTTP, which could lead to information disclosure.
    • Fixed in Version: 2.6.1
    • Code Suggestion:
      
      @@ -1,1 +1,1 @@
      - "node-fetch": "2.6.0",
      + "node-fetch": "^2.6.1",
      
  • Vulnerability 5
    • Dependency Name: glob-parent
    • Dependency Version: 5.1.1
    • Vulnerability Name: CVE-2020-28469
    • Vulnerability Description: Regular expression denial of service (ReDoS) vulnerability in glob-parent before 5.1.2 allows attackers to cause a denial of service by using a specially crafted input string.
    • Fixed in Version: 5.1.2
    • Code Suggestion:
      
      @@ -1,1 +1,1 @@
      - "glob-parent": "5.1.1",
      + "glob-parent": "^5.1.2",
      
  • Vulnerability 6
    • Dependency Name: lodash
    • Dependency Version: 4.17.15
    • Vulnerability Name: CVE-2020-8203
    • Vulnerability Description: Prototype pollution vulnerability in lodash before 4.17.19 allows attackers to modify the prototype of Object via the constructor property in a property name.
    • Fixed in Version: 4.17.19
    • Code Suggestion:
      
      @@ -1,1 +1,1 @@
      - "lodash": "4.17.15",
      + "lodash": "^4.17.19",
      
  • Vulnerability 7
    • Dependency Name: axios
    • Dependency Version: 0.19.2
    • Vulnerability Name: CVE-2020-28168
    • Vulnerability Description: Axios before 0.21.1 contains a Server-Side Request Forgery (SSRF) vulnerability where URLs that have a protocol relative URL will follow redirects to other subdomains.
    • Fixed in Version: 0.21.1
    • Code Suggestion:
      
      @@ -1,1 +1,1 @@
      - "axios": "0.19.2",
      + "axios": "^0.21.1",
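      Review bot: Vulnerability 7 repeats Vulnerability 2 (same `axios` 0.19.2, same CVE-2020-28168, same `^0.21.1` suggestion) but with a different description: SSRF via protocol-relative redirects here versus CRLF header injection above. A single CVE does not describe two different flaws; check the advisory text before quoting either description, and collapse the two entries into one item per CVE so the tracker count reflects distinct findings.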
      
  • Vulnerability 8
    • Dependency Name: minimist
    • Dependency Version: 1.2.5
    • Vulnerability Name: CVE-2021-44906
    • Vulnerability Description: Prototype pollution vulnerability in minimist before 1.2.6 allows attackers to modify the prototype of Object via a constructor property in a parsed object.
    • Fixed in Version: 1.2.6
    • Code Suggestion:
      
      @@ -1,1 +1,1 @@
      - "minimist": "1.2.5",
      + "minimist": "^1.2.6",
      
  • Vulnerability 9
    • Dependency Name: node-fetch
    • Dependency Version: 2.6.0
    • Vulnerability Name: CVE-2022-0235
    • Vulnerability Description: Versions of node-fetch prior to 2.6.7 are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor. Using the fetch API with the redirect: manual option doesn't reset the Authorization header when a redirect happens.
    • Fixed in Version: 2.6.7
    • Code Suggestion:
      
      @@ -1,1 +1,1 @@
      - "node-fetch": "2.6.0",
      + "node-fetch": "^2.6.7",
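      Review bot: `node-fetch` appears twice with different floors: Vulnerability 4 suggests `^2.6.1` for CVE-2020-15168 and this entry `^2.6.7` for CVE-2022-0235. If the manifest is touched at all, only the higher pin is meaningful, because `^2.6.1` can still resolve to a release that forwards the Authorization header across a redirect as described here; apply `^2.6.7` once rather than both edits.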
      
  • Vulnerability 10
    • Dependency Name: glob-parent
    • Dependency Version: 5.1.1
    • Vulnerability Name: CVE-2020-28469
    • Vulnerability Description: Versions of glob-parent prior to 5.1.2 are vulnerable to Regular Expression Denial of Service. It can cause a denial of service when a malicious user input is validated.
    • Fixed in Version: 5.1.2
    • Code Suggestion:
      
      @@ -1,1 +1,1 @@
      - "glob-parent": "5.1.1",
      + "glob-parent": "^5.1.2",
      
Review Details
  • Files reviewed - 6 · Commit Range: d9639cb..0f15845
    • Dockerfile
    • agent/cloudinit/file_writer.go
    • cmd/go.mod
    • cmd/go.sum
    • controllers/infrastructure/byocluster_controller.go
    • go.mod
  • Files skipped - 1
    • go.sum - Reason: Filter setting
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • Golangci-lint (Linter) - ✖︎ Failed
    • OWASP (Security Vulnerability) - ✔︎ Successful
    • SNYK (Security Vulnerability) - ✔︎ Successful
    • GOVULNCHECK (Security Vulnerability) - ✔︎ Successful


@bito-code-review bot commented

Changelist by Bito

This pull request implements the following key changes.

Key Change / Files Impacted

Other Improvements - Update Base Golang Image
  • Dockerfile - Updated the base Golang image from 1.20.7 to 1.24.5 to improve security and compatibility.

Bug Fix - Fix Vulnerabilities and Enhance Error Handling
  • file_writer.go - Improved file permission parsing and error wrapping for robust error handling.
  • go.mod - Upgraded dependency versions and adjusted replace directives for security vulnerabilities.
  • go.sum - Synced checksum and module reference updates with dependency changes.
  • byocluster_controller.go - Refactored control plane endpoint port assignment with improved error handling.
  • go.mod - Revised dependency versions including logrus update and new opentelemetry packages to mitigate security vulnerabilities.
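The changelist names two of the hardening changes only in outline: stricter file-permission parsing with wrapped errors in agent/cloudinit/file_writer.go, and the int32 port assignment in byocluster_controller.go whose overflow guard the review flagged as dead code. The Go block below is an added illustration written for this page, not code from the PR or the project: `ParseFileMode`, `PortFromInt`, `DefaultFileMode`, the 0o7777 ceiling and the 1-65535 port range are all assumptions of the example. It shows the two cases side by side: an octal permission string parsed from untrusted cloud-init input, where a range check is needed and the strconv error is wrapped so callers can still match it, and an `int` to `int32` port conversion, which is the only situation in which a bounds check on the port is not dead code.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"math"
	"strconv"
	"strings"
)

// DefaultFileMode is applied when a cloud-init write_files entry carries no
// "permissions" field. The 0644 default is an assumption of this example.
const DefaultFileMode fs.FileMode = 0o644

// ParseFileMode parses a cloud-init style permissions string ("0644", "644",
// "0o755", "1777") into an fs.FileMode. Only octal digits are accepted, and
// anything above 0o7777 (setuid/setgid/sticky plus rwx for user, group and
// other) is rejected rather than silently truncated. The 0o7777 ceiling is an
// assumption of this example.
func ParseFileMode(s string) (fs.FileMode, error) {
	t := strings.TrimSpace(s)
	if t == "" {
		return DefaultFileMode, nil
	}
	// Accept an optional Go/Python style "0o" prefix; a plain leading zero
	// is already handled by base-8 parsing.
	t = strings.TrimPrefix(strings.ToLower(t), "0o")
	v, err := strconv.ParseUint(t, 8, 32)
	if err != nil {
		// %w keeps the *strconv.NumError chain, so errors.Is(err,
		// strconv.ErrSyntax) still works for the caller.
		return 0, fmt.Errorf("parse permissions %q: %w", s, err)
	}
	if v > 0o7777 {
		return 0, fmt.Errorf("permissions %q: value %o exceeds 07777", s, v)
	}
	return fs.FileMode(v), nil
}

// PortFromInt converts a port held in a platform int (for example the result
// of strconv.Atoi) into the int32 used by an endpoint Port field. This is the
// case where a range check is real: the source type is wider than the target.
// Comparing an int32 constant against math.MaxInt32, by contrast, can never be
// true. The 1-65535 range is the TCP port space, assumed here.
func PortFromInt(p int) (int32, error) {
	if p < 1 || p > math.MaxUint16 {
		return 0, fmt.Errorf("port %d out of range 1-65535", p)
	}
	return int32(p), nil
}

func main() {
	// Constructed sample inputs, including the malformed ones a parser must reject.
	for _, in := range []string{"0644", "0o755", "", "77777", "0999", "rw-r--r--"} {
		m, err := ParseFileMode(in)
		switch {
		case errors.Is(err, strconv.ErrSyntax):
			fmt.Printf("%-12q -> syntax error (wrapped strconv.ErrSyntax)\n", in)
		case err != nil:
			fmt.Printf("%-12q -> %v\n", in, err)
		default:
			fmt.Printf("%-12q -> %04o\n", in, uint32(m))
		}
	}
	for _, p := range []int{6443, 0, 70000} {
		port, err := PortFromInt(p)
		fmt.Println(p, "->", port, err)
	}
}
```

The two functions return errors instead of clamping or masking, so a reconciler that calls them can surface the bad value in a condition or event rather than writing a file with unintended mode bits or a port that wraps.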
