Description
Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.
- What are you trying to do?
The issue is already reported in #157 (Subpackages with different versions are incorrectly flagged), but this time with the package github.com/hashicorp/vault.
Releases are tagged here: https://github.com/hashicorp/vault/releases; the latest version is v1.11.3.
The latest version of github.com/hashicorp/vault/api is v1.7.2.
The latest version of github.com/hashicorp/vault/sdk is v0.5.3.
Nancy sees I have used github.com/hashicorp/vault/sdk@v0.5.1 but reports CVEs as if I was using github.com/hashicorp/vault@v0.5.1; the same for github.com/hashicorp/vault/api@v1.7.2, which is recommended to be github.com/hashicorp/vault@1.11.1/1.9.8/1.10.5.
None of these CVEs should apply to github.com/hashicorp/vault/api@v1.7.2 or github.com/hashicorp/vault/sdk@v0.5.1, but it gets confused by the version difference.
Here is what I get:
```
pkg:golang/github.com/hashicorp/vault/sdk@v0.5.1
#17 3.431 1 known vulnerabilities affecting installed version
#17 3.431 ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
#17 3.431 ┃ [CVE-2022-36129] CWE-863: Incorrect Authorization ┃
#17 3.431 ┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
#17 3.431 ┃ Description ┃ HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters ┃
#17 3.431 ┃ ┃ using Integrated Storage expose an unauthenticated API endpoint that could ┃
#17 3.431 ┃ ┃ be abused to override the voter status of a node within a Vault HA cluster, ┃
#17 3.431 ┃ ┃ introducing potential for future data loss or catastrophic failure. Fixed ┃
#17 3.431 ┃ ┃ in Vault Enterprise 1.9.8, 1.10.5, and 1.11.1. ┃
#17 3.431 ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
#17 3.431 ┃ OSS Index ID ┃ CVE-2022-36129 ┃
#17 3.431 ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
#17 3.431 ┃ CVSS Score ┃ 9.1/10 (Critical) ┃
#17 3.431 ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
#17 3.431 ┃ CVSS Vector ┃ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H ┃
#17 3.431 ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
#17 3.431 ┃ Link for more info ┃ https://ossindex.sonatype.org/vulnerability/CVE-2022-36129?component-type=golang&component-name=github.com%2Fhashicorp%2Fvault%2Fsdk&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.39 ┃
#17 3.431 ┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
#
pkg:golang/github.com/hashicorp/vault/api@v1.7.2
#17 3.431 1 known vulnerabilities affecting installed version
#17 3.431 ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
#17 3.431 ┃ [CVE-2022-36129] CWE-863: Incorrect Authorization ┃
#17 3.431 ┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
#17 3.431 ┃ Description ┃ HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters ┃
#17 3.431 ┃ ┃ using Integrated Storage expose an unauthenticated API endpoint that could ┃
#17 3.431 ┃ ┃ be abused to override the voter status of a node within a Vault HA cluster, ┃
#17 3.431 ┃ ┃ introducing potential for future data loss or catastrophic failure. Fixed ┃
#17 3.431 ┃ ┃ in Vault Enterprise 1.9.8, 1.10.5, and 1.11.1. ┃
#17 3.431 ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
#17 3.431 ┃ OSS Index ID ┃ CVE-2022-36129 ┃
#17 3.431 ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
#17 3.431 ┃ CVSS Score ┃ 9.1/10 (Critical) ┃
#17 3.431 ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
#17 3.431 ┃ CVSS Vector ┃ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H ┃
#17 3.431 ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
#17 3.431 ┃ Link for more info ┃ https://ossindex.sonatype.org/vulnerability/CVE-2022-36129?component-type=golang&component-name=github.com%2Fhashicorp%2Fvault%2Fapi&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.39 ┃
#17 3.431 ┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
#17 3.431
#17 3.431 2 Vulnerable Packages
#17 3.431
#17 3.431 ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
#17 3.431 ┃ Summary ┃
#17 3.431 ┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━┫
#17 3.431 ┃ Audited Dependencies ┃ 104 ┃
#17 3.431 ┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━┫
#17 3.431 ┃ Vulnerable Dependencies ┃ 2 ┃
#17 3.431 ┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━┛
```
Here is the output of go list:
```
➜ go list -m all | grep github.com/hashicorp/vault
github.com/hashicorp/vault/api v1.7.2
github.com/hashicorp/vault/sdk v0.5.1
```
Here is my Nancy version:
```
nancy version 1.0.39
```
- What feature or behavior is this required for?
Go dependencies vulnerability scan
- How could we solve this issue? (Not knowing is okay!)
I think if a subpackage is versioned differently it should be considered separate and not matched against the parent one?
- Anything else?
No
cc @bhamail / @DarthHater
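The matching rule proposed in the issue (a nested module such as github.com/hashicorp/vault/sdk is its own module with its own version line and must never be matched against an advisory for github.com/hashicorp/vault), as an added example in Go. This is illustration code written for this page, not Nancy's or OSS Index's implementation. The `go list -m all` excerpt below is constructed from the two lines in the report plus a hypothetical direct dependency on github.com/hashicorp/vault v1.9.7 for contrast; the version ranges for CVE-2022-36129 are this example's own encoding of the advisory text quoted above; the names ParseGoList, Advisory, Affected and Scan are the example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module is one line of `go list -m all` output: module path and version.
type Module struct{ Path, Version string }

// PURL renders the module as the pkg:golang coordinate Nancy prints.
func (m Module) PURL() string { return "pkg:golang/" + m.Path + "@" + m.Version }

// ParseGoList parses `go list -m all` output. The main module line has no
// version and is skipped, as are blank lines.
func ParseGoList(out string) []Module {
	var mods []Module
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue
		}
		mods = append(mods, Module{Path: f[0], Version: f[1]})
	}
	return mods
}

// Range is a half-open affected window: Introduced <= v < Fixed.
// An empty bound means unbounded on that side.
type Range struct{ Introduced, Fixed string }

// Advisory binds an ID to exactly one module path and its affected ranges.
type Advisory struct {
	ID, Module string
	Ranges     []Range
}

// parseSemver turns "v1.9.7" into [1 9 7]. Pre-release and build suffixes are
// dropped, so a pseudo-version compares by its base (assumption: good enough
// for the constructed data here).
func parseSemver(v string) ([3]int, bool) {
	var n [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return n, false
	}
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil || x < 0 {
			return n, false
		}
		n[i] = x
	}
	return n, true
}

// cmpSemver compares two versions numerically, field by field: -1, 0 or 1.
func cmpSemver(a, b string) int {
	x, _ := parseSemver(a)
	y, _ := parseSemver(b)
	for i := 0; i < 3; i++ {
		if x[i] < y[i] {
			return -1
		}
		if x[i] > y[i] {
			return 1
		}
	}
	return 0
}

func inRange(v string, r Range) bool {
	if r.Introduced != "" && cmpSemver(v, r.Introduced) < 0 {
		return false
	}
	if r.Fixed != "" && cmpSemver(v, r.Fixed) >= 0 {
		return false
	}
	return true
}

// Affected is the point of the example: the module path must be identical to
// the advisory's path. A prefix match (vault/sdk "under" vault) is never
// attempted, so a nested module's unrelated version line cannot be compared
// against the parent module's ranges.
func Affected(adv Advisory, m Module) bool {
	if m.Path != adv.Module {
		return false
	}
	if _, ok := parseSemver(m.Version); !ok {
		return false
	}
	for _, r := range adv.Ranges {
		if inRange(m.Version, r) {
			return true
		}
	}
	return false
}

// Scan maps each matching module's purl to the advisory IDs that apply.
func Scan(mods []Module, advs []Advisory) map[string][]string {
	hits := map[string][]string{}
	for _, m := range mods {
		for _, a := range advs {
			if Affected(a, m) {
				hits[m.PURL()] = append(hits[m.PURL()], a.ID)
			}
		}
	}
	return hits
}

// Constructed `go list -m all` excerpt: the report's two lines plus a
// hypothetical direct dependency on the vault module itself.
const SampleGoList = `example.com/myapp
github.com/hashicorp/vault v1.9.7
github.com/hashicorp/vault/api v1.7.2
github.com/hashicorp/vault/sdk v0.5.1
`

// CVE-2022-36129 keyed to the vault module only; the ranges are this
// example's reading of "1.7.0 through 1.9.7, 1.10.4, and 1.11.0" with fixes
// in 1.9.8, 1.10.5 and 1.11.1.
var VaultAdvisory = Advisory{
	ID: "CVE-2022-36129", Module: "github.com/hashicorp/vault",
	Ranges: []Range{{"v1.7.0", "v1.9.8"}, {"v1.10.4", "v1.10.5"}, {"v1.11.0", "v1.11.1"}},
}

func main() {
	mods := ParseGoList(SampleGoList)
	hits := Scan(mods, []Advisory{VaultAdvisory})
	for _, m := range mods {
		fmt.Printf("%-52s %v\n", m.PURL(), hits[m.PURL()])
	}
}
```

Only pkg:golang/github.com/hashicorp/vault@v1.9.7 is reported; the api and sdk modules come back clean because their paths are not equal to the advisory's module path, regardless of what their versions happen to be.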