
Fix some CVEs#2019

Merged
ShashankGirish merged 5 commits intovmware-tanzu:mainfrom
masap:fix-vuln
Nov 18, 2025

Conversation

@masap
Contributor

@masap masap commented Jun 17, 2025

What this PR does / why we need it:
This PR fixes some vulnerabilities found by Trivy.

sonobuoy (gobinary)

Total: 4 (UNKNOWN: 1, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/oauth2 │ CVE-2025-22868 │ HIGH     │ fixed  │ v0.15.0           │ 0.27.0          │ golang.org/x/oauth2/jws: Unexpected memory consumption       │
│                     │                │          │        │                   │                 │ during token parsing in golang.org/x/oauth2/jws              │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-22868                   │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib              │ CVE-2025-0913  │ MEDIUM   │        │ v1.23.8           │ 1.23.10, 1.24.4 │ Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows │
│                     │                │          │        │                   │                 │ in os in syscall...                                          │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-0913                    │
│                     ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-4673  │          │        │                   │                 │ net/http: Sensitive headers not cleared on cross-origin      │
│                     │                │          │        │                   │                 │ redirect in net/http                                         │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-4673                    │
│                     ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-47907 │ UNKNOWN  │        │                   │ 1.23.12, 1.24.6 │ Incorrect results returned from Rows.Scan in database/sql    │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-47907                   │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

Which issue(s) this PR fixes

  • Fixes #

Special notes for your reviewer:

Release note:

Fix CVE-2025-22868, CVE-2025-0913, CVE-2025-4673, CVE-2025-47907.

@farazkhawaja
Contributor

Thanks @masap for the PR. We should also periodically review the weekly trivy scan workflow for sonobuoy to address vuln earlier: https://github.com/vmware-tanzu/sonobuoy/actions/runs/15949670484/job/44987968467

@rizzza

rizzza commented Aug 7, 2025

@masap Think you could add the fix for

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/oauth2 │ CVE-2025-22868 │ HIGH     │ fixed  │ v0.15.0           │ 0.27.0          │ golang.org/x/oauth2/jws: Unexpected memory consumption       │
│                     │                │          │        │                   │                 │ during token parsing in golang.org/x/oauth2/jws              │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-22868                   │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤

https://github.com/vmware-tanzu/sonobuoy/actions/runs/16699265919/job/47267729568

And maybe @lubronzhan could cut a release?

@masap
Contributor Author

masap commented Aug 8, 2025

@rizzza Sure, I fixed this PR.

Comment on lines -12 to -13
skip-pkg-cache: true
skip-build-cache: true

Thanks for the PR, @masap . I'm assuming the lint errors are due to this change here?

Contributor Author

@ShashankGirish

I'm assuming the lint errors are due to this change here?

No, we need this change to fix the following warning.

Warning: Unexpected input(s) 'skip-pkg-cache', 'skip-build-cache', valid inputs are ['version', 'install-mode', 'working-directory', 'github-token', 'verify', 'only-new-issues', 'skip-cache', 'skip-save-cache', 'problem-matchers', 'args', 'cache-invalidation-interval']


Ack, would you be able to resolve the lint errors?

Contributor Author

Let me check.

Contributor Author

@ShashankGirish I fixed the lint errors.

Contributor Author

And fixed some additional CVEs.

@masap masap force-pushed the fix-vuln branch 4 times, most recently from 7379ead to ec9717b Compare October 23, 2025 09:33
@masap masap force-pushed the fix-vuln branch 3 times, most recently from f862db8 to 5568eaa Compare October 31, 2025 00:12
masap added 3 commits October 31, 2025 09:35
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
/bin/sh: 1: F: not found
golangci-lint run --out-format=github-actions --timeout=5m0s -v: command not found

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
@jerrychengca
Contributor

jerrychengca commented Nov 8, 2025

CI Test/integration-test-on-kind failed with this error

  • Error: parsing AggregatorURL: parse "https://[10.244.1.12]:8080": invalid IPv6 host

This happens after upgrading the Go version to 1.24.9.
Root cause:
"// Per RFC 3986, only a host identified by a valid
// IPv6 address can be enclosed by square brackets."
See https://github.com/golang/go/blob/release-branch.go1.24/src/net/url/url.go#L626
Sonobuoy encloses an IPv4 address in square brackets in the URL, which breaks the rule.
I have made a fix: f0bc847
@masap, would you like to pick it up and rerun the tests?
CC @ShashankGirish
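The RFC 3986 rule behind the CI failure above, as an added Go example that is not Sonobuoy's own code: `aggregatorURL` contrasts the pre-fix "always bracket" string building with `net.JoinHostPort`, and `bracketedHostIsIPv6` is an assumed helper that applies the rule independently of the Go version running it (the function names, the https scheme and the sample addresses are assumptions for illustration).

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// aggregatorURL builds the aggregator URL discussed in the thread. bracketAlways=true
// reproduces the pre-fix behaviour (every address wrapped in square brackets);
// false uses net.JoinHostPort, which brackets only IPv6 literals.
func aggregatorURL(host, port string, bracketAlways bool) string {
	if bracketAlways {
		return "https://[" + host + "]:" + port
	}
	return "https://" + net.JoinHostPort(host, port)
}

// bracketedHostIsIPv6 applies the RFC 3986 rule quoted from net/url: a host in
// square brackets must be an IPv6 address. Assumed helper written for this
// example; zone identifiers (e.g. fe80::1%eth0) are not handled.
func bracketedHostIsIPv6(hostPort string) bool {
	if !strings.HasPrefix(hostPort, "[") {
		return true // unbracketed: hostnames and plain IPv4 are allowed here
	}
	end := strings.IndexByte(hostPort, ']')
	if end < 0 {
		return false
	}
	inner := hostPort[1:end]
	return net.ParseIP(inner) != nil && strings.Contains(inner, ":")
}

// checkAggregatorURL mirrors the failing call path. The rule is checked up front so
// the result is the same on any Go version; Go 1.24.9's url.Parse rejects the
// bracketed IPv4 form with the same "invalid IPv6 host" message seen in CI.
func checkAggregatorURL(host, port string, bracketAlways bool) (string, error) {
	raw := aggregatorURL(host, port, bracketAlways)
	if !bracketedHostIsIPv6(strings.TrimPrefix(raw, "https://")) {
		return "", fmt.Errorf("parsing AggregatorURL: parse %q: invalid IPv6 host", raw)
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("parsing AggregatorURL: %w", err)
	}
	return u.Hostname(), nil
}
```

Calling `checkAggregatorURL("10.244.1.12", "8080", true)` reproduces the CI error, while the `net.JoinHostPort` path returns the bare hostname for both IPv4 and IPv6 input.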

@masap
Contributor Author

masap commented Nov 10, 2025

would you like to pick it up and rerun the tests?

@jerrychengca Thank you, I picked it up.

…rackets.

Fixed by: @jerrychengca

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
@ShashankGirish ShashankGirish merged commit 08e4ff4 into vmware-tanzu:main Nov 18, 2025
20 checks passed
@masap masap deleted the fix-vuln branch November 18, 2025 06:55