Skip to content

Go crypto/ssh vulnerability in Go 1.16.2 docker image #45342

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ruffoa opened this issue Apr 1, 2021 · 2 comments
Closed

Go crypto/ssh vulnerability in Go 1.16.2 docker image #45342

ruffoa opened this issue Apr 1, 2021 · 2 comments
Labels
FrozenDueToAge WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.

Comments

@ruffoa
Copy link

ruffoa commented Apr 1, 2021

First off, sorry if this is in the wrong place! I looked for any similar issues, but could not find any, so figured I'd open an issue report here 😄

What version of Go are you using (go version)?

$ go version
go version go1.16.2 linux/amd64

Does this issue reproduce with the latest release?

Yes, using the latest version of the Go 1.16 alpine Docker image (hash 52dbfc81ec12df22e2ab1e7c9c4f4ee3dff73514e56a54924714d29ac03ff791)

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
(sorry for the formatting, this is from Jenkins)

[2021-04-01T19:44:26.092Z] #19 0.727 GO111MODULE=""


[2021-04-01T19:44:26.092Z] #19 0.727 GOARCH="amd64"


[2021-04-01T19:44:26.092Z] #19 0.727 GOBIN=""


[2021-04-01T19:44:26.092Z] #19 0.727 GOCACHE="/root/.cache/go-build"


[2021-04-01T19:44:26.092Z] #19 0.727 GOENV="/root/.config/go/env"


[2021-04-01T19:44:26.092Z] #19 0.727 GOEXE=""


[2021-04-01T19:44:26.092Z] #19 0.727 GOFLAGS=""


[2021-04-01T19:44:26.092Z] #19 0.727 GOHOSTARCH="amd64"


[2021-04-01T19:44:26.092Z] #19 0.727 GOHOSTOS="linux"


[2021-04-01T19:44:26.092Z] #19 0.727 GOINSECURE=""


[2021-04-01T19:44:26.092Z] #19 0.727 GOMODCACHE="/go/pkg/mod"


[2021-04-01T19:44:26.093Z] #19 0.727 GONOPROXY=""


[2021-04-01T19:44:26.093Z] #19 0.727 GONOSUMDB="mycompany.org/*"


[2021-04-01T19:44:26.093Z] #19 0.727 GOOS="linux"


[2021-04-01T19:44:26.093Z] #19 0.727 GOPATH="/go"


[2021-04-01T19:44:26.093Z] #19 0.727 GOPRIVATE=""


[2021-04-01T19:44:26.093Z] #19 0.727 GOPROXY="mycompany.org"


[2021-04-01T19:44:26.093Z] #19 0.727 GOROOT="/usr/local/go"


[2021-04-01T19:44:26.093Z] #19 0.727 GOSUMDB="sum.golang.org"


[2021-04-01T19:44:26.093Z] #19 0.727 GOTMPDIR=""


[2021-04-01T19:44:26.093Z] #19 0.727 GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"


[2021-04-01T19:44:26.093Z] #19 0.727 GOVCS=""


[2021-04-01T19:44:26.093Z] #19 0.727 GOVERSION="go1.16.2"


[2021-04-01T19:44:26.093Z] #19 0.727 GCCGO="gccgo"


[2021-04-01T19:44:26.093Z] #19 0.727 AR="ar"


[2021-04-01T19:44:26.093Z] #19 0.727 CC="gcc"


[2021-04-01T19:44:26.093Z] #19 0.727 CXX="g++"


[2021-04-01T19:44:26.093Z] #19 0.727 CGO_ENABLED="1"


[2021-04-01T19:44:26.093Z] #19 0.727 GOMOD="/dev/null"


[2021-04-01T19:44:26.093Z] #19 0.727 CGO_CFLAGS="-g -O2"


[2021-04-01T19:44:26.093Z] #19 0.727 CGO_CPPFLAGS=""


[2021-04-01T19:44:26.093Z] #19 0.727 CGO_CXXFLAGS="-g -O2"


[2021-04-01T19:44:26.093Z] #19 0.727 CGO_FFLAGS="-g -O2"


[2021-04-01T19:44:26.093Z] #19 0.727 CGO_LDFLAGS="-g -O2"


[2021-04-01T19:44:26.093Z] #19 0.727 PKG_CONFIG="pkg-config"


[2021-04-01T19:44:26.093Z] #19 0.727 GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3087407697=/tmp/go-build -gno-record-gcc-switches"

What did you do?

We have vulnerability scanning on all Docker images as a part of our deployment pipeline, and even an image with no Go projects in it was flagged as being affected by the crypto/ssh vulnerability fixed in this commit. Here is the Snyk vulnerability page.

This is the flagged Docker image:

Dockerfile
FROM golang:1.16-alpine@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8

# Installing dependencies
RUN apk upgrade --no-cache && \
    apk add --no-cache \

    bash \

    # Install Git
    git \

    nodejs \
    npm \

    make \

    gcc musl-dev python3-dev libffi-dev openssl-dev \

    python3 \
    py3-pip && \
    echo "*** setup python ***" && \
    ln -sf python3 /usr/bin/python && \
    pip install wheel && \
    rm -rf /root/.cache/pip

As an aside, is there a way to force a Docker image to install a newer version of a built-in module? I tried doing a go get -u golang.org/x/crypto/ssh, however it did not fix the problem 😞

Any help would be greatly appreciated! Just checking to make sure it's not because of something silly I've done 😄
@seankhliao
Copy link
Member

I don;t see this for either of the base images?

3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8 
snyk container test golang@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8

Testing golang@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8...

✗ Medium severity vulnerability found in openssl/libcrypto1.1
  Description: NULL Pointer Dereference
  Info: https://snyk.io/vuln/SNYK-ALPINE313-OPENSSL-1089240
  Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], libtls-standalone/[email protected], ca-certificates/ca-certificates@20191127-r5
  From: openssl/[email protected]
  From: openssl/[email protected] > openssl/[email protected]
  From: apk-tools/[email protected] > openssl/[email protected]
  and 5 more...
  Image layer: '/bin/sh -c set -eux; 	apk add --no-cache --virtual .build-deps 		bash 		gcc 		gnupg 		go 		musl-dev 		openssl ; 	apkArch="$(apk --print-arch)"; 	case "$apkArch" in 		'x86_64') 			export GOARCH='amd64' GOOS='linux'; 			;; 		'armhf') 	xport GOARCH='arm' GOARM='6' GOOS='linux'; 			;; 		'armv7') 			export GOARCH='arm' GOARM='7' GOOS='linux'; 			;; 		aarch64') 			export GOARCH='arm64' GOOS='linux'; 			;; 		'x86') 			export GO386='softfloat' GOARCH='386' GOOS='linux'; 		; 		'ppc64le') 			export GOARCH='ppc64le' GOOS='linux'; 			;; 		's390x') 			export GOARCH='s390x' GOOS='linux'; 	; 		*) echo >&2 "error: unsupported architecture '$apkArch' (likely packaging update needed)"; exit 1 ;; 	esac; 		url='https://storage.googleapis.com/golang/go1.16.2.src.tar.gz'; 	sha256='37ca14287a23cb8ba2ac3f5c3dd8adbc1f7a54b9701a57824bf19a0b271f83ea'; 		wget -O go.tgz.asc "$url.asc"; 	wget -O go.tgz "$url"; 	echo "$sha256 *go.tgz" | sha256sum -c -; 		export GNUPGHOME="$(mktemp -d)"; 	gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys 'EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796'; 	gpg --batch --verify go.tgz.asc go.tgz; 	gpgconf --kill all; 	rm -rf "$GNUPGHOME" go.tgz.asc; 		tar -C /usr/local -xzf go.tgz; 	rm go.tgz; 		( 		cd /usr/local/go/src; 		export GOROOT_BOOTSTRAP="$(go env GOROOT)" GOHOSTOS="$GOOS" GOHOSTARCH="$GOARCH"; 		if [ "${GO386:-}" = 'softfloat' ]; then 			GO386= ./bootstrap.bash; 			export GOROOT_BOOTSTRAP="/usr/local/go-$GOOS-$GOARCH-bootstrap"; 			"$GOROOT_BOOTSTRAP/bin/go" version; 		fi; 		/make.bash; 		if [ "${GO386:-}" = 'softfloat' ]; then 			rm -rf "$GOROOT_BOOTSTRAP"; 		fi; 	); 		apk del --no-network .build-deps; 	o install std; 		rm -rf 		/usr/local/go/pkg/*/cmd 		/usr/local/go/pkg/bootstrap 		/usr/local/go/pkg/obj 		/usr/local/go/pkg/tool/*/api 		usr/local/go/pkg/tool/*/go_bootstrap 		/usr/local/go/src/cmd/dist/dist 	; 		go version'
  Fixed in: 1.1.1k-r0

✗ Medium severity vulnerability found in musl/musl
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-ALPINE313-MUSL-1067865
  Introduced through: musl/[email protected], busybox/[email protected], alpine-baselayout/[email protected], openssl/[email protected], openssl/[email protected], zlib/[email protected], apk-tools/[email protected], libtls-standalone/[email protected], busybox/[email protected], ca-certificates/ca-certificates@20191127-r5, musl/[email protected], pax-utils/[email protected], libc-dev/[email protected]
  From: musl/[email protected]
  From: busybox/[email protected] > musl/[email protected]
  From: alpine-baselayout/[email protected] > musl/[email protected]
  and 11 more...
  Image layer: '/bin/sh -c set -eux; 	apk add --no-cache --virtual .build-deps 		bash 		gcc 		gnupg 		go 		musl-dev 		openssl ; 	apkArch="$(apk --print-arch)"; 	case "$apkArch" in 		'x86_64') 			export GOARCH='amd64' GOOS='linux'; 			;; 		'armhf') 	xport GOARCH='arm' GOARM='6' GOOS='linux'; 			;; 		'armv7') 			export GOARCH='arm' GOARM='7' GOOS='linux'; 			;; 		aarch64') 			export GOARCH='arm64' GOOS='linux'; 			;; 		'x86') 			export GO386='softfloat' GOARCH='386' GOOS='linux'; 		; 		'ppc64le') 			export GOARCH='ppc64le' GOOS='linux'; 			;; 		's390x') 			export GOARCH='s390x' GOOS='linux'; 	; 		*) echo >&2 "error: unsupported architecture '$apkArch' (likely packaging update needed)"; exit 1 ;; 	esac; 		url='https://storage.googleapis.com/golang/go1.16.2.src.tar.gz'; 	sha256='37ca14287a23cb8ba2ac3f5c3dd8adbc1f7a54b9701a57824bf19a0b271f83ea'; 		wget -O go.tgz.asc "$url.asc"; 	wget -O go.tgz "$url"; 	echo "$sha256 *go.tgz" | sha256sum -c -; 		export GNUPGHOME="$(mktemp -d)"; 	gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys 'EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796'; 	gpg --batch --verify go.tgz.asc go.tgz; 	gpgconf --kill all; 	rm -rf "$GNUPGHOME" go.tgz.asc; 		tar -C /usr/local -xzf go.tgz; 	rm go.tgz; 		( 		cd /usr/local/go/src; 		export GOROOT_BOOTSTRAP="$(go env GOROOT)" GOHOSTOS="$GOOS" GOHOSTARCH="$GOARCH"; 		if [ "${GO386:-}" = 'softfloat' ]; then 			GO386= ./bootstrap.bash; 			export GOROOT_BOOTSTRAP="/usr/local/go-$GOOS-$GOARCH-bootstrap"; 			"$GOROOT_BOOTSTRAP/bin/go" version; 		fi; 		/make.bash; 		if [ "${GO386:-}" = 'softfloat' ]; then 			rm -rf "$GOROOT_BOOTSTRAP"; 		fi; 	); 		apk del --no-network .build-deps; 	o install std; 		rm -rf 		/usr/local/go/pkg/*/cmd 		/usr/local/go/pkg/bootstrap 		/usr/local/go/pkg/obj 		/usr/local/go/pkg/tool/*/api 		usr/local/go/pkg/tool/*/go_bootstrap 		/usr/local/go/src/cmd/dist/dist 	; 		go version'
  Fixed in: 1.2.2_pre2-r0

✗ High severity vulnerability found in openssl/libcrypto1.1
  Description: Improper Certificate Validation
  Info: https://snyk.io/vuln/SNYK-ALPINE313-OPENSSL-1089239
  Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], libtls-standalone/[email protected], ca-certificates/ca-certificates@20191127-r5
  From: openssl/[email protected]
  From: openssl/[email protected] > openssl/[email protected]
  From: apk-tools/[email protected] > openssl/[email protected]
  and 5 more...
  Image layer: '/bin/sh -c set -eux; 	apk add --no-cache --virtual .build-deps 		bash 		gcc 		gnupg 		go 		musl-dev 		openssl ; 	apkArch="$(apk --print-arch)"; 	case "$apkArch" in 		'x86_64') 			export GOARCH='amd64' GOOS='linux'; 			;; 		'armhf') 	xport GOARCH='arm' GOARM='6' GOOS='linux'; 			;; 		'armv7') 			export GOARCH='arm' GOARM='7' GOOS='linux'; 			;; 		aarch64') 			export GOARCH='arm64' GOOS='linux'; 			;; 		'x86') 			export GO386='softfloat' GOARCH='386' GOOS='linux'; 		; 		'ppc64le') 			export GOARCH='ppc64le' GOOS='linux'; 			;; 		's390x') 			export GOARCH='s390x' GOOS='linux'; 	; 		*) echo >&2 "error: unsupported architecture '$apkArch' (likely packaging update needed)"; exit 1 ;; 	esac; 		url='https://storage.googleapis.com/golang/go1.16.2.src.tar.gz'; 	sha256='37ca14287a23cb8ba2ac3f5c3dd8adbc1f7a54b9701a57824bf19a0b271f83ea'; 		wget -O go.tgz.asc "$url.asc"; 	wget -O go.tgz "$url"; 	echo "$sha256 *go.tgz" | sha256sum -c -; 		export GNUPGHOME="$(mktemp -d)"; 	gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys 'EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796'; 	gpg --batch --verify go.tgz.asc go.tgz; 	gpgconf --kill all; 	rm -rf "$GNUPGHOME" go.tgz.asc; 		tar -C /usr/local -xzf go.tgz; 	rm go.tgz; 		( 		cd /usr/local/go/src; 		export GOROOT_BOOTSTRAP="$(go env GOROOT)" GOHOSTOS="$GOOS" GOHOSTARCH="$GOARCH"; 		if [ "${GO386:-}" = 'softfloat' ]; then 			GO386= ./bootstrap.bash; 			export GOROOT_BOOTSTRAP="/usr/local/go-$GOOS-$GOARCH-bootstrap"; 			"$GOROOT_BOOTSTRAP/bin/go" version; 		fi; 		/make.bash; 		if [ "${GO386:-}" = 'softfloat' ]; then 			rm -rf "$GOROOT_BOOTSTRAP"; 		fi; 	); 		apk del --no-network .build-deps; 	o install std; 		rm -rf 		/usr/local/go/pkg/*/cmd 		/usr/local/go/pkg/bootstrap 		/usr/local/go/pkg/obj 		/usr/local/go/pkg/tool/*/api 		usr/local/go/pkg/tool/*/go_bootstrap 		/usr/local/go/src/cmd/dist/dist 	; 		go version'
  Fixed in: 1.1.1k-r0

✗ High severity vulnerability found in busybox/busybox
  Description: Improper Handling of Exceptional Conditions
  Info: https://snyk.io/vuln/SNYK-ALPINE313-BUSYBOX-1089800
  Introduced through: busybox/[email protected], alpine-baselayout/[email protected], ca-certificates/ca-certificates@20191127-r5, busybox/[email protected]
  From: busybox/[email protected]
  From: alpine-baselayout/[email protected] > busybox/[email protected]
  From: ca-certificates/ca-certificates@20191127-r5 > busybox/[email protected]
  and 1 more...
  Fixed in: 1.32.1-r4



Organization:      seankhliao
Package manager:   apk
Project name:      docker-image|golang
Docker image:      golang@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8
Platform:          linux/amd64
Licenses:          enabled

Tested 15 dependencies for known issues, found 4 issues.

Pro tip: use `--file` option to get base image remediation advice.
Example: $ snyk test --docker golang@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8 --file=path/to/Dockerfile

To remove this message in the future, please run `snyk config set disableSuggestions=true`
52dbfc81ec12df22e2ab1e7c9c4f4ee3dff73514e56a54924714d29ac03ff791 
snyk container test golang@sha256:52dbfc81ec12df22e2ab1e7c9c4f4ee3dff73514e56a54924714d29ac03ff791

Testing golang@sha256:52dbfc81ec12df22e2ab1e7c9c4f4ee3dff73514e56a54924714d29ac03ff791...

✗ Medium severity vulnerability found in musl/musl
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-ALPINE313-MUSL-1067865
  Introduced through: musl/[email protected], busybox/[email protected], alpine-baselayout/[email protected], openssl/[email protected], openssl/[email protected], zlib/[email protected], apk-tools/[email protected], libtls-standalone/[email protected], busybox/[email protected], ca-certificates/ca-certificates@20191127-r5, musl/[email protected], pax-utils/[email protected], libc-dev/[email protected]
  From: musl/[email protected]
  From: busybox/[email protected] > musl/[email protected]
  From: alpine-baselayout/[email protected] > musl/[email protected]
  and 11 more...
  Image layer: '/bin/sh -c apk add --no-cache 		ca-certificates'
  Fixed in: 1.2.2_pre2-r0

✗ High severity vulnerability found in busybox/busybox
  Description: Improper Handling of Exceptional Conditions
  Info: https://snyk.io/vuln/SNYK-ALPINE313-BUSYBOX-1089800
  Introduced through: busybox/[email protected], alpine-baselayout/[email protected], ca-certificates/ca-certificates@20191127-r5, busybox/[email protected]
  From: busybox/[email protected]
  From: alpine-baselayout/[email protected] > busybox/[email protected]
  From: ca-certificates/ca-certificates@20191127-r5 > busybox/[email protected]
  and 1 more...
  Image layer: '/bin/sh -c apk add --no-cache 		ca-certificates'
  Fixed in: 1.32.1-r4



Organization:      seankhliao
Package manager:   apk
Project name:      docker-image|golang
Docker image:      golang@sha256:52dbfc81ec12df22e2ab1e7c9c4f4ee3dff73514e56a54924714d29ac03ff791
Platform:          linux/amd64
Licenses:          enabled

Tested 15 dependencies for known issues, found 2 issues.

Pro tip: use `--file` option to get base image remediation advice.
Example: $ snyk test --docker golang@sha256:52dbfc81ec12df22e2ab1e7c9c4f4ee3dff73514e56a54924714d29ac03ff791 --file=path/to/Dockerfile

To remove this message in the future, please run `snyk config set disableSuggestions=true`

or with your provided dockerfile either

Dockerfile 
$ docker build -t x .
[+] Building 11.2s (6/6) FINISHED
 => [internal] load build definition from Dockerfile                                                                                                                                       0.2s
 => => transferring dockerfile: 521B                                                                                                                                                       0.0s
 => [internal] load .dockerignore                                                                                                                                                          0.2s
 => => transferring context: 2B                                                                                                                                                            0.0s
 => [internal] load metadata for docker.io/library/golang:1.16-alpine@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8                                              0.0s
 => CACHED [1/2] FROM docker.io/library/golang:1.16-alpine@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8                                                         0.0s
 => [2/2] RUN apk upgrade --no-cache &&     apk add --no-cache     bash     git     nodejs     npm     make     gcc musl-dev python3-dev libffi-dev openssl-dev     python3     py3-pip &  7.4s
 => exporting to image                                                                                                                                                                     3.3s
 => => exporting layers                                                                                                                                                                    3.2s
 => => writing image sha256:1d16e89bff2b139992936b2a7c40d0610aa01d10f67cea1f9727fc8ad7460e77                                                                                               0.0s
 => => naming to docker.io/library/x 


$ snyk container test --file=./Dockerfile x

Testing x...

✗ Medium severity vulnerability found in musl/musl-utils
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-ALPINE313-MUSL-1067865
  Introduced through: musl/[email protected], libc-dev/[email protected], meta-common-packages@meta, musl/[email protected]
  From: musl/[email protected]
  From: libc-dev/[email protected] > musl/[email protected]
  From: meta-common-packages@meta > musl/[email protected]
  and 1 more...
  Image layer: Introduced by your base image (golang:1.16-alpine@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8)
  Fixed in: 1.2.2_pre2-r0



Organization:      seankhliao
Package manager:   apk
Target file:       ./Dockerfile
Project name:      docker-image|x
Docker image:      x
Platform:          linux/amd64
Base image:        golang:1.16-alpine@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8
Licenses:          enabled

Tested 78 dependencies for known issues, found 1 issue.

Recommendations for golang:1.16-alpine@sha256:3411aef9ae9cb0fe3534fe2a4d1a9745d952d9a5ed1e20a11ff10549731156e8 are not available, as we haven't found any recent updates to this base image.
Consider upgrading your base image.
See above for details and fixes on individual vulnerabilities

Pro tip: use `--exclude-base-image-vulns` to exclude from display Docker base image vulnerabilities.

To remove this message in the future, please run `snyk config set disableSuggestions=true`

@seankhliao seankhliao added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Apr 1, 2021
@ruffoa
Copy link
Author

ruffoa commented Apr 1, 2021

Hmm, it's possible our vulnerability scanner logic in our builds is broken, unfortunately I'm unable to test it locally due to not having access to Snyk. Thanks for looking into this for me though, guess I'll have to go through our internal logic again 😆

@ruffoa ruffoa closed this as completed Apr 1, 2021
@golang golang locked and limited conversation to collaborators Apr 1, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gopherbot @ruffoa @seankhliao