
mimisbrunnr's Introduction

Mimisbrunnr

(Pronounced "mims-brun-er")

Summary

Mimisbrunnr provides device level event delivery. It registers a webhook to Caduceus. Upon receiving Caduceus events, Mimisbrunnr fans out those events to any current device registrations it has. Mimisbrunnr has an API to allow consumers to register to receive events for a specific device. This registration object is called a norn.

Code of Conduct

This project and everyone participating in it are governed by the XMiDT Code Of Conduct. By participating, you agree to this Code.

Details

This service is still being developed, so some details are currently unknown.

API

  • POST on /norns - creates the norn, stores it in argus, and returns the norn id; if a norn with the same destination and device id already exists, it is updated instead, as long as the client owns it
  • PUT on /norns/<id> - updates an existing norn, as long as the client owns it
  • DELETE on /norns/<id> - deletes the norn from argus, as long as the client owns it
  • GET on /norns - returns a list of norns that the client owns
  • GET on /norns/<id> - returns the norn attached to the id given, as long as the client owns it
  • POST on /events - mimisbrunnr validates the event and possibly sends it to applicable norns

Norn

A consumer will request events from a particular device to be sent to a destination. The request is called a Norn and MUST contain the following information:

  • deviceID
  • destination and required information to successfully send the message such as auth or access keys.
  • duration for how long to listen to the event. (details of this still being discussed)
  • a filter function to determine if the event should be sent. Note: not a part of the MVP.

For the remainder of that duration, events will be delivered to the specified destination with best effort (i.e. delivery is not guaranteed).

Additional Design Decisions:

  • All incoming and outgoing events must be WRPs
  • There should be a maximum duration a norn can last, which will be configurable in the yaml.
  • Destinations for the MVP will only support http and sqs
  • An internal buffering system will be used, one per norn.
  • No two norns will share the exact same device ID and destination.
  • If the channel for the destination is full, the destination will be notified and the message will be dropped.

Install

Add details here.

Contributing

Refer to CONTRIBUTING.md.

mimisbrunnr's People

Contributors

denopink, dependabot[bot], gargidb, j-mai, kcajmagic, kristinapathak, renaz6, schmidtw

Forkers

j-mai

mimisbrunnr's Issues

CVE-2024-24786 (Medium) detected in google.golang.org/protobuf-v1.28.1

CVE-2024-24786 - Medium Severity Vulnerability

Vulnerable Library - google.golang.org/protobuf-v1.28.1

Go support for Google's protocol buffers

Library home page: https://proxy.golang.org/google.golang.org/protobuf/@v/v1.28.1.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/prometheus/client_golang-v1.13.0 (Root Library)
    • google.golang.org/protobuf-v1.28.1 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Publish Date: 2024-03-05

URL: CVE-2024-24786

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2024-2611

Release Date: 2024-03-05

Fix Resolution: v1.33.0


Step up your Open Source Security Game with Mend here

Modify yaml to not have keys with the word "config"

registryConfig:

dispatcherConfig:

parserConfig:

The whole file is configuration, so the word "config" doesn't help provide any specificity as to what this part of the yaml is about. We should remove the names "config", and if the name alone isn't self descriptive, we can update it to be more descriptive.

Refactor Long Functions to Increase Readability

Refactor long functions

There are a few long functions that should be refactored and broken up into more readable sections.
By default, the funlen linter has a limit of 60 lines or 40 statements per function. It is the goal to adhere to these standards.
Currently, the funlen linter in this repo is disabled; this should be enabled as part of this issue. It can be enabled by adding it to the enable section of the .golangci.yaml config file.

To Do

  • Enable funlen linter in the .golangci.yaml config file
  • Run the linter golangci-lint run
  • Refactor and break up the functions the linter complains about

Update deprecated libraries

The staticcheck linter checks for deprecated imports. This has been disabled for imports of webpa-common/v2/logging and other libraries, but should be enabled as part of this ticket. A new logger will need to be added.

To Do

  • Search for nolint:staticcheck in the repo and remove the comments
  • Run the linter golangci-lint run
  • Reconfigure logging in those files, most likely using uber/zap
  • Fix other staticcheck deprecated issues that may be in the repo

Re-assess lines ignored by the linter

At the moment, there are a few lines of code that are ignored by the linter. Re-assess whether or not these should continue to be ignored.

To Do

  • Search for nolint in the repo and re-assess the results, remove the ignore if needed
  • Run the linter to make sure no issues are flagged. Fix issues if they are flagged

(unify) Fix license errors and enable checking.

Fix license errors and enable checking all the time.

Verify each license and add them to the accepted list.

Enable license checking in the action

In .github/workflows/ci.yml remove the line license-skip: true.

(unify) Use SPDX for copyright and reuse.

Copyright header update

Replace the full apache header at the top of each file with this:

// SPDX-FileCopyrightText: {{DATE}} Comcast Cable Communications Management, LLC
// SPDX-License-Identifier: Apache-2.0

Replace {{DATE}} with the copyright date in the file.

For all Go files that are not generated and are missing this header, add it.

Reuse preparation

Install: reuse

Create a directory named .reuse.

Add the file .reuse/dep5 with contents based on this:

Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: {{REPO}}
Upstream-Contact: {{MAINTAINER}}
Source: https://github.com/xmidt-org/{{REPO}}

Files: .golangci.yml
Copyright: SPDX-FileCopyrightText: 2023 Comcast Cable Communications Management, LLC
License: Apache-2.0

Files: go.mod
Copyright: SPDX-FileCopyrightText: 2023 Comcast Cable Communications Management, LLC
License: Apache-2.0

Files: go.sum
Copyright: SPDX-FileCopyrightText: 2023 Comcast Cable Communications Management, LLC
License: Apache-2.0

Files: .gitignore
Copyright: SPDX-FileCopyrightText: 2023 Comcast Cable Communications Management, LLC
License: Apache-2.0

Files: MAINTAINERS.md
Copyright: SPDX-FileCopyrightText: 2023 Comcast Cable Communications Management, LLC
License: Apache-2.0

Files: README.md
Copyright: SPDX-FileCopyrightText: 2023 Comcast Cable Communications Management, LLC
License: Apache-2.0

Files: .whitesource
Copyright: SPDX-FileCopyrightText: 2023 Comcast Cable Communications Management, LLC
License: Apache-2.0

You may need to add/change files that cannot have copyright headers later.

Installing licenses

Run:

reuse download Apache-2.0

Checking the repo is compliant

Run:

reuse lint

You should see something similar to this:

# SUMMARY

* Bad licenses:
* Deprecated licenses:
* Licenses without file extension:
* Missing licenses:
* Unused licenses:
* Used licenses: Apache-2.0
* Read errors: 0
* Files with copyright information: 14 / 14
* Files with license information: 14 / 14

Congratulations! Your project is compliant with version 3.0 of the REUSE Specification :-)

If not, fix the issues.

Enable copyright checking in the action

In .github/workflows/ci.yml remove the line copyright-skip: true.

CVE-2024-28122 (Medium) detected in github.com/lestrrat-go/jwx/v2-v2.0.6

CVE-2024-28122 - Medium Severity Vulnerability

Vulnerable Library - github.com/lestrrat-go/jwx/v2-v2.0.6

Implementation of various JWx (Javascript Object Signing and Encryption/JOSE) technologies

Library home page: https://proxy.golang.org/github.com/lestrrat-go/jwx/v2/@v/v2.0.6.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/xmidt-org/argus-v0.9.2 (Root Library)
    • github.com/xmidt-org/clortho-v0.0.4
      • github.com/lestrrat-go/jwx/v2-v2.0.6 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

JWX is Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. This issue has been patched in versions 1.2.29 and 2.0.21.

Publish Date: 2024-03-09

URL: CVE-2024-28122

CVSS 3 Score Details (6.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hj3v-m684-v259

Release Date: 2024-03-09

Fix Resolution: v1.2.29,v2.0.21


CVE-2020-13949 (High) detected in github.com/open-telemetry/opentelemetry-go-v0.19.0 - autoclosed

CVE-2020-13949 - High Severity Vulnerability

Vulnerable Library - github.com/open-telemetry/opentelemetry-go-v0.19.0

OpenTelemetry Go API and SDK

Dependency Hierarchy:

  • github.com/xmidt-org/themis-v0.4.8 (Root Library)
    • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp-v0.19.0
      • github.com/open-telemetry/opentelemetry-go-v0.19.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

Publish Date: 2021-02-12

URL: CVE-2020-13949

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/r43dc2b2e928e9d845b07ac075634cb759d91bb852421dc282f87a74a%40%3Cdev.thrift.apache.org%3E

Release Date: 2021-02-12

Fix Resolution: v0.14.0


CVE-2022-21698 (High) detected in github.com/prometheus/client_golang-v1.7.1 - autoclosed

CVE-2022-21698 - High Severity Vulnerability

Vulnerable Library - github.com/prometheus/client_golang-v1.7.1

Prometheus instrumentation library for Go applications

Dependency Hierarchy:

  • github.com/prometheus/client_golang-v1.7.1 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any specific methods (e.g GET) before middleware; pass metric with method label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown method. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the method label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.

Publish Date: 2022-02-15

URL: CVE-2022-21698

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cg3q-j54f-5p7p

Release Date: 2022-02-15

Fix Resolution: v1.11.1


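The workaround this report describes, as an added example that is not code from the project or from the advisory: a method allowlist placed in front of the instrumented handler, so the method label can only ever take a fixed set of values. MethodCounter is a constructed stand-in for a promhttp counter vector with a method label (no Prometheus dependency), so the effect on label cardinality can be observed offline; the same placement applies to the otelhttp report (CVE-2023-45142) later on this page.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"sync"
)

// allowedMethods is the fixed set of method strings the metric label may carry.
var allowedMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodOptions: true,
}

// MethodCounter is a constructed stand-in for a counter vector with a "method"
// label (what promhttp.InstrumentHandlerCounter maintains): one entry per
// distinct label value, which is exactly the cardinality the advisory is about.
type MethodCounter struct {
	mu     sync.Mutex
	counts map[string]int
}

func NewMethodCounter() *MethodCounter { return &MethodCounter{counts: map[string]int{}} }

func (c *MethodCounter) inc(method string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.counts[method]++
}

// Labels returns the distinct method label values seen so far, sorted.
func (c *MethodCounter) Labels() []string {
	c.mu.Lock()
	defer c.mu.Unlock()
	labels := make([]string, 0, len(c.counts))
	for m := range c.counts {
		labels = append(labels, m)
	}
	sort.Strings(labels)
	return labels
}

// Instrument mimics the affected middleware: it records r.Method verbatim as a
// label before delegating, so every unknown method string becomes a new series.
func Instrument(c *MethodCounter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.inc(r.Method)
		next.ServeHTTP(w, r)
	})
}

// RestrictMethods is the workaround the advisory describes: placed in front of
// the instrumented handler, it rejects any method outside the allowlist, so the
// label set can never grow beyond len(allowedMethods).
func RestrictMethods(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedMethods[r.Method] {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// OKHandler is a trivial application handler for the demonstration.
var OKHandler http.Handler = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
	w.WriteHeader(http.StatusOK)
})

// Probe sends one in-memory request per method to h and returns the status codes.
func Probe(h http.Handler, path string, methods []string) []int {
	codes := make([]int, 0, len(methods))
	for _, m := range methods {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(m, path, nil))
		codes = append(codes, rec.Code)
	}
	return codes
}

// Compare runs the same burst through an unprotected and a protected chain and
// returns how many distinct method labels each counter ended up with.
func Compare(methods []string) (unprotected, protected int) {
	uc, pc := NewMethodCounter(), NewMethodCounter()
	Probe(Instrument(uc, OKHandler), "/norns", methods)
	Probe(RestrictMethods(Instrument(pc, OKHandler)), "/norns", methods)
	return len(uc.Labels()), len(pc.Labels())
}

func main() {
	// Constructed burst: two real methods plus three made-up ones, as a flood of random methods would produce.
	burst := []string{"GET", "POST", "GET", "FOO-0001", "FOO-0002", "FOO-0003"}
	u, p := Compare(burst)
	fmt.Printf("distinct method labels: unprotected=%d protected=%d\n", u, p)
}
```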

Bug: Patch Failing Docker Image

The Dockerfile needs to be updated to include this patch:
xmidt-org/tr1d1um@df49bb5

Steps:

  • create missing entrypoint.sh
  • fix breaking chrysom changes
  • fix breaking argus changes
  • fix breaking wrp-listener changes
  • fix linter errors
  • replace deprecated library usage of Maintainer

Endpoint cut off

This should only be done once this issue is solidified.

When a norn's queue fills up, the whole endpoint should be cut off. This means that if multiple norns point to the same endpoint, the cut off should affect all of them.

CVE-2021-31525 (Medium) detected in github.com/golang/net-5f4716e94777e714bc2fb3e3a44599cb40817aac - autoclosed

CVE-2021-31525 - Medium Severity Vulnerability

Vulnerable Library - github.com/golang/net-5f4716e94777e714bc2fb3e3a44599cb40817aac

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • github.com/aws/aws-sdk-go-v1.33.12 (Root Library)
    • github.com/golang/net-5f4716e94777e714bc2fb3e3a44599cb40817aac (Vulnerable Library)

Found in base branch: main

Vulnerability Details

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

Publish Date: 2021-05-27

URL: CVE-2021-31525

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341

Release Date: 2021-05-27

Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0


Move Transport

func NewTransport(dc dispatch.DispatcherConfig) http.RoundTripper {

Transport should be created in main.go and then passed as a dependency to the manager - after starting up, we don't update the transport. The function to create it also belongs in main.go rather than the manager itself.

CVE-2023-45142 (High) detected in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp-v0.36.1

CVE-2023-45142 - High Severity Vulnerability

Vulnerable Library - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp-v0.36.1

Collection of extensions for OpenTelemetry-Go.

Library home page: https://proxy.golang.org/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/@v/v0.36.1.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/xmidt-org/themis-v0.4.9 (Root Library)
    • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp-v0.36.1 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.user_agent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses httpconv.ServerRequest that records every value for HTTP method and User-Agent. In order to be affected, a program has to use the otelhttp.NewHandler wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute http.request.method were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, otelhttp.WithFilter() can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label unknown non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.

Publish Date: 2023-10-12

URL: CVE-2023-45142

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-rcjv-mgp8-qvmr

Release Date: 2023-10-12

Fix Resolution: instrumentation/net/http/otelhttp/v0.44.0


CVE-2021-33194 (High) detected in github.com/golang/net-5f4716e94777e714bc2fb3e3a44599cb40817aac - autoclosed

CVE-2021-33194 - High Severity Vulnerability

Vulnerable Library - github.com/golang/net-5f4716e94777e714bc2fb3e3a44599cb40817aac

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • github.com/aws/aws-sdk-go-v1.33.12 (Root Library)
    • github.com/golang/net-5f4716e94777e714bc2fb3e3a44599cb40817aac (Vulnerable Library)

Found in base branch: main

Vulnerability Details

golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.

Publish Date: 2021-05-26

URL: CVE-2021-33194

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33194

Release Date: 2021-05-26

Fix Resolution: golang.org/x/net - v0.0.0-20210520170846-37e1c6afe023


CVE-2022-29526 (Medium) detected in github.com/golang/sys-8fe3ee5dd75b278632199a2614e4eac8235af0d0 - autoclosed

CVE-2022-29526 - Medium Severity Vulnerability

Vulnerable Library - github.com/golang/sys-8fe3ee5dd75b278632199a2614e4eac8235af0d0

[mirror] Go packages for low-level interaction with the operating system

Dependency Hierarchy:

  • github.com/prometheus/client_golang-v1.7.1 (Root Library)
    • github.com/prometheus/procfs-v0.1.3
      • github.com/golang/sys-8fe3ee5dd75b278632199a2614e4eac8235af0d0 (Vulnerable Library)

Found in HEAD commit: 87ce13055b484209ed8f3bceed05b3fd56bc5c2e

Found in base branch: main

Vulnerability Details

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

Publish Date: 2022-06-23

URL: CVE-2022-29526

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


CVE-2020-28851 (High) detected in github.com/golang/text-v0.3.2 - autoclosed

CVE-2020-28851 - High Severity Vulnerability

Vulnerable Library - github.com/golang/text-v0.3.2

[mirror] Go text processing support

Dependency Hierarchy:

  • github.com/spf13/viper-v1.7.1 (Root Library)
    • github.com/spf13/afero-v1.1.2
      • github.com/golang/text-v0.3.2 (Vulnerable Library)

Found in HEAD commit: 87ce13055b484209ed8f3bceed05b3fd56bc5c2e

Found in base branch: main

Vulnerability Details

In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

Publish Date: 2021-01-02

URL: CVE-2020-28851

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-28851

Release Date: 2021-01-02

Fix Resolution: golang-golang-x-text-dev - 0.3.6-1,0.3.6-1


CVE-2023-49290 (Medium) detected in github.com/lestrrat-go/jwx/v2-v2.0.6

CVE-2023-49290 - Medium Severity Vulnerability

Vulnerable Library - github.com/lestrrat-go/jwx/v2-v2.0.6

Implementation of various JWx (Javascript Object Signing and Encryption/JOSE) technologies

Library home page: https://proxy.golang.org/github.com/lestrrat-go/jwx/v2/@v/v2.0.6.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/xmidt-org/argus-v0.9.2 (Root Library)
    • github.com/xmidt-org/clortho-v0.0.4
      • github.com/lestrrat-go/jwx/v2-v2.0.6 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

lestrrat-go/jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. A p2c parameter set too high in JWE's algorithm PBES2-* could lead to a denial of service. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource-intensive. Therefore, if an attacker sets the p2c parameter in JWE to a very large number, it can cause a lot of computational consumption, resulting in a denial of service. This vulnerability has been addressed in commit 64f2a229b which has been included in release version 1.2.27 and 2.0.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2023-12-05

URL: CVE-2023-49290

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-49290

Release Date: 2023-12-04

Fix Resolution: v1.2.27,v2.0.18


CVE-2022-28131 (Medium) detected in github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc - autoclosed

CVE-2022-28131 - Medium Severity Vulnerability

Vulnerable Library - github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • github.com/aws/aws-sdk-go-v1.44.72 (Root Library)
    • github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc (Vulnerable Library)

Found in base branch: main

Vulnerability Details

CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip

Publish Date: 2022-03-29

URL: CVE-2022-28131

CVSS 3 Score Details (6.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-28131

Release Date: 2022-03-29

Fix Resolution: go1.17.12,go1.18.4


CVE-2020-14040 (High) detected in github.com/golang/text-v0.3.2 - autoclosed

CVE-2020-14040 - High Severity Vulnerability

Vulnerable Library - github.com/golang/text-v0.3.2

[mirror] Go text processing support

Dependency Hierarchy:

  • github.com/spf13/viper-v1.7.1 (Root Library)
    • github.com/spf13/afero-v1.1.2
      • github.com/golang/text-v0.3.2 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Publish Date: 2020-06-17

URL: CVE-2020-14040

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0015

Release Date: 2020-06-17

Fix Resolution: v0.3.3


CVE-2020-28852 (High) detected in github.com/golang/text-v0.3.2 - autoclosed

CVE-2020-28852 - High Severity Vulnerability

Vulnerable Library - github.com/golang/text-v0.3.2

[mirror] Go text processing support

Dependency Hierarchy:

  • github.com/spf13/viper-v1.7.1 (Root Library)
    • github.com/spf13/afero-v1.1.2
      • github.com/golang/text-v0.3.2 (Vulnerable Library)

Found in HEAD commit: 87ce13055b484209ed8f3bceed05b3fd56bc5c2e

Found in base branch: main

Vulnerability Details

In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

Publish Date: 2021-01-02

URL: CVE-2020-28852

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-28852

Release Date: 2021-01-02

Fix Resolution: golang-golang-x-text-dev - 0.3.5-1,0.3.5-1


CVE-2021-38561 (High) detected in golang.org/x/text-v0.3.5 - autoclosed

CVE-2021-38561 - High Severity Vulnerability

Vulnerable Library - golang.org/x/text-v0.3.5

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.5.zip

Dependency Hierarchy:

  • github.com/aws/aws-sdk-go-v1.33.12 (Root Library)
    • github.com/golang/net-5f4716e94777e714bc2fb3e3a44599cb40817aac
      • golang.org/x/text-v0.3.5 (Vulnerable Library)

Found in HEAD commit: 87ce13055b484209ed8f3bceed05b3fd56bc5c2e

Found in base branch: main

Vulnerability Details

Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic, due to an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.

Publish Date: 2021-08-12

URL: CVE-2021-38561

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2021-0113

Release Date: 2021-08-12

Fix Resolution: v0.3.7


CVE-2021-27918 (High) detected in github.com/golang/net-16171245cfb220d5317888b716d69c1fb4e7992b - autoclosed

CVE-2021-27918 - High Severity Vulnerability

Vulnerable Library - github.com/golang/net-16171245cfb220d5317888b716d69c1fb4e7992b

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • github.com/aws/aws-sdk-go-v1.33.12 (Root Library)
    • github.com/golang/net-16171245cfb220d5317888b716d69c1fb4e7992b (Vulnerable Library)

Found in HEAD commit: 87ce13055b484209ed8f3bceed05b3fd56bc5c2e

Found in base branch: main

Vulnerability Details

encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.

Publish Date: 2021-03-11

URL: CVE-2021-27918

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw

Release Date: 2021-03-11

Fix Resolution: 1.15.9, 1.16.1


Add mutex to prevent data races

m.nornsDispatch[norndis.norn.DeviceID] = norndis

for _, nd := range m.nornsDispatch {

Due to Manager function calls being called from multiple different goroutines, one goroutine could potentially be writing to the map while another is trying to read and use it. This is a problem and could cause a data race. Having a RWMutex will prevent us from having this issue:
https://godoc.org/sync#RWMutex
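One way to guard the map the issue points at, as an added Go example (not mimisbrunnr's own Manager; the Norn and nornDispatcher fields and the Register/Targets method names are assumptions). Run with -race to see that the same loop reports a data race once the locks are removed.

```go
package main

import (
	"fmt"
	"sync"
)

// Constructed stand-ins for the types named in the issue (the real structs carry more fields).
type Norn struct{ DeviceID, Destination string }
type nornDispatcher struct{ norn Norn }

// Manager owns the map the issue calls racy; writers take the exclusive lock, readers the shared one.
type Manager struct {
	mu            sync.RWMutex
	nornsDispatch map[string]*nornDispatcher
}

func NewManager() *Manager { return &Manager{nornsDispatch: map[string]*nornDispatcher{}} }
// Register stores or replaces a device's dispatcher under the exclusive lock.
func (m *Manager) Register(nd *nornDispatcher) {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.nornsDispatch[nd.norn.DeviceID] = nd
}

// Targets copies matching norns out under the shared lock; delivery (network I/O) then happens unlocked.
func (m *Manager) Targets(deviceID string) []Norn {
	m.mu.RLock()
	defer m.mu.RUnlock()
	var out []Norn
	for _, nd := range m.nornsDispatch {
		if nd.norn.DeviceID == deviceID {
			out = append(out, nd.norn)
		}
	}
	return out
}

// Concurrent writers and readers: safe with the mutex, a data race (go run -race) without it.
func main() {
	m := NewManager()
	var wg sync.WaitGroup
	for i := 0; i < 100; i++ {
		id := fmt.Sprintf("mac:%02d", i%5) // constructed device id
		wg.Add(2)
		go func() { defer wg.Done(); m.Register(&nornDispatcher{norn: Norn{DeviceID: id, Destination: "https://example.invalid"}}) }()
		go func() { defer wg.Done(); m.Targets(id) }()
	}
	wg.Wait()
	fmt.Println("norns for mac:00:", len(m.Targets("mac:00"))) // 1
}
```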

Rename master branch to main

Also have to change references to the branch in .travis.yml, README, and CONTRIBUTING. Double check any other markdown files as well - sometimes links have the branch name in them.

CVE-2022-30633 (Medium) detected in github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc - autoclosed

CVE-2022-30633 - Medium Severity Vulnerability

Vulnerable Library - github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • github.com/aws/aws-sdk-go-v1.44.72 (Root Library)
    • github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc (Vulnerable Library)

Found in HEAD commit: 87ce13055b484209ed8f3bceed05b3fd56bc5c2e

Found in base branch: main

Vulnerability Details

CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

Publish Date: 2022-05-13

URL: CVE-2022-30633

CVSS 3 Score Details (6.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-30633

Release Date: 2022-05-13

Fix Resolution: go1.17.12, go1.18.4


WS-2023-0177 (Medium) detected in github.com/lestrrat-go/jwx/v2-v2.0.6

WS-2023-0177 - Medium Severity Vulnerability

Vulnerable Library - github.com/lestrrat-go/jwx/v2-v2.0.6

Implementation of various JWx (Javascript Object Signing and Encryption/JOSE) technologies

Library home page: https://proxy.golang.org/github.com/lestrrat-go/jwx/v2/@v/v2.0.6.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/xmidt-org/argus-v0.9.2 (Root Library)
    • github.com/xmidt-org/clortho-v0.0.4
      • github.com/lestrrat-go/jwx/v2-v2.0.6 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

github.com/lestrrat-go/jwx vulnerable to Potential Padding Oracle Attack

Publish Date: 2023-06-14

URL: WS-2023-0177

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-rm8v-mxj3-5rmq

Release Date: 2023-06-14

Fix Resolution: v1.2.26, v2.0.11


(unify) Fix linting errors and enable checking.

Fix linting errors and enable checking all the time.

If possible, fix all the lint errors or mark them as "accepted".

Enable lint checking in the action

In .github.workflows/ci.yml remove the line lint-skip: true.

CVE-2021-44716 (High) detected in github.com/golang/net-16171245cfb220d5317888b716d69c1fb4e7992b - autoclosed

CVE-2021-44716 - High Severity Vulnerability

Vulnerable Library - github.com/golang/net-16171245cfb220d5317888b716d69c1fb4e7992b

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • github.com/aws/aws-sdk-go-v1.33.12 (Root Library)
    • github.com/golang/net-16171245cfb220d5317888b716d69c1fb4e7992b (Vulnerable Library)

Found in base branch: main

Vulnerability Details

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

Publish Date: 2022-01-01

URL: CVE-2021-44716

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-vc3p-29h2-gpcp

Release Date: 2022-01-01

Fix Resolution: github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70


CVE-2024-21664 (High) detected in github.com/lestrrat-go/jwx/v2-v2.0.6

CVE-2024-21664 - High Severity Vulnerability

Vulnerable Library - github.com/lestrrat-go/jwx/v2-v2.0.6

Implementation of various JWx (Javascript Object Signing and Encryption/JOSE) technologies

Library home page: https://proxy.golang.org/github.com/lestrrat-go/jwx/v2/@v/v2.0.6.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/xmidt-org/argus-v0.9.2 (Root Library)
    • github.com/xmidt-org/clortho-v0.0.4
      • github.com/lestrrat-go/jwx/v2-v2.0.6 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS a system doing JWS verification. This vulnerability has been patched in versions 2.0.19 and 1.2.28.

Publish Date: 2024-01-09

URL: CVE-2024-21664

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-pvcr-v8j8-j5q3

Release Date: 2024-01-09

Fix Resolution: v1.2.28, v2.0.19


Split up Dispatcher

Dispatcher should really be two different components/structs/interfaces:

  • one thing that has a queue and decides whether or not to send an event given the device id / norn (give this a different interface name)
  • one thing that is configured to the specific endpoint, which can be used by multiple of the first thing (this should be called the dispatcher since it is actually dispatching the event)

They shouldn't be the same interface, because given the interface here:
https://github.com/xmidt-org/mimisbrunnr/blob/main/dispatch/dispatch.go#L54

  • The filtering struct needs to know the deviceID, but the dispatcher doesn't care.
  • When we add cut off functionality, the interfaces will likely diverge more.

They will likely both need to be updated, but exactly how that works I haven't thought through. Given that multiple filtering interfaces will use the same dispatcher, the manager should have some map/list/something for each dispatcher in order to pass along an existing dispatcher to a newly created filtering struct thing.

Some things I thought of but haven't fully thought through yet:

  • Though they both need to be updated, it might be that the manager will split up a norn's information and update them separately? Also - what happens if just one endpoint is updated with new auth information? (this could be a good reason to have separate dispatchers for each filtering struct but would make it difficult to cut off all dispatchers to a specific endpoint)
  • How do we know a dispatcher is no longer being used by any filtering structs in order to clean it up from the manager?
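As an added sketch (not mimisbrunnr's code) of the two halves proposed above, with the manager handing a destination's existing dispatcher to each new filter; the names EventFilter, endpointDispatcher and AddNorn are assumptions, and the clean-up question is left open as in the issue.

```go
package main

import "fmt"

// Added sketch of the split the issue proposes, not mimisbrunnr's code; the type
// and method names (EventFilter, endpointDispatcher, AddNorn) are assumptions.
type Event struct{ DeviceID, Payload string }

// Dispatcher is the per-destination half: it only delivers to one endpoint and is shared by every norn pointing there.
type Dispatcher interface{ Send(Event) error }
// EventFilter is the per-norn half: it knows the device id and decides whether an event goes out at all.
type EventFilter interface{ Handle(Event) bool }

type endpointDispatcher struct {
	destination string
	delivered   []Event // stands in for the HTTP POST to destination
}

func (d *endpointDispatcher) Send(e Event) error { d.delivered = append(d.delivered, e); return nil }

type nornFilter struct {
	deviceID string
	out      Dispatcher // the shared dispatcher for this norn's destination
}

func (f *nornFilter) Handle(e Event) bool {
	return e.DeviceID == f.deviceID && f.out.Send(e) == nil
}

// Manager keeps one dispatcher per destination and hands the existing one to each new filter.
type Manager struct{ dispatchers map[string]*endpointDispatcher }

func NewManager() *Manager { return &Manager{dispatchers: map[string]*endpointDispatcher{}} }

func (m *Manager) AddNorn(deviceID, destination string) *nornFilter {
	d, ok := m.dispatchers[destination]
	if !ok {
		d = &endpointDispatcher{destination: destination}
		m.dispatchers[destination] = d
	}
	return &nornFilter{deviceID: deviceID, out: d}
}

func main() {
	m := NewManager()
	a := m.AddNorn("mac:aa", "https://example.invalid/hook") // constructed ids and URL
	b := m.AddNorn("mac:bb", "https://example.invalid/hook")
	a.Handle(Event{DeviceID: "mac:aa", Payload: "online"}) // delivered
	b.Handle(Event{DeviceID: "mac:aa", Payload: "online"}) // filtered: not b's device
	fmt.Println(len(m.dispatchers), a.out == b.out)       // 1 true
}
```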

CVE-2022-28948 (Medium) detected in github.com/go-yaml/yaml-v2.4.0 - autoclosed

CVE-2022-28948 - Medium Severity Vulnerability

Vulnerable Library - github.com/go-yaml/yaml-v2.4.0

YAML support for the Go language.

Dependency Hierarchy:

  • github.com/xmidt-org/argus/chrysom-v0.3.10 (Root Library)
    • github.com/xmidt-org/webpa-common/xmetrics-v1.11.5
      • github.com/xmidt-org/webpa-common/logging-v1.11.5
        • github.com/spf13/viper-v1.8.0
          • github.com/go-yaml/yaml-v2.4.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.

Publish Date: 2022-05-19

URL: CVE-2022-28948

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-fm53-mpmp-7qw2

Release Date: 2022-05-19

Fix Resolution: v3.0.0

