Skip to content

please release a new version of the api module to make vulnerability scanners happy #10674

Description

@eli-darkly

This issue is a replacement for #10597. When I filed that one, I had some misunderstandings that muddied the waters; the underlying problem is described better here.

Briefly: we've become aware that at least one vulnerability scanning tool (Black Duck)—and/or whatever vulnerability database it is using, which other similar products may also be using—identifies vulnerable versions of Consul very generally as being vulnerable versions of any Go module in this repo with a matching version tag. For instance, https://nvd.nist.gov/vuln/detail/CVE-2019-12291 describes a vulnerability in "Hashicorp Consul 1.4.0 and 1.5.0". It is clearly referring to the Consul agent, not the API client; the vulnerability as described is a server-side issue. Nevertheless, if my software uses v1.5.0 of github.com/hashicorp/consul/api, the scanner regards that dependency as being simply "Consul v1.5.0" and flags this as unacceptable.

For this and several other CVEs (see below), it is not possible to work around this problem by updating to a newer version of the api module that happens to match a fixed version of the root module (an update that wouldn't be fixing an actual vulnerability, but would nevertheless satisfy the scanner)... because no such version exists. For obvious reasons the api module is released much less frequently than the main product, and it hasn't had a release since these CVEs were fixed, so the minimum acceptable versions of "Consul" per the CVE are higher than the last patch of api.

This isn't exactly your problem, but it is a real problem. We can only get so far by telling our customers "these are not real vulnerabilities", and we can't count on the makers of these scanning products to make their logic more sophisticated. So unless there's some other workaround I've missed, the only options are 1. we switch to using a fork of this repo (doable, but a semi-breaking change and bad for maintainability) or 2. you release a version of api with no code changes, just to catch its versioning up to the root module. I hope you'll either consider this or let me know if there's another option.

The CVEs we're being flagged on are http://nvd.nist.gov/vuln/detail/CVE-2019-12291, http://nvd.nist.gov/vuln/detail/CVE-2020-7219, http://nvd.nist.gov/vuln/detail/CVE-2020-13250, http://nvd.nist.gov/vuln/detail/CVE-2020-13170, http://nvd.nist.gov/vuln/detail/CVE-2020-7955, http://nvd.nist.gov/vuln/detail/CVE-2020-12797, http://nvd.nist.gov/vuln/detail/CVE-2020-25864, and http://nvd.nist.gov/vuln/detail/CVE-2020-28053.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions