Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GHSA-hgwp-4vp4-qmm2 has no published or compatible non-vulnerable versions #1742

Open
uhthomas opened this issue Mar 2, 2023 · 10 comments · Fixed by #1743
Open

GHSA-hgwp-4vp4-qmm2 has no published or compatible non-vulnerable versions #1742

uhthomas opened this issue Mar 2, 2023 · 10 comments · Fixed by #1743

Comments

@uhthomas
Copy link

uhthomas commented Mar 2, 2023

google/osv.dev#1084

image

  proxy | time="2023-03-02T10:45:00Z" level=info msg="proxy starting" commit=a70cda06add871b91a3f6a8d40365a448de324f9
  proxy | 2023/03/02 10:45:00 Listening (:1080)
updater | 2023-03-02T10:45:00.207699789 [617562476:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2023-03-02T10:45:02Z" level=info msg="guest starting" commit=4ae6ef7ddf5013e186fd11c1e502a41a31d5d83c
updater | time="2023-03-02T10:45:02Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=617562476 updater_timeout=45m0s updater_version=f75ae402e788a59667156890f3c8742b220421e2-gomod
updater | I, [2023-03-02T10:45:04.140706 #8]  INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | INFO <job_617562476> Starting job processing
  proxy | 2023/03/02 10:45:05 [002] GET https://github.com:443/uhthomas/renovate20706/info/refs?service=git-upload-pack
  proxy | 2023/03/02 10:45:05 [002] * authenticating git server request (host: github.com)
  proxy | 2023/03/02 10:45:05 [002] 200 https://github.com:443/uhthomas/renovate20706/info/refs?service=git-upload-pack
  proxy | 2023/03/02 10:45:05 [004] POST https://github.com:443/uhthomas/renovate20706/git-upload-pack
  proxy | 2023/03/02 10:45:05 [004] * authenticating git server request (host: github.com)
  proxy | 2023/03/02 10:45:05 [004] 200 https://github.com:443/uhthomas/renovate20706/git-upload-pack
  proxy | 2023/03/02 10:45:05 [006] POST https://github.com:443/uhthomas/renovate20706/git-upload-pack
  proxy | 2023/03/02 10:45:05 [006] * authenticating git server request (host: github.com)
  proxy | 2023/03/02 10:45:05 [006] 200 https://github.com:443/uhthomas/renovate20706/git-upload-pack
updater | INFO <job_617562476> Finished job processing
updater | time="2023-03-02T10:45:06Z" level=info msg="task complete" container_id=job-617562476-file-fetcher exit_code=0 job_id=617562476 step=fetcher
updater | I, [2023-03-02T10:45:07.634492 #7]  INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | INFO <job_617562476> Starting job processing
updater | INFO <job_617562476> Starting update job for uhthomas/renovate20706
  proxy | 2023/03/02 10:45:08 [008] GET https://google.golang.org:443/genproto?go-get=1
  proxy | 2023/03/02 10:45:08 [008] 200 https://google.golang.org:443/genproto?go-get=1
updater | INFO <job_617562476> Checking if github.com/cloudflare/cloudflared 0.0.0-20230302083451-354281fc6a29 needs updating
  proxy | 2023/03/02 10:45:10 [012] GET https://proxy.golang.org:443/github.com/cloudflare/cloudflared/@v/list
  proxy | 2023/03/02 10:45:10 [012] 200 https://proxy.golang.org:443/github.com/cloudflare/cloudflared/@v/list
updater | INFO <job_617562476> Latest version is 0.0.0-20230302083451-354281fc6a29
updater | INFO <job_617562476> Dependabot can't find a published or compatible non-vulnerable version for github.com/cloudflare/cloudflared. The latest available version is 0.0.0-20230302083451-354281fc6a29
updater | INFO <job_617562476> Finished job processing
updater | INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | time="2023-03-02T10:45:11Z" level=info msg="task complete" container_id=job-617562476-updater exit_code=0 job_id=617562476 step=updater
@rarkins
Copy link

rarkins commented Mar 2, 2023

As this refers to the Go ecosystem, it shoudl be something like fixed: v0.0.0-20200820-9323844. Any releases sorting after that should be non-vulnerable.

I believe this was the tag it was fixed in: cloudflare/cloudflared@9323844

uhthomas added a commit to uhthomas/advisory-database that referenced this issue Mar 2, 2023
@uhthomas
GHSA-hgwp-4vp4-qmm2: Publish Go module psuedo-version
ebdbe15 
The version "2020.8.1" is not recognised as valid and therefore matches no
revisions of the package. A "psuedo-version" will be matched correctly.

https://go.dev/ref/mod#pseudo-versions

Fixes github#1742

Signed-off-by: Thomas Way <tway@cloudflare.com>
uhthomas added a commit to uhthomas/advisory-database that referenced this issue Mar 2, 2023
@uhthomas
GHSA-hgwp-4vp4-qmm2: Publish Go module psuedo-version
05d7620 
The version "2020.8.1" is not recognised as valid and therefore matches no
revisions of the package. A "psuedo-version" will be matched correctly.

https://go.dev/ref/mod#pseudo-versions

Fixes github#1742

Signed-off-by: Thomas Way <tway@cloudflare.com>
uhthomas added a commit to uhthomas/advisory-database that referenced this issue Mar 2, 2023
@uhthomas
GHSA-hgwp-4vp4-qmm2: Publish psuedo-version
31b7edc 
The version "2020.8.1" is not recognised as valid and therefore matches no
revisions of the package. A "psuedo-version" will be matched correctly.

https://go.dev/ref/mod#pseudo-versions

Fixes github#1742

Signed-off-by: Thomas Way <tway@cloudflare.com>
@uhthomas uhthomas mentioned this issue Mar 2, 2023
Merged
uhthomas added a commit to uhthomas/advisory-database that referenced this issue Mar 2, 2023
@uhthomas
GHSA-hgwp-4vp4-qmm2: Use psuedo-version
8dbf68e 
The version "2020.8.1" is not recognised as valid and therefore matches no
revisions of the package. A "psuedo-version" will be matched correctly.

https://go.dev/ref/mod#pseudo-versions

Fixes github#1742

Signed-off-by: Thomas Way <tway@cloudflare.com>
uhthomas added a commit to uhthomas/advisory-database that referenced this issue Mar 2, 2023
@uhthomas
GHSA-hgwp-4vp4-qmm2: Use psuedo-version
090c384 
The version "2020.8.1" is not recognised as valid and therefore matches no
revisions of the package. A "psuedo-version" will be matched correctly.

https://go.dev/ref/mod#pseudo-versions

Fixes github#1742

Signed-off-by: Thomas Way <tway@cloudflare.com>
@shelbyc
Copy link

shelbyc commented Mar 2, 2023

@uhthomas I just tried putting the pseudoversion in the advisory. What does the alert page look like now?

@uhthomas
Copy link
Author

uhthomas commented Mar 2, 2023
edited

Cool! The Dependabot warning is gone and Renovate has closed the incorrect security fix PR.

uhthomas/renovate20706#4, replaced instead with a normal dependency update PR uhthomas/renovate20706#5.

image

image

@uhthomas
Copy link
Author

uhthomas commented Mar 2, 2023

As a sanity check, I downgraded the dependency to a known vulnerable version and the security warning came back as expected.

image

@uhthomas
Copy link
Author

uhthomas commented Mar 2, 2023

Though, Dependabot still isn't happy about something it seems.

image

  proxy | time="2023-03-02T22:07:44Z" level=info msg="proxy starting" commit=a70cda06add871b91a3f6a8d40365a448de324f9
  proxy | 2023/03/02 22:07:44 Listening (:1080)
updater | 2023-03-02T22:07:44.826920763 [617990696:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2023-03-02T22:07:48Z" level=info msg="guest starting" commit=4ae6ef7ddf5013e186fd11c1e502a41a31d5d83c
updater | time="2023-03-02T22:07:48Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=617990696 updater_timeout=45m0s updater_version=b9aea0dd92aaa11a4c73d95a57d26990b0fc5bd4-gomod
updater | I, [2023-03-02T22:07:51.574673 #6]  INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | INFO <job_617990696> Starting job processing
  proxy | 2023/03/02 22:07:53 [002] GET https://github.com:443/uhthomas/renovate20706/info/refs?service=git-upload-pack
  proxy | 2023/03/02 22:07:53 [002] * authenticating git server request (host: github.com)
  proxy | 2023/03/02 22:07:53 [002] 200 https://github.com:443/uhthomas/renovate20706/info/refs?service=git-upload-pack
  proxy | 2023/03/02 22:07:53 [004] POST https://github.com:443/uhthomas/renovate20706/git-upload-pack
  proxy | 2023/03/02 22:07:53 [004] * authenticating git server request (host: github.com)
  proxy | 2023/03/02 22:07:53 [004] 200 https://github.com:443/uhthomas/renovate20706/git-upload-pack
  proxy | 2023/03/02 22:07:53 [006] POST https://github.com:443/uhthomas/renovate20706/git-upload-pack
  proxy | 2023/03/02 22:07:53 [006] * authenticating git server request (host: github.com)
  proxy | 2023/03/02 22:07:53 [006] 200 https://github.com:443/uhthomas/renovate20706/git-upload-pack
updater | INFO <job_617990696> Finished job processing
updater | time="2023-03-02T22:07:54Z" level=info msg="task complete" container_id=job-617990696-file-fetcher exit_code=0 job_id=617990696 step=fetcher
updater | I, [2023-03-02T22:07:55.969757 #7]  INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | INFO <job_617990696> Starting job processing
updater | INFO <job_617990696> Starting update job for uhthomas/renovate20706
  proxy | 2023/03/02 22:07:56 [010] GET https://google.golang.org:443/genproto?go-get=1
  proxy | 2023/03/02 22:07:57 [010] 200 https://google.golang.org:443/genproto?go-get=1
updater | INFO <job_617990696> Checking if github.com/cloudflare/cloudflared 0.0.0-20200630175554-dbe351620448 needs updating
  proxy | 2023/03/02 22:07:57 [014] GET https://proxy.golang.org:443/github.com/cloudflare/cloudflared/@v/list
  proxy | 2023/03/02 22:07:57 [014] 200 https://proxy.golang.org:443/github.com/cloudflare/cloudflared/@v/list
updater | INFO <job_617990696> Latest version is 0.0.0-20200630175554-dbe351620448
updater | INFO <job_617990696> Dependabot can't find a published or compatible non-vulnerable version for github.com/cloudflare/cloudflared. The latest available version is 0.0.0-20200630175554-dbe351620448
updater | INFO <job_617990696> Finished job processing
updater | INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +---------------------------------------------------------------+
updater | |                 Dependencies failed to update                 |
updater | +-----------------------------------+---------------------------+
updater | | github.com/cloudflare/cloudflared | security_update_not_found |
updater | +-----------------------------------+---------------------------+
updater | time="2023-03-02T22:07:58Z" level=info msg="task complete" container_id=job-617990696-updater exit_code=0 job_id=617990696 step=updater

It seems like some strange behaviour with how Dependabot finds dependency versions as Renovate seems able to manage.

@mctofu
Copy link

mctofu commented Apr 11, 2023

For go modules, Dependabot only supports updates using semver versions that are compatible with go modules. This is how we'd find the available versions:

% go list -m -versions github.com/cloudflare/cloudflared
github.com/cloudflare/cloudflared

% go list -m -versions github.com/coredns/coredns       
github.com/coredns/coredns v0.9.9 v0.9.10 v1.0.0 v1.0.1 v1.0.2 v1.0.3 v1.0.4 v1.0.5 v1.0.6 v1.1.0 v1.1.1 v1.1.2 v1.1.3 v1.1.4 v1.2.0 v1.2.1 v1.2.2 v1.2.3 v1.2.4 v1.2.5 v1.2.6 v1.3.0 v1.3.1 v1.4.0 v1.5.0 v1.5.1 v1.5.2 v1.6.0 v1.6.1 v1.6.2 v1.6.3 v1.6.4 v1.6.5 v1.6.6 v1.6.7 v1.6.8 v1.6.9 v1.7.0 v1.7.1 v1.8.0 v1.8.1 v1.8.2 v1.8.3 v1.8.4 v1.8.5 v1.8.6 v1.8.7 v1.9.0 v1.9.1 v1.9.2 v1.9.3 v1.9.4 v1.10.0 v1.10.1

cloudflared returns no results. While cloudflared is tagging their repo with semver-ish versions like 2020.8.1 these aren't compatible with go modules because it doesn't follow the major version rules.

It could be possible to allow Dependabot to try updating a later commit instead but may not be worth the effort to support non-conforming modules. I'm not sure this module is intended to be used as a dependency based on their versioning scheme.

@uhthomas
Copy link
Author

FWIW it is intended to be used as a dependency. We do so for some projects internally. I think we agree the versioning scheme is weird and I believe the authors are interested in using a more compliant semver scheme at some point.

@mctofu
Copy link

mctofu commented Aug 7, 2023

Just following up from the dependabot-updates end. We don't intend to support the non-conforming versioning scheme used by github.com/cloudflare/cloudflared so this is expected behavior for update attempts. If the library switches to a scheme that returns results from the go list -m -versions command then updates will work.

@uhthomas
Copy link
Author

uhthomas commented Aug 7, 2023

Just following up from the dependabot-updates end. We don't intend to support the non-conforming versioning scheme used by github.com/cloudflare/cloudflared so this is expected behavior for update attempts. If the library switches to a scheme that returns results from the go list -m -versions command then updates will work.

Pseudo versions like we provided to fix the issue should continue to work though, right?

@mctofu
Copy link

mctofu commented Aug 7, 2023

Pseudo versions like we provided to fix the issue should continue to work though, right?

Yup, they'll work for Dependabot alerting & it's the correct way to list them in the advisory as that's how the versions are captured in the go.mod (ignoring the invalid version and capturing the commit info instead). We just won't be able to create fix PRs which is a problem with github.com/cloudflare/cloudflared and not the advisory. We can create a PR that gets you from a vulnerable psuedo version to a fixed non-psudeo version but we won't update from psuedo version to another psuedo version as the go list -m versions command doesn't return psuedo versions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

GHSA-hgwp-4vp4-qmm2: Use psuedo-version uhthomas/advisory-database
4 participants
@mctofu @shelbyc @rarkins @uhthomas