Graphviz Update?

[lespea]

One of our internal scanning tools identified the following CVEs present in the included graphviz library: CVE-2019-9904 & CVE-2019-11023. I haven't validated those but I do believe the library is a handful of version behind anyway... not sure how much work it is updating the library code?

[Vithanco]

Indeed, this looks like a valid question. Can we update Graphviz? It currently looks like the Graphviz source and GO source are intermingled. Can we do this differently?

[little-nil]

Do me a favor. I have the same problem

[Vithanco]

Btw, this looks like a really great library. The description sounds like this is my dream.
So, this wasn't meant as criticism. I am more interested whether it makes sense to get involved... Hence my request. Can we create this maybe as a fork of Graphviz itself? With the sources of this library as true extension of this fork? I noticed that Graphviz got some maintainers and is picking up speed.

Or any better idea?

I am willing to add some hours to that endeavour as well, but only started learning Go, so I would need help.

[goccy]

I'll prepare a mechanism to easily update the C source of Graphviz.
For example, use the following command ( make update/graphviz/{version})

make update/graphviz/2.40.1

[Vithanco]

this sounds fantastic!

[little-nil]

I'll prepare a mechanism to easily update the C source of Graphviz. For example, use the following command ( make update/graphviz/{version})

make update/graphviz/2.40.1

I finally got you.
You are the god of salvation.
This is a moment to celebrate!

[Vithanco]

Did you ever try to compile towards WebAssembly?

[Vithanco]

I assume WebAssembly doesn't work:
imports github.com/goccy/go-graphviz/internal/ccall: build constraints exclude all Go files in ${MyPATH}/pkg/mod/github.com/goccy/go-graphviz@v0.0.9/internal/ccall

[TimJJTing]

Any updates on this?

[spacedub]

@Vithanco did you end-up having a functioning fork with updated upstream graphviz?

[Vithanco]

Sorry, after some further consideration did I choose JavaScript over Go. But I still thinking this is a great library.

Thanks for the follow up & good luck!

[spacedub]

@goccy would love to see this happen - and of course happy to help if you can provide some pointers.

[esnible]

The "Mend" tool complains about three CVEs in the embedded version of GraphViz. Consider replacing the current GraphViz source with newer source. I looked up Mend's complaints, here they are:

• https://www.mend.io/vulnerability-database/CVE-2020-18032
  • High severity
  • Buffer Overflow in … "lib/common/shapes.c" component.
    • https://github.com/goccy/go-graphviz/blob/master/internal/ccall/common/shapes.c
    • GraphViz has moved on to https://gitlab.com/graphviz/graphviz/-/blob/main/lib/common/shapes.c
• https://www.mend.io/vulnerability-database/CVE-2019-11023
  • High severity
  • The agroot() function in cgraph\obj.c in libcgraph.a in Graphviz 2.39.20160612.1140 has a NULL pointer dereference
    • https://github.com/goccy/go-graphviz/blob/master/internal/ccall/cgraph/obj.c
    • GraphViz has moved on to https://gitlab.com/graphviz/graphviz/-/blob/main/lib/cgraph/obj.c
• https://www.mend.io/vulnerability-database/CVE-2019-9904
  • Medium severity
  • lib\cdt\dttree.c in libcdt.a in graphviz 2.40.1. Stack consumption occurs because of recursive agclose calls in lib\cgraph\graph.c
    • https://github.com/goccy/go-graphviz/blob/master/internal/ccall/cgraph/graph.c
    • GraphViz has moved on to https://gitlab.com/graphviz/graphviz/-/blob/main/lib/cgraph/graph.c