
CVE-2020-24356 does not match correctly #1084

Closed
uhthomas opened this issue Mar 2, 2023 · 5 comments

Comments


uhthomas commented Mar 2, 2023

Both Renovate and GitHub's Dependabot match the version of https://github.com/cloudflare/cloudflared incorrectly. The CVE claims that any versions which match >=2020.8.1 should be fine to use, but warnings are incorrectly raised for versions newer than this.

Originally raised as https://github.com/renovatebot/renovate/issues/20706.

As mentioned in the above issue, I believe this may be due to how OSV and other tools match against versions. The project in question uses a versioning scheme <year>.<month>.<minor>, whereas the version in a Go module is written as v0.0.0-20230302084805-4c3417fedda9.

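The mismatch described in the post above, worked through as an added example (this is not code from the issue, from Renovate or from Dependabot): under semver precedence a Go pseudo-version such as v0.0.0-20230302084805-4c3417fedda9 is a pre-release of v0.0.0 and therefore sorts below v2020.8.1, so any matcher that compares every version as semver reports it vulnerable. The commit timestamp embedded in the pseudo-version gives a reviewer a cheap way to spot that false positive. The function names, the regular expression and the reading of 2020.8.1 as a release from August 2020 (following the <year>.<month>.<minor> scheme the post mentions) are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Constructed inputs taken from the issue text: the version the advisory lists as
// fixed, and the Go pseudo-version under which cloudflared appears in go.mod.
const (
	fixedVersion  = "2020.8.1"
	pseudoVersion = "v0.0.0-20230302084805-4c3417fedda9"
)

// parseCore splits "v?MAJOR.MINOR.PATCH[-prerelease]" into its three numbers and
// the prerelease tag (empty when absent).
func parseCore(v string) (core [3]int, pre string, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return core, "", fmt.Errorf("not MAJOR.MINOR.PATCH: %q", v)
	}
	for i, p := range parts {
		if core[i], err = strconv.Atoi(p); err != nil {
			return core, "", fmt.Errorf("bad component %q: %w", p, err)
		}
	}
	return core, pre, nil
}

// semverLess reports whether a sorts before b under semver precedence: the numeric
// core decides first, then a version carrying a prerelease tag sorts before the
// same core without one (prerelease tags are compared lexically, enough here).
func semverLess(a, b string) (bool, error) {
	ca, pa, err := parseCore(a)
	if err != nil {
		return false, err
	}
	cb, pb, err := parseCore(b)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if ca[i] != cb[i] {
			return ca[i] < cb[i], nil
		}
	}
	switch {
	case pa != "" && pb == "":
		return true, nil
	case pa == "" && pb != "":
		return false, nil
	default:
		return pa < pb, nil
	}
}

// naiveVulnerable is the check a matcher performs when it treats every version as
// semver: "vulnerable if version < fixed". This is what produces the false positive.
func naiveVulnerable(version, fixed string) (bool, error) {
	return semverLess(version, fixed)
}

// pseudoRe (assumed shape) matches the three Go pseudo-version forms:
// vX.Y.Z-yyyymmddhhmmss-hash, vX.Y.Z-pre.0.yyyymmddhhmmss-hash, vX.Y.(Z+1)-0.yyyymmddhhmmss-hash.
var pseudoRe = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:[0-9A-Za-z.]+\.)?(\d{14})-[0-9a-f]{12}$`)

// pseudoVersionTime recovers the UTC commit timestamp a Go pseudo-version encodes.
func pseudoVersionTime(v string) (time.Time, error) {
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return time.Time{}, fmt.Errorf("not a Go pseudo-version: %q", v)
	}
	return time.Parse("20060102150405", m[1])
}

// calendarMonth reads a <year>.<month>.<minor> version (the scheme the issue
// attributes to cloudflared) as the first instant of its release month.
func calendarMonth(v string) (time.Time, error) {
	core, _, err := parseCore(v)
	if err != nil {
		return time.Time{}, err
	}
	if core[0] < 2000 || core[1] < 1 || core[1] > 12 {
		return time.Time{}, fmt.Errorf("not a <year>.<month>.<minor> version: %q", v)
	}
	return time.Date(core[0], time.Month(core[1]), 1, 0, 0, 0, 0, time.UTC), nil
}

// commitAfterFixMonth is a triage heuristic, not proof of safety: a commit stamped
// after the month in which the fixed calendar version shipped cannot be older than
// that release, so the semver verdict deserves a second look against the module's history.
func commitAfterFixMonth(pseudo, fixed string) (bool, error) {
	commit, err := pseudoVersionTime(pseudo)
	if err != nil {
		return false, err
	}
	month, err := calendarMonth(fixed)
	if err != nil {
		return false, err
	}
	return !commit.Before(month.AddDate(0, 1, 0)), nil
}

func main() {
	flagged, _ := naiveVulnerable(pseudoVersion, fixedVersion)
	fmt.Printf("semver says %s < %s: %v (reported vulnerable)\n", pseudoVersion, fixedVersion, flagged)
	later, _ := commitAfterFixMonth(pseudoVersion, fixedVersion)
	fmt.Printf("commit is after the %s release month: %v (likely false positive)\n", fixedVersion, later)
}
```

Run with `go run .`: the first line shows why a pure semver comparison flags the pseudo-version, the second why the embedded timestamp contradicts that verdict. The timestamp check only says the commit postdates the release month; whether the fix is actually on that commit's branch still has to be confirmed from the repository itself, which is why it is labelled a heuristic.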


rarkins commented Mar 2, 2023

What is the raw OSV data for this vulnerability?


uhthomas commented Mar 2, 2023

This warning might also be helpful.


  proxy | time="2023-03-02T10:45:00Z" level=info msg="proxy starting" commit=a70cda06add871b91a3f6a8d40365a448de324f9
  proxy | 2023/03/02 10:45:00 Listening (:1080)
updater | 2023-03-02T10:45:00.207699789 [617562476:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2023-03-02T10:45:02Z" level=info msg="guest starting" commit=4ae6ef7ddf5013e186fd11c1e502a41a31d5d83c
updater | time="2023-03-02T10:45:02Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=617562476 updater_timeout=45m0s updater_version=f75ae402e788a59667156890f3c8742b220421e2-gomod
updater | I, [2023-03-02T10:45:04.140706 #8]  INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | INFO <job_617562476> Starting job processing
  proxy | 2023/03/02 10:45:05 [002] GET https://github.com:443/uhthomas/renovate20706/info/refs?service=git-upload-pack
  proxy | 2023/03/02 10:45:05 [002] * authenticating git server request (host: github.com)
  proxy | 2023/03/02 10:45:05 [002] 200 https://github.com:443/uhthomas/renovate20706/info/refs?service=git-upload-pack
  proxy | 2023/03/02 10:45:05 [004] POST https://github.com:443/uhthomas/renovate20706/git-upload-pack
  proxy | 2023/03/02 10:45:05 [004] * authenticating git server request (host: github.com)
  proxy | 2023/03/02 10:45:05 [004] 200 https://github.com:443/uhthomas/renovate20706/git-upload-pack
  proxy | 2023/03/02 10:45:05 [006] POST https://github.com:443/uhthomas/renovate20706/git-upload-pack
  proxy | 2023/03/02 10:45:05 [006] * authenticating git server request (host: github.com)
  proxy | 2023/03/02 10:45:05 [006] 200 https://github.com:443/uhthomas/renovate20706/git-upload-pack
updater | INFO <job_617562476> Finished job processing
updater | time="2023-03-02T10:45:06Z" level=info msg="task complete" container_id=job-617562476-file-fetcher exit_code=0 job_id=617562476 step=fetcher
updater | I, [2023-03-02T10:45:07.634492 #7]  INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | INFO <job_617562476> Starting job processing
updater | INFO <job_617562476> Starting update job for uhthomas/renovate20706
  proxy | 2023/03/02 10:45:08 [008] GET https://google.golang.org:443/genproto?go-get=1
  proxy | 2023/03/02 10:45:08 [008] 200 https://google.golang.org:443/genproto?go-get=1
updater | INFO <job_617562476> Checking if github.com/cloudflare/cloudflared 0.0.0-20230302083451-354281fc6a29 needs updating
  proxy | 2023/03/02 10:45:10 [012] GET https://proxy.golang.org:443/github.com/cloudflare/cloudflared/@v/list
  proxy | 2023/03/02 10:45:10 [012] 200 https://proxy.golang.org:443/github.com/cloudflare/cloudflared/@v/list
updater | INFO <job_617562476> Latest version is 0.0.0-20230302083451-354281fc6a29
updater | INFO <job_617562476> Dependabot can't find a published or compatible non-vulnerable version for github.com/cloudflare/cloudflared. The latest available version is 0.0.0-20230302083451-354281fc6a29
updater | INFO <job_617562476> Finished job processing
updater | INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | time="2023-03-02T10:45:11Z" level=info msg="task complete" container_id=job-617562476-updater exit_code=0 job_id=617562476 step=updater


rarkins commented Mar 2, 2023

Raw data is here: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-hgwp-4vp4-qmm2/GHSA-hgwp-4vp4-qmm2.json

And especially as that repo accepts Pull Requests, it sounds like it would be better to raise this issue there.


uhthomas commented Mar 2, 2023

Looks like the original Renovate issue was deleted, reproduction repository: https://github.com/uhthomas/renovate20706


uhthomas commented Mar 2, 2023

Thanks @rarkins. I'll open another issue there.
