gogo protobuf CVE-2021-3121 (< 1.3.2) in go.sum (indirect dependencies) #10581

Closed
Emeka-MSFT opened this issue Feb 3, 2022 · 6 comments

@Emeka-MSFT

Problem

The go.sum file contains references to the older protobuf versions.

  • Doesn't this mean that Telegraf depends on components that require/use the older/vulnerable versions?
  • If this is correct, then would these Telegraf dependencies need to be updated as well?

Related Issue

This is related to issue #9181 with fix #9190

Vulnerable (Indirect) Dependencies

The output below is from running go mod graph and filtering for the vulnerable versions.
I think these should either be updated or removed from Telegraf dependency chain.

github.com/signalfx/com_signalfx_metrics_protobuf@v0.0.2 github.com/gogo/protobuf@v1.3.1
github.com/containerd/ttrpc@v1.0.2 github.com/gogo/protobuf@v1.3.1
github.com/gogo/googleapis@v1.4.0 github.com/gogo/protobuf@v1.3.1
github.com/openzipkin/zipkin-go@v0.2.1 github.com/gogo/protobuf@v1.2.0
github.com/influxdata/influxdb@v1.8.4 github.com/gogo/protobuf@v1.3.1
github.com/prometheus/alertmanager@v0.21.0 github.com/gogo/protobuf@v1.3.1
github.com/gogo/protobuf@v1.3.1 github.com/kisielk/errcheck@v1.2.0
github.com/gogo/protobuf@v1.3.1 github.com/kisielk/gotool@v1.0.0
github.com/containerd/typeurl@v1.0.1 github.com/gogo/protobuf@v1.3.1
go.etcd.io/etcd@v0.5.0-alpha.5.0.20200910180754-dd1b699fc489 github.com/gogo/protobuf@v1.2.1
github.com/spf13/viper@v1.7.1 github.com/gogo/protobuf@v1.2.1
github.com/lightstep/lightstep-tracer-go@v0.18.1 github.com/gogo/protobuf@v1.2.1
github.com/openzipkin/zipkin-go@v0.2.2 github.com/gogo/protobuf@v1.2.0
go.etcd.io/etcd@v0.0.0-20191023171146-3cf2f69b5738 github.com/gogo/protobuf@v1.2.1
google.golang.org/grpc@v1.20.0 github.com/gogo/protobuf@v1.2.0
github.com/influxdata/influxql@v1.1.1-0.20200828144457-65d3ef77d385 github.com/gogo/protobuf@v1.3.1
github.com/grpc-ecosystem/go-grpc-middleware@v1.2.2 github.com/gogo/protobuf@v1.2.1
github.com/spf13/viper@v1.6.2 github.com/gogo/protobuf@v1.2.1
github.com/containerd/cgroups@v0.0.0-20210114181951-8a68de567b68 github.com/gogo/protobuf@v1.3.1
github.com/prometheus/common@v0.4.1 github.com/gogo/protobuf@v1.1.1
github.com/containerd/zfs@v0.0.0-20210301145711-11e8f1707f62 github.com/gogo/protobuf@v1.3.1
k8s.io/api@v0.20.1 github.com/gogo/protobuf@v1.3.1
k8s.io/apimachinery@v0.20.1 github.com/gogo/protobuf@v1.3.1
k8s.io/apiserver@v0.20.1 github.com/gogo/protobuf@v1.3.1
k8s.io/client-go@v0.20.1 github.com/gogo/protobuf@v1.3.1
k8s.io/cri-api@v0.20.1 github.com/gogo/protobuf@v1.3.1
github.com/spf13/viper@v1.4.0 github.com/gogo/protobuf@v1.2.1
k8s.io/api@v0.20.4 github.com/gogo/protobuf@v1.3.1
k8s.io/apimachinery@v0.20.4 github.com/gogo/protobuf@v1.3.1
k8s.io/apiserver@v0.20.4 github.com/gogo/protobuf@v1.3.1
k8s.io/client-go@v0.20.4 github.com/gogo/protobuf@v1.3.1
k8s.io/cri-api@v0.20.4 github.com/gogo/protobuf@v1.3.1
github.com/gogo/protobuf@v1.2.1 github.com/kisielk/errcheck@v1.1.0
github.com/prometheus/common@v0.2.0 github.com/gogo/protobuf@v1.1.1
github.com/spf13/viper@v1.7.0 github.com/gogo/protobuf@v1.2.1
github.com/lightstep/lightstep-tracer-common/golang/gogo@v0.0.0-20190605223551-bc2310a04743 github.com/gogo/protobuf@v1.2.1
github.com/containerd/cgroups@v0.0.0-20200824123100-0b889c03f102 github.com/gogo/protobuf@v1.3.1
github.com/Microsoft/hcsshim@v0.8.14 github.com/gogo/protobuf@v1.3.1
github.com/Microsoft/hcsshim@v0.8.9 github.com/gogo/protobuf@v1.3.1
github.com/containerd/ttrpc@v1.0.1 github.com/gogo/protobuf@v1.3.1
github.com/containerd/cgroups@v0.0.0-20200710171044-318312a37340 github.com/gogo/protobuf@v1.3.1
github.com/prometheus/common@v0.4.0 github.com/gogo/protobuf@v1.1.1
github.com/prometheus/tsdb@v0.7.1 github.com/gogo/protobuf@v1.1.1
github.com/openzipkin/zipkin-go@v0.1.6 github.com/gogo/protobuf@v1.2.0
github.com/Microsoft/hcsshim/test@v0.0.0-20201218223536-d3e5debf77da github.com/gogo/protobuf@v1.3.1
github.com/containerd/aufs@v0.0.0-20200908144142-dab0cbea06f4 github.com/gogo/protobuf@v1.3.1
github.com/containerd/imgcrypt@v1.0.1 github.com/gogo/protobuf@v1.2.1
github.com/containerd/zfs@v0.0.0-20200918131355-0a33824f23a2 github.com/gogo/protobuf@v1.3.1
github.com/containerd/cgroups@v0.0.0-20200531161412-0dbf7f05ba59 github.com/gogo/protobuf@v1.3.1
github.com/containerd/cgroups@v0.0.0-20190919134610-bf292b21730f github.com/gogo/protobuf@v1.2.1
github.com/Microsoft/hcsshim@v0.8.7 github.com/gogo/protobuf@v1.2.1
github.com/gogo/googleapis@v1.2.0 github.com/gogo/protobuf@v1.2.1
k8s.io/cri-api@v0.17.3 github.com/gogo/protobuf@v1.2.2-0.20190723190241-65acae22fc9d
github.com/containerd/ttrpc@v0.0.0-20191028202541-4f1b8fe65a5c github.com/gogo/protobuf@v1.2.1
github.com/containerd/typeurl@v0.0.0-20190911142611-5eb25027c9fd github.com/gogo/protobuf@v1.3.0
github.com/gogo/protobuf@v1.2.2-0.20190723190241-65acae22fc9d github.com/kisielk/errcheck@v1.2.0
github.com/gogo/protobuf@v1.2.2-0.20190723190241-65acae22fc9d github.com/kisielk/gotool@v1.0.0
github.com/gogo/protobuf@v1.3.0 github.com/kisielk/errcheck@v1.2.0
github.com/gogo/protobuf@v1.3.0 github.com/kisielk/gotool@v1.0.0
@powersj
Contributor

powersj commented Feb 3, 2022

Hi,

If you believe that there is a security issue in Telegraf, I would ask that you use the disclosure process laid out by the project. When you filed this bug, there was an option for "Report a security vulnerability". That would have taken you to the security.md, which lists how to disclose a vulnerability.

go mod graph is not a method to find vulnerabilities. The graph docs mention that "Each edge in the graph represents a requirement on a minimum version of a dependency." That does not mean it is the version used by the final binary.

For example, your list shows these two different K8s clients:

k8s.io/client-go@v0.20.1 github.com/gogo/protobuf@v1.3.1
k8s.io/client-go@v0.20.4 github.com/gogo/protobuf@v1.3.1

However, our go.mod specifies the following version, which will be included in the final binary:

k8s.io/client-go v0.22.2

To see what versions come with a binary you can run: go version -m telegraf against the binary that is built. Here I am using a binary built from master:

$ ./telegraf --version
Telegraf 1.22.0-b5de6d6f (git: master b5de6d6f)
$ go version -m telegraf | grep github.com/gogo/protobuf
	dep	github.com/gogo/protobuf	v1.3.2	h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=

Does this resolve your concern?

@powersj powersj closed this as completed Feb 3, 2022
@powersj powersj reopened this Feb 3, 2022
@powersj
Contributor

powersj commented Feb 3, 2022

Whoops, did not mean to close this, till you have had a chance to respond.

@powersj
Contributor

powersj commented Feb 9, 2022

Been nearly a week, so I am going to resolve this.

@powersj powersj closed this as completed Feb 9, 2022
@Emeka-MSFT
Author

Thanks for the explanation, that works.

Side Note: one or more indirect references still depend on the vulnerable version.

@powersj
Contributor

powersj commented Feb 10, 2022

Side Note: one or more indirect references still depend on the vulnerable version.

If you have a full list I'd be curious to see it. Might be an opportunity to work with upstream on updates. I've seen you do a few updates to a couple projects already.

@Emeka-MSFT
Author

Emeka-MSFT commented Feb 10, 2022

Do I Have A List?

Yes; with regards to Telegraf, I was going by the list I pasted earlier.
(Please see my first comment)

Upstream Dependencies (My Observations):

  1. I discovered that each referenced repo has its own set of upstream dependencies; and I think that each of them will need to be analyzed and potentially fixed.
  2. I also noticed that some upstream dependencies already made this change -- i.e. removed references to the vulnerable version. Downstream dependencies just need to update their go.mod files to reference the updated version of these upstream modules (I think including Telegraf in some cases).

Types Of Fixes (My Thoughts):

  1. Update the version of the gogo/protobuf dependency in the go.mod file of each upstream repo.
  2. Ensure that each upstream repo ran go mod tidy.
    (The go.sum file in some upstream repos is out of date -- i.e. not maintained properly; risky dependency).
  3. For repos with no go.mod|go.sum, add them.

When successfully completed, their go.sum will have no reference to the vulnerable version(s).
Likewise, Telegraf go.sum will (then) have no reference to the vulnerable version(s) of gogo/protobuf.

Golang Feature Gaps (My Thoughts):

Ideally, the golang toolset will need to solve this problem -- e.g. by providing a simpler way to:

  1. quickly identify bad/unwanted dependencies and their chain of inclusion.
    IMO, go mod tidy is not sufficient/simple for this task.
  2. Add support for blocking version(s) of dependencies, especially those deemed as "vulnerable|banned|bad".
  3. Add support to fail the build if/when such (banned) dependency is detected in go.mod|go.sum.

Thinking Out Loud/Conclusion

If, why, how, when, what, where,...to get all these done? Well, I don't know 😅 I just think that getting rid of the references from Telegraf's go.sum is important; and Telegraf should be responsible for each/every dependency it references. (This, to me, is the risk of picking/adding dependencies to projects -- i.e. we get to "babysit" all our dependencies...).
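The two positions in this thread can be reconciled in code. powersj's point is that a `go mod graph` edge is a minimum requirement and Go's minimal version selection (MVS) picks the highest version any edge asks for, so the build uses that maximum, not the old versions visible in the graph. Emeka-MSFT's wish is for a check that fails the build when a banned version is what actually gets selected. The program below is an added example, not Telegraf's code or part of the Go toolchain: it replays MVS over `go mod graph` output and then compares the selected version against the first fixed version for CVE-2021-3121 (gogo/protobuf v1.3.2, from the issue title). The embedded graph is constructed from a few edges in the issue plus two assumed requirements of the main module (the thread says go.mod pins k8s.io/client-go v0.22.2 and the built binary carried gogo/protobuf v1.3.2); the version comparison is a simplification of full semver that is adequate for tagged versions and Go pseudo-versions, and replace/exclude directives are ignored.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// sampleGraph is CONSTRUCTED, not a real capture: edges copied from the issue
// plus two assumed requirements of the main module (the thread says go.mod pins
// k8s.io/client-go v0.22.2 and the binary carried gogo/protobuf v1.3.2).
// Each line "<requirer> <module>@<version>" is a MINIMUM version requirement.
const sampleGraph = `github.com/influxdata/telegraf github.com/gogo/protobuf@v1.3.2
github.com/influxdata/telegraf k8s.io/client-go@v0.22.2
k8s.io/client-go@v0.20.1 github.com/gogo/protobuf@v1.3.1
github.com/prometheus/common@v0.4.1 github.com/gogo/protobuf@v1.1.1
github.com/openzipkin/zipkin-go@v0.2.1 github.com/gogo/protobuf@v1.2.0
k8s.io/cri-api@v0.17.3 github.com/gogo/protobuf@v1.2.2-0.20190723190241-65acae22fc9d
`

// parseVersion splits "vMAJOR.MINOR.PATCH[-prerelease][+meta]" into its numeric
// core and pre-release tag. Go pseudo-versions are pre-releases of the next patch.
func parseVersion(v string) (core [3]int, pre string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i] // drop build metadata such as +incompatible
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v, pre = v[:i], v[i+1:]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		core[i], _ = strconv.Atoi(p) // malformed parts compare as 0
	}
	return core, pre
}

// lessVersion reports a < b: numeric core first; a pre-release sorts below the
// release with the same core; two pre-releases compare as strings (fine for
// pseudo-versions, whose tag is a zero-padded timestamp; a semver simplification).
func lessVersion(a, b string) bool {
	ca, pa := parseVersion(a)
	cb, pb := parseVersion(b)
	for i := 0; i < 3; i++ {
		if ca[i] != cb[i] {
			return ca[i] < cb[i]
		}
	}
	if pa == "" || pb == "" {
		return pa != "" // only a pre-release is below a release of the same core
	}
	return pa < pb
}

// selectVersions replays MVS over the graph: the version that lands in the build
// is the maximum any edge requires, not the old edges the graph also prints.
// (replace/exclude are ignored; `go list -m all` and `go version -m` are authoritative.)
func selectVersions(graph string) map[string]string {
	selected := map[string]string{}
	for _, line := range strings.Split(graph, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		at := strings.LastIndexByte(f[1], '@')
		if at < 0 {
			continue // the main module has no version; it is never a requirement here
		}
		mod, ver := f[1][:at], f[1][at+1:]
		if cur, seen := selected[mod]; !seen || lessVersion(cur, ver) {
			selected[mod] = ver
		}
	}
	return selected
}

// belowFixed lists modules whose SELECTED version is older than the first fixed
// version: what is actually still vulnerable in the build, and a fair reason to fail it.
func belowFixed(selected, fixed map[string]string) []string {
	var bad []string
	for mod, fix := range fixed {
		if sel, ok := selected[mod]; ok && lessVersion(sel, fix) {
			bad = append(bad, fmt.Sprintf("%s@%s (fixed in %s)", mod, sel, fix))
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	// CVE-2021-3121 is fixed in github.com/gogo/protobuf v1.3.2 (issue title).
	fixed := map[string]string{"github.com/gogo/protobuf": "v1.3.2"}
	selected := selectVersions(sampleGraph)
	if bad := belowFixed(selected, fixed); len(bad) > 0 {
		fmt.Println("FAIL: build selects vulnerable versions:", bad)
		os.Exit(1)
	}
	fmt.Println("OK: selected github.com/gogo/protobuf", selected["github.com/gogo/protobuf"])
}
```

Run against a real project with `go mod graph > graph.txt` and feed the file instead of the constant; on a Go 1.17+ module the graph is already pruned to what the build can see, so the maximum per module matches `go list -m all` unless the go.mod has replace or exclude directives. Cross-check a shipped binary with `go version -m <binary>`, as powersj did above, since that reads the versions actually linked in.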
