Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nancy: ignore go-retryablehttp@v0.7.4 #2559

Merged
merged 1 commit into from
Jul 2, 2024
Merged

nancy: ignore go-retryablehttp@v0.7.4 #2559

merged 1 commit into from
Jul 2, 2024

Conversation

zzzckck
Copy link
Collaborator

@zzzckck zzzckck commented Jul 2, 2024

Description

Detected Nancy failure:


pkg:golang/github.com/hashicorp/go-retryablehttp@v0.7.4
1 known vulnerabilities affecting installed version 
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2024-6104] CWE-532: Information Exposure Through Log Files                                                                                                                                                                 ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to                                                                                                                                 ┃
┃                    ┃ its log file. This could lead to go-retryablehttp writing sensitive HTTP                                                                                                                                   ┃
┃                    ┃ basic auth credentials to its log file. This vulnerability, CVE-2024-6104,                                                                                                                                 ┃
┃                    ┃ was fixed in go-retryablehttp 0.7.7.                                                                                                                                                                       ┃
��━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫

go-retryablehttp is imported indirectly by cloudflare-go, which is only used for cmd/devp2p, the vulnerability is limited. Update the go-retryablehttp to v0.7.7 will upgrade many other dependencies, so we can delay this upgrade right now.

go mod why -m github.com/hashicorp/go-retryablehttp
# github.com/hashicorp/go-retryablehttp
github.com/ethereum/go-ethereum/cmd/devp2p
github.com/cloudflare/cloudflare-go
github.com/hashicorp/go-retryablehttp

Rationale

NA

Example

NA

@zzzckck zzzckck changed the title nancy: ignore go-retryablehttp@v0.7.4 in .nancy-ignore nancy: ignore go-retryablehttp@v0.7.4 Jul 2, 2024
@zzzckck zzzckck merged commit 51e27f9 into bnb-chain:develop Jul 2, 2024
7 checks passed
This was referenced Jul 17, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zlacfzy zlacfzy zlacfzy approved these changes

@buddh0 buddh0 buddh0 approved these changes

@MatusKysel MatusKysel MatusKysel approved these changes

@galaio galaio Awaiting requested review from galaio

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@zzzckck @MatusKysel @buddh0 @zlacfzy