Update dependencies for vulnerabilities (make vulncheck) #115

Open
opened 2023-11-21 03:46:17 +00:00 by telackey · 0 comments
Member

We need to update these dependencies, but since many of these are dependencies of cosmos-sdk, it isn't necessarily simple to do, and will definitely require a lot of testing.

Until we can update these, we will disable the check in CI (https://git.vdb.to/cerc-io/laconicd/blob/main/.github/workflows/dependencies.yml).

Makefile:75: RocksDB support is disabled; to build and test with RocksDB support, set ENABLE_ROCKSDB=true
fatal: No names found, cannot describe anything.
mkdir -p /home/runner/work/laconicd/laconicd/build/
GOBIN=/home/runner/work/laconicd/laconicd/build go install golang.org/x/vuln/cmd/govulncheck@latest
go: downloading golang.org/x/vuln v1.0.1
go: downloading golang.org/x/mod v0.12.0
go: downloading golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846
go: downloading golang.org/x/sync v0.3.0
go: downloading golang.org/x/sys v0.11.0
/home/runner/work/laconicd/laconicd/build/govulncheck ./...
Scanning your code and 1172 packages across 171 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2023-2185
    Insecure parsing of Windows paths with a \??\ prefix in path/filepath
  More info: https://pkg.go.dev/vuln/GO-2023-2185
  Standard library
    Found in: path/filepath@go1.19.13
    Fixed in: path/filepath@go1.21.4
    Platforms: windows
    Example traces found:
Error:       #1: rpc/backend/mocks/client.go:807:18: mocks.Client.Validators calls mock.Mock.Called, which eventually calls filepath.Abs
Error:       #2: gql/status.go:94:26: gql.GetDiskUsage calls exec.Command, which calls filepath.Base
Error:       #3: rpc/namespaces/ethereum/debug/utils.go:36:23: debug.ExpandHome calls filepath.Clean
Error:       #4: testutil/network/network.go:367:62: network.New calls genutil.InitializeNodeValidatorFiles, which eventually calls filepath.Dir
Error:       #5: cmd/laconicd/main.go:20:26: laconicd.main calls cmd.Execute, which eventually calls filepath.EvalSymlinks
Error:       #6: testutil/network/network.go:627:15: network.Network.Cleanup calls grpc.Server.Stop, which eventually calls filepath.Glob
Error:       #7: server/start.go:625:26: server.OpenIndexerDB calls filepath.Join
Error:       #8: rpc/namespaces/ethereum/eth/api.go:480:16: eth.PublicAPI.GetPendingTransactions calls server.ZeroLogWrapper.Debug, which eventually calls filepath.Rel
Error:       #9: testutil/network/util.go:170:49: network.collectGenFiles calls genutil.GenAppStateFromConfig, which eventually calls filepath.Split
Error:       #10: gql/status.go:94:55: gql.GetDiskUsage calls exec.Cmd.Output, which eventually calls filepath.VolumeName
Error:       #11: cmd/laconicd/main.go:20:26: laconicd.main calls cmd.Execute, which eventually calls filepath.Walk

Vulnerability #2: GO-2023-2153
    Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc
  More info: https://pkg.go.dev/vuln/GO-2023-2153
  Module: google.golang.org/grpc
    Found in: google.golang.org/grpc@v1.51.0
    Fixed in: google.golang.org/grpc@v1.58.3
    Example traces found:
Error:       #1: testutil/network/util.go:111:45: network.startInProcess calls grpc.StartGRPCServer, which eventually calls transport.NewServerTransport
Error:       #2: testutil/network/util.go:111:45: network.startInProcess calls grpc.StartGRPCServer, which calls grpc.NewServer
Error:       #3: testutil/network/util.go:111:45: network.startInProcess calls grpc.StartGRPCServer, which eventually calls grpc.Server.Serve

Vulnerability #3: GO-2023-2102
    HTTP/2 rapid reset can cause excessive work in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-2102
  Standard library
    Found in: net/http@go1.19.13
    Fixed in: net/http@go1.21.3
    Example traces found:
Error:       #1: gql/server.go:52:28: gql.Server calls http.ListenAndServe
Error:       #2: rpc/websockets.go:101:32: rpc.Start calls http.ListenAndServeTLS
Error:       #3: testutil/network/util.go:119:46: network.startInProcess calls grpc.StartGRPCWeb, which eventually calls http.Server.ListenAndServe
Error:       #4: server/json_rpc.go:88:26: server.StartJSONRPC calls http.Server.Serve
Error:       #5: testutil/network/util.go:67:24: network.startInProcess calls service.BaseService.Start, which eventually calls http.Server.ServeTLS

Vulnerability #4: GO-2023-2043
    Improper handling of special tags within script contexts in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-2043
  Standard library
    Found in: html/template@go1.19.13
    Fixed in: html/template@go1.21.1
    Example traces found:
Error:       #1: gql/graphiql.go:20:22: gql.PlaygroundHandler calls template.Template.Execute
Error:       #2: server/json_rpc.go:88:26: server.StartJSONRPC calls http.Server.Serve, which eventually calls template.Template.ExecuteTemplate

Vulnerability #5: GO-2023-2041
    Improper handling of HTML-like comments in script contexts in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-2041
  Standard library
    Found in: html/template@go1.19.13
    Fixed in: html/template@go1.21.1
    Example traces found:
Error:       #1: gql/graphiql.go:20:22: gql.PlaygroundHandler calls template.Template.Execute
Error:       #2: server/json_rpc.go:88:26: server.StartJSONRPC calls http.Server.Serve, which eventually calls template.Template.ExecuteTemplate

Vulnerability #6: GO-2023-1881
    The x/crisis package does not charge ConstantFee in
    github.com/cosmos/cosmos-sdk
  More info: https://pkg.go.dev/vuln/GO-2023-1881
  Module: github.com/cosmos/cosmos-sdk
    Found in: github.com/cosmos/cosmos-sdk@v0.46.7
    Fixed in: N/A
    Example traces found:
Error:       #1: cmd/laconicd/root.go:143:27: laconicd.addModuleInitFlags calls crisis.AddModuleInitFlags
Error:       #2: app/app.go:757:65: app.EthermintApp.InitChainer calls module.Manager.GetVersionMap, which calls crisis.AppModule.ConsensusVersion
Error:       #3: testutil/network/network.go:123:53: network.DefaultConfig calls module.BasicManager.DefaultGenesis, which calls crisis.AppModuleBasic.DefaultGenesis
Error:       #4: app/app.go:748:24: app.EthermintApp.EndBlocker calls module.Manager.EndBlock, which calls crisis.AppModule.EndBlock
Error:       #5: app/export.go:44:34: app.EthermintApp.ExportAppStateAndValidators calls module.Manager.ExportGenesis, which calls crisis.AppModule.ExportGenesis
Error:       #6: cmd/laconicd/root.go:164:35: laconicd.queryCommand calls module.BasicManager.AddQueryCommands, which calls crisis.AppModuleBasic.GetQueryCmd
Error:       #7: cmd/laconicd/root.go:191:32: laconicd.txCommand calls module.BasicManager.AddTxCommands, which calls crisis.AppModuleBasic.GetTxCmd
Error:       #8: app/app.go:758:27: app.EthermintApp.InitChainer calls module.Manager.InitGenesis, which calls crisis.AppModule.InitGenesis
Error:       #9: app/app.go:657:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.LegacyQuerierHandler
Error:       #10: app/app.go:757:65: app.EthermintApp.InitChainer calls module.Manager.GetVersionMap, which calls crisis.AppModule.Name
Error:       #11: app/app.go:657:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.QuerierRoute
Error:       #12: app/app.go:851:40: app.EthermintApp.RegisterAPIRoutes calls module.BasicManager.RegisterGRPCGatewayRoutes, which calls crisis.AppModuleBasic.RegisterGRPCGatewayRoutes
Error:       #13: encoding/config.go:29:23: encoding.MakeConfig calls module.BasicManager.RegisterInterfaces, which calls crisis.AppModuleBasic.RegisterInterfaces
Error:       #14: app/app.go:656:27: app.NewEthermintApp calls module.Manager.RegisterInvariants, which calls crisis.AppModule.RegisterInvariants
Error:       #15: encoding/config.go:27:29: encoding.MakeConfig calls module.BasicManager.RegisterLegacyAminoCodec, which calls crisis.AppModuleBasic.RegisterLegacyAminoCodec
Error:       #16: app/app.go:659:25: app.NewEthermintApp calls module.Manager.RegisterServices, which calls crisis.AppModule.RegisterServices
Error:       #17: app/app.go:657:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.Route
Error:       #18: cmd/laconicd/main.go:20:26: laconicd.main calls cmd.Execute, which eventually calls crisis.AppModuleBasic.ValidateGenesis
Error:       #19: testutil/network/network.go:123:53: network.DefaultConfig calls module.BasicManager.DefaultGenesis, which calls crisis.AppModuleBasic.Name
Error:       #20: app/app.go:528:22: app.NewEthermintApp calls crisis.NewAppModule

Vulnerability #7: GO-2023-1861
    Cosmos "Barberry" vulnerability in github.com/cosmos/cosmos-sdk
  More info: https://pkg.go.dev/vuln/GO-2023-1861
  Module: github.com/cosmos/cosmos-sdk
    Found in: github.com/cosmos/cosmos-sdk@v0.46.7
    Fixed in: github.com/cosmos/cosmos-sdk@v0.47.3
    Example traces found:
Error:       #1: x/evm/simulation/operations.go:196:33: simulation.SimulateEthTx calls baseapp.BaseApp.SimDeliver, which eventually calls types.MsgCreatePeriodicVestingAccount.ValidateBasic

Vulnerability #8: GO-2023-1860
    IBC protocol "Huckleberry" vulnerability in github.com/cosmos/ibc-go
  More info: https://pkg.go.dev/vuln/GO-2023-1860
  Module: github.com/cosmos/ibc-go/v5
    Found in: github.com/cosmos/ibc-go/v5@v5.2.0
    Fixed in: github.com/cosmos/ibc-go/v5@v5.3.1
    Example traces found:
Error:       #1: x/registry/types/tx.pb.go:1330:19: types.RegisterMsgServer calls baseapp.MsgServiceRouter.RegisterService, which eventually calls keeper.Keeper.UnreceivedPackets
Error:       #2: app/ante/eth.go:375:13: ante.EthIncrementSenderSequenceDecorator.AnteHandle calls types.ChainAnteDecorators, which eventually calls keeper.Keeper.RecvPacket

Vulnerability #9: GO-2023-1821
    The x/crisis package does not cause chain halt in
    github.com/cosmos/cosmos-sdk
  More info: https://pkg.go.dev/vuln/GO-2023-1821
  Module: github.com/cosmos/cosmos-sdk
    Found in: github.com/cosmos/cosmos-sdk@v0.46.7
    Fixed in: N/A
    Example traces found:
Error:       #1: cmd/laconicd/root.go:143:27: laconicd.addModuleInitFlags calls crisis.AddModuleInitFlags
Error:       #2: app/app.go:757:65: app.EthermintApp.InitChainer calls module.Manager.GetVersionMap, which calls crisis.AppModule.ConsensusVersion
Error:       #3: testutil/network/network.go:123:53: network.DefaultConfig calls module.BasicManager.DefaultGenesis, which calls crisis.AppModuleBasic.DefaultGenesis
Error:       #4: app/app.go:748:24: app.EthermintApp.EndBlocker calls module.Manager.EndBlock, which calls crisis.AppModule.EndBlock
Error:       #5: app/export.go:44:34: app.EthermintApp.ExportAppStateAndValidators calls module.Manager.ExportGenesis, which calls crisis.AppModule.ExportGenesis
Error:       #6: cmd/laconicd/root.go:164:35: laconicd.queryCommand calls module.BasicManager.AddQueryCommands, which calls crisis.AppModuleBasic.GetQueryCmd
Error:       #7: cmd/laconicd/root.go:191:32: laconicd.txCommand calls module.BasicManager.AddTxCommands, which calls crisis.AppModuleBasic.GetTxCmd
Error:       #8: app/app.go:758:27: app.EthermintApp.InitChainer calls module.Manager.InitGenesis, which calls crisis.AppModule.InitGenesis
Error:       #9: app/app.go:657:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.LegacyQuerierHandler
Error:       #10: app/app.go:757:65: app.EthermintApp.InitChainer calls module.Manager.GetVersionMap, which calls crisis.AppModule.Name
Error:       #11: app/app.go:657:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.QuerierRoute
Error:       #12: app/app.go:851:40: app.EthermintApp.RegisterAPIRoutes calls module.BasicManager.RegisterGRPCGatewayRoutes, which calls crisis.AppModuleBasic.RegisterGRPCGatewayRoutes
Error:       #13: encoding/config.go:29:23: encoding.MakeConfig calls module.BasicManager.RegisterInterfaces, which calls crisis.AppModuleBasic.RegisterInterfaces
Error:       #14: app/app.go:656:27: app.NewEthermintApp calls module.Manager.RegisterInvariants, which calls crisis.AppModule.RegisterInvariants
Error:       #15: encoding/config.go:27:29: encoding.MakeConfig calls module.BasicManager.RegisterLegacyAminoCodec, which calls crisis.AppModuleBasic.RegisterLegacyAminoCodec
Error:       #16: app/app.go:659:25: app.NewEthermintApp calls module.Manager.RegisterServices, which calls crisis.AppModule.RegisterServices
Error:       #17: app/app.go:657:23: app.NewEthermintApp calls module.Manager.RegisterRoutes, which calls crisis.AppModule.Route
Error:       #18: cmd/laconicd/main.go:20:26: laconicd.main calls cmd.Execute, which eventually calls crisis.AppModuleBasic.ValidateGenesis
Error:       #19: testutil/network/network.go:123:53: network.DefaultConfig calls module.BasicManager.DefaultGenesis, which calls crisis.AppModuleBasic.Name
Error:       #20: app/app.go:528:22: app.NewEthermintApp calls crisis.NewAppModule

=== Informational ===

Found 2 vulnerabilities in packages that you import, but there are no call
stacks leading to the use of these vulnerabilities. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2023-2186
    Incorrect detection of reserved device names on Windows in path/filepath
  More info: https://pkg.go.dev/vuln/GO-2023-2186
  Standard library
    Found in: path/filepath@go1.19.13
    Fixed in: path/filepath@go1.21.4

Vulnerability #2: GO-2022-1098
    Denial of service in message decoding in github.com/btcsuite/btcd
  More info: https://pkg.go.dev/vuln/GO-2022-1098
  Module: github.com/btcsuite/btcd
    Found in: github.com/btcsuite/btcd@v0.22.1
    Fixed in: github.com/btcsuite/btcd@v0.23.2

Your code is affected by 9 vulnerabilities from 3 modules and the Go standard library.

Share feedback at https://go.dev/s/govulncheck-feedback.
make: *** [Makefile:286: vulncheck] Error 3
Error: Process completed with exit code 2.
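The run above mixes three kinds of finding: standard-library issues that go away with a Go toolchain bump (GO-2023-2185, GO-2023-2102, GO-2023-2043, GO-2023-2041), module issues with a published fix (grpc, ibc-go, the cosmos-sdk "Barberry" fix in v0.47.3), and cosmos-sdk findings with no fixed version at all (GO-2023-1881, GO-2023-1821), plus two informational entries that are imported but never called. Rather than switching the whole check off in CI, the triage below turns the `govulncheck -json` stream into one verdict per OSV ID and fails the build only on reachable findings that are not on an explicit accepted-risk list, so a known-unfixable finding can be tolerated by ID, with a recorded reason, while a newly reachable one still fails. This is an added example written for this page, not code from laconicd or the original issue; the sample stream is constructed to mirror three of the findings above, the module path github.com/example/node stands in for the scanned module, and the accepted-risk reason is an assumption. It reads only the `finding` objects of the stream (`osv`, `fixed_version`, `trace`) and treats a trace containing a frame with a non-empty `function` as reachable, which is the call-stack distinction govulncheck draws between the main report and its "Informational" section.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Frame and Finding declare the subset of govulncheck's -json output that this triage reads.
type Frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Function string `json:"function"`
}
type Finding struct {
	OSV          string   `json:"osv"`
	FixedVersion string   `json:"fixed_version"`
	Trace        []*Frame `json:"trace"`
}
// Triage is the verdict folded from all findings that share an OSV ID. Fixed is empty
// when govulncheck prints "Fixed in: N/A"; Called means a vulnerable symbol is reachable.
type Triage struct {
	ID, Module, Version, Fixed string
	Called                     bool
}

// Parse reads a govulncheck -json stream and returns one Triage per OSV ID.
func Parse(r io.Reader) (map[string]*Triage, error) {
	out := map[string]*Triage{}
	dec := json.NewDecoder(r)
	for {
		var m struct{ Finding *Finding `json:"finding"` }
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		f := m.Finding
		if f == nil || len(f.Trace) == 0 { // config, progress and osv objects carry no finding
			continue
		}
		t, ok := out[f.OSV]
		if !ok {
			// trace[0] is the vulnerable frame: its module and version say what is affected.
			t = &Triage{ID: f.OSV, Module: f.Trace[0].Module, Version: f.Trace[0].Version, Fixed: f.FixedVersion}
			out[f.OSV] = t
		}
		for _, fr := range f.Trace {
			t.Called = t.Called || fr.Function != "" // a symbol-level frame means the function is reachable
		}
	}
	return out, nil
}
// Action maps the triage facts onto the remediation a maintainer can act on.
func (t *Triage) Action() string {
	switch {
	case !t.Called:
		return "informational: imported but not called; no action required"
	case t.Module == "stdlib":
		return "upgrade the Go toolchain to go" + strings.TrimPrefix(t.Fixed, "v")
	case t.Fixed == "":
		return "no fixed version published; track upstream and record the accepted risk"
	default:
		return fmt.Sprintf("go get %s@%s", t.Module, t.Fixed)
	}
}

// Gate returns the IDs that should fail CI: reachable vulnerabilities that are not in
// accepted, which maps each tolerated OSV ID to the reason it is tolerated.
func Gate(ts map[string]*Triage, accepted map[string]string) []string {
	var fail []string
	for id, t := range ts {
		if t.Called && accepted[id] == "" {
			fail = append(fail, id)
		}
	}
	sort.Strings(fail)
	return fail
}
// sample is a constructed govulncheck -json stream modelled on three findings from the
// run above; github.com/example/node is an assumed stand-in for the scanned module.
const sample = `{"finding":{"osv":"GO-2023-2185","fixed_version":"v1.21.4","trace":[{"module":"stdlib","version":"v1.19.13","package":"path/filepath","function":"Clean"},{"module":"github.com/example/node","package":"github.com/example/node/debug","function":"ExpandHome"}]}}
{"finding":{"osv":"GO-2023-1881","trace":[{"module":"github.com/cosmos/cosmos-sdk","version":"v0.46.7","package":"github.com/cosmos/cosmos-sdk/x/crisis","function":"NewAppModule"},{"module":"github.com/example/node","package":"github.com/example/node/app","function":"NewApp"}]}}
{"finding":{"osv":"GO-2022-1098","fixed_version":"v0.23.2","trace":[{"module":"github.com/btcsuite/btcd","version":"v0.22.1"}]}}
`
func main() {
	ts, err := Parse(strings.NewReader(sample)) // in CI: Parse(os.Stdin) with govulncheck -json ./... piped in
	if err != nil {
		panic(err)
	}
	for _, t := range ts {
		fmt.Printf("%s %s@%s called=%t -> %s\n", t.ID, t.Module, t.Version, t.Called, t.Action())
	}
	// Accept named IDs with a recorded reason instead of disabling the whole check.
	fmt.Println("fail CI on:", Gate(ts, map[string]string{"GO-2023-1881": "no patched cosmos-sdk v0.46 release"}))
}
```

On the sample stream the stdlib finding is reachable and fixable (toolchain bump), the cosmos-sdk finding is reachable with no fix and is tolerated by ID, and the btcd finding is import-only, so the gate fails on GO-2023-2185 alone. Wiring it into the existing `vulncheck` target would mean running `govulncheck -json ./...` and piping the output into this program instead of relying on govulncheck's own exit code, with the accepted-risk map kept in the repository so each exception is reviewed when the dependency finally moves.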
Reference: cerc-io/laconicd#115