How to check if an image or app is vulnerable to go-lang CVE
Environment
- Any go-lang application binary
- A go-lang CVE with a known version of Go in which the CVE has been fixed
Issue
- How to check if a go-lang application, component or image is vulnerable to a go-lang CVE
- How to check if a compiled application binary is affected by a CVE that was fixed in a known version of go-lang
Resolution
To check whether an application is vulnerable to a go-lang vulnerability that was fixed in a defined version of go-lang, find out which version was used to build the application by running go version -m /path/to/the/application. The first line of the output prints the go-lang version that was used to compile the source code and generate the binary:
$ go version -m oc-4.15.0
oc-4.15.0: go1.20.12 X:strictfipsruntime
path github.com/openshift/oc/cmd/oc
mod github.com/openshift/oc (devel)
dep github.com/Azure/go-ntlmssp v0.0.0-20211209120228-48547f28849e
dep github.com/BurntSushi/toml v1.3.2
dep github.com/MakeNowJust/heredoc v1.0.0
dep github.com/RangelReale/osincli v0.0.0-20160924135400-fababb0555f2
dep github.com/alessio/shellescape v1.4.1
dep github.com/alicebob/sqlittle v1.4.0
dep github.com/apcera/gssapi v0.0.0-00010101000000-000000000000
=> github.com/openshift/gssapi v0.0.0-20161010215902-5fb4217df13b
dep github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2
dep github.com/aws/aws-sdk-go v1.45.20
dep github.com/beorn7/perks v1.0.1
dep github.com/blang/semver v3.5.1+incompatible
dep github.com/blang/semver/v4 v4.0.0
dep github.com/cespare/xxhash/v2 v2.2.0
dep github.com/chai2010/gettext-go v1.0.2
dep github.com/containerd/containerd v1.7.0
dep github.com/containers/image/v5 v5.29.0
dep github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01
dep github.com/containers/ocicrypt v1.1.9
dep github.com/containers/storage v1.51.0
dep github.com/coreos/go-oidc/v3 v3.9.0
dep github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46
dep github.com/davecgh/go-spew v1.1.1
dep github.com/daviddengcn/go-colortext v1.0.0
dep github.com/distribution/distribution/v3 v3.0.0-20230519140516-983358f8e250
dep github.com/distribution/reference v0.5.0
dep github.com/docker/distribution v2.8.3+incompatible
dep github.com/docker/docker v24.0.7+incompatible
dep github.com/docker/docker-credential-helpers v0.8.0
dep github.com/docker/go-connections v0.4.0
dep github.com/docker/go-metrics v0.0.1
dep github.com/docker/go-units v0.5.0
dep github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7
dep github.com/emicklei/go-restful/v3 v3.10.1
dep github.com/evanphx/json-patch v4.12.0+incompatible
dep github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d
dep github.com/fatih/camelcase v1.0.0
dep github.com/fsnotify/fsnotify v1.6.0
dep github.com/fsouza/go-dockerclient v1.10.0
dep github.com/fvbommel/sortorder v1.1.0
dep github.com/ghodss/yaml v1.0.0
dep github.com/go-asn1-ber/asn1-ber v1.5.4
dep github.com/go-errors/errors v1.4.2
dep github.com/go-git/gcfg v1.5.0
dep github.com/go-git/go-billy/v5 v5.1.0
dep github.com/go-git/go-git/v5 v5.3.0
dep github.com/go-jose/go-jose/v3 v3.0.1
dep github.com/go-ldap/ldap/v3 v3.4.3
dep github.com/go-logr/logr v1.3.0
dep github.com/go-openapi/analysis v0.21.4
dep github.com/go-openapi/errors v0.20.4
dep github.com/go-openapi/jsonpointer v0.19.6
dep github.com/go-openapi/jsonreference v0.20.2
dep github.com/go-openapi/loads v0.21.2
dep github.com/go-openapi/runtime v0.26.0
dep github.com/go-openapi/spec v0.20.9
dep github.com/go-openapi/strfmt v0.21.7
dep github.com/go-openapi/swag v0.22.4
dep github.com/go-openapi/validate v0.22.1
dep github.com/gogo/protobuf v1.3.2
dep github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
dep github.com/golang/protobuf v1.5.3
dep github.com/gonum/blas v0.0.0-20181208220705-f22b278b28ac
dep github.com/gonum/floats v0.0.0-20181209220543-c233463c7e82
dep github.com/gonum/graph v0.0.0-20170401004347-50b27dea7ebb
dep github.com/gonum/internal v0.0.0-20181124074243-f884aa714029
dep github.com/gonum/lapack v0.0.0-20181123203213-e4cdc5a0bff9
dep github.com/gonum/matrix v0.0.0-20181209220409-c518dec07be9
dep github.com/google/btree v1.0.1
dep github.com/google/gnostic-models v0.6.8
dep github.com/google/go-cmp v0.6.0
dep github.com/google/go-containerregistry v0.16.1
dep github.com/google/gofuzz v1.2.0
dep github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
dep github.com/google/uuid v1.3.1
dep github.com/gorilla/mux v1.8.0
dep github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79
dep github.com/hashicorp/errwrap v1.1.0
dep github.com/hashicorp/go-multierror v1.1.1
dep github.com/hashicorp/golang-lru v1.0.2
dep github.com/imdario/mergo v0.3.13
dep github.com/int128/listener v1.1.0
dep github.com/int128/oauth2cli v1.14.0
dep github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99
dep github.com/jmespath/go-jmespath v0.4.0
dep github.com/joelanford/ignore v0.0.0-20210610194209-63d4919d8fb2
dep github.com/jonboulle/clockwork v0.2.2
dep github.com/josharian/intern v1.0.0
dep github.com/json-iterator/go v1.1.12
dep github.com/klauspost/compress v1.17.3
dep github.com/klauspost/pgzip v1.2.6
dep github.com/letsencrypt/boulder v0.0.0-20230213213521-fdfea0d469b6
dep github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de
dep github.com/lithammer/dedent v1.1.0
dep github.com/mailru/easyjson v0.7.7
dep github.com/matttproud/golang_protobuf_extensions v1.0.4
dep github.com/mitchellh/go-wordwrap v1.0.1
dep github.com/mitchellh/mapstructure v1.5.0
dep github.com/moby/buildkit v0.0.0-20181107081847-c3a857e3fca0
dep github.com/moby/patternmatcher v0.6.0
dep github.com/moby/spdystream v0.2.0
dep github.com/moby/sys/mountinfo v0.7.1
dep github.com/moby/sys/sequential v0.5.0
dep github.com/moby/term v0.5.0
dep github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
dep github.com/modern-go/reflect2 v1.0.2
dep github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00
dep github.com/morikuni/aec v1.0.0
dep github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
dep github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f
dep github.com/oklog/ulid v1.3.1
dep github.com/opencontainers/go-digest v1.0.0
dep github.com/opencontainers/image-spec v1.1.0-rc5
dep github.com/opencontainers/runc v1.1.10
dep github.com/opencontainers/runtime-spec v1.1.0
dep github.com/openshift/api v0.0.0-20231207204216-5efc6fca4b2d
dep github.com/openshift/client-go v0.0.0-20230926161409-848405da69e1
dep github.com/openshift/library-go v0.0.0-20231016155954-11c72a39f742
dep github.com/peterbourgon/diskv v2.0.1+incompatible
dep github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8
dep github.com/pkg/errors v0.9.1
dep github.com/pkg/profile v1.3.0
dep github.com/prometheus/client_golang v1.17.0
dep github.com/prometheus/client_model v0.5.0
dep github.com/prometheus/common v0.44.0
dep github.com/prometheus/procfs v0.11.1
dep github.com/robfig/cron v1.2.0
dep github.com/russross/blackfriday/v2 v2.1.0
dep github.com/secure-systems-lab/go-securesystemslib v0.7.0
dep github.com/sigstore/fulcio v1.4.3
dep github.com/sigstore/rekor v1.2.2
dep github.com/sigstore/sigstore v1.7.5
dep github.com/sirupsen/logrus v1.9.3
dep github.com/spf13/cobra v1.7.0
dep github.com/spf13/pflag v1.0.5
dep github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
dep github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
dep github.com/ulikunitz/xz v0.5.11
dep github.com/vbatts/tar-split v0.11.5
dep github.com/vincent-petithory/dataurl v1.0.0
dep github.com/xlab/treeprint v1.2.0
dep go.mongodb.org/mongo-driver v1.11.3
dep go.starlark.net v0.0.0-20230525235612-a134d8f9ddca
dep golang.org/x/crypto v0.18.0
dep golang.org/x/exp v0.0.0-20231006140011-7918f672742d
dep golang.org/x/net v0.20.0
dep golang.org/x/oauth2 v0.16.0
dep golang.org/x/sync v0.5.0
dep golang.org/x/sys v0.16.0
dep golang.org/x/term v0.16.0
dep golang.org/x/text v0.14.0
dep golang.org/x/time v0.3.0
dep golang.org/x/tools v0.14.0
dep google.golang.org/protobuf v1.31.0
dep gopkg.in/go-jose/go-jose.v2 v2.6.1
dep gopkg.in/inf.v0 v0.9.1
dep gopkg.in/warnings.v0 v0.1.2
dep gopkg.in/yaml.v2 v2.4.0
dep gopkg.in/yaml.v3 v3.0.1
dep k8s.io/api v0.28.4
dep k8s.io/apiextensions-apiserver v0.28.2
dep k8s.io/apimachinery v0.28.4
dep k8s.io/apiserver v0.28.2
dep k8s.io/cli-runtime v0.28.2
dep k8s.io/client-go v0.28.2
dep k8s.io/component-base v0.28.2
dep k8s.io/component-helpers v0.28.2
dep k8s.io/klog/v2 v2.110.1
dep k8s.io/kube-aggregator v0.28.2
dep k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9
dep k8s.io/kubectl v0.28.2
dep k8s.io/metrics v0.28.2
dep k8s.io/pod-security-admission v0.28.2
dep k8s.io/utils v0.0.0-20231127182322-b307cd553661
dep sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd
dep sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96
dep sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3
dep sigs.k8s.io/kustomize/kustomize/v5 v5.0.4-0.20230601165947-6ce0bf390ce3
dep sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3
dep sigs.k8s.io/structured-merge-diff/v4 v4.4.1
dep sigs.k8s.io/yaml v1.3.0
build -buildmode=exe
build -compiler=gc
build -ldflags="-X github.com/openshift/oc/pkg/version.versionFromGit=4.15.0-202402082307.p0.g48dcf59.assembly.stream.el8-48dcf59 -X github.com/openshift/oc/pkg/version.commitFromGit=48dcf5980a6671b5933707e5a055def023c7a13a -X github.com/openshift/oc/pkg/version.gitTreeState=clean -X github.com/openshift/oc/pkg/version.buildDate=2024-02-09T00:39:12Z -X k8s.io/component-base/version.gitMajor=1 -X k8s.io/component-base/version.gitMinor=28 -X k8s.io/component-base/version.gitVersion=v1.28.2 -X k8s.io/component-base/version.gitCommit=48dcf5980a6671b5933707e5a055def023c7a13a -X k8s.io/component-base/version.buildDate=2024-02-09T00:39:09Z -X k8s.io/component-base/version.gitTreeState=clean -X k8s.io/client-go/pkg/version.gitVersion=4.15.0-202402082307.p0.g48dcf59.assembly.stream.el8-48dcf59 -X k8s.io/client-go/pkg/version.gitCommit=48dcf5980a6671b5933707e5a055def023c7a13a -X k8s.io/client-go/pkg/version.buildDate=2024-02-09T00:39:09Z -X k8s.io/client-go/pkg/version.gitTreeState=clean"
build -tags=include_gcs,include_oss,containers_image_openpgp,gssapi,strictfipsruntime
build CGO_ENABLED=1
build CGO_CFLAGS=
build CGO_CPPFLAGS=
build CGO_CXXFLAGS=
build CGO_LDFLAGS=
build GOARCH=amd64
build GOEXPERIMENT=strictfipsruntime
build GOOS=linux
build GOAMD64=v1
build vcs=git
build vcs.revision=e133863872864eb8afbd3ac93ba248a3b0899142
build vcs.time=2024-02-08T23:20:13Z
build vcs.modified=true
- To print only the go-lang version:
$ go version -m oc-4.15.0 | head -n 1
oc-4.15.0: go1.20.12 X:strictfipsruntime
- To check a container image, pull the image, run the container, and copy its ENTRYPOINT binary (or its main binary) out of the container.
For example, the etcd Operator image:
$ podman pull registry.redhat.io/openshift4/ose-cluster-etcd-rhel8-operator@sha256:bcd16291db9c8c4c0d86476a150e1029174e8db1413c609ef9a2a7a25c601dae
Trying to pull registry.redhat.io/openshift4/ose-cluster-etcd-rhel8-operator@sha256:bcd16291db9c8c4c0d86476a150e1029174e8db1413c609ef9a2a7a25c601dae...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 97da74cc6d8f done |
Copying blob d8190195889e done |
Copying blob ff889e2028b5 done |
Copying blob b075b3a86e06 done |
Copying blob 4a939d9ce9fd done |
Copying config e8fcc733aa done |
Writing manifest to image destination
Storing signatures
e8fcc733aa841277d51499bc369e0426c3344b5b959ea6ce1946bc3a94881c77
$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.redhat.io/openshift4/ose-cluster-etcd-rhel8-operator <none> e8fcc733aa84 4 weeks ago 554 MB
$ podman run --rm -it e8fcc733aa84
[root@fba11cd6e691 /]#
And in a new terminal:
$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b23024053391 registry.redhat.io/openshift4/ose-cluster-etcd-rhel8-operator@sha256:bcd16291db9c8c4c0d86476a150e1029174e8db1413c609ef9a2a7a25c601dae /bin/bash 3 seconds ago Up 3 seconds frosty_galois
$ podman cp b23024053391:/usr/bin/cluster-etcd-operator /tmp/cluster-etcd-operator
$ go version -m /tmp/cluster-etcd-operator | head -n1
/tmp/cluster-etcd-operator: go1.19.13 X:strictfipsruntime
Here it is visible that the cluster-etcd-operator binary was compiled and built with go-lang v1.19.13.
Example of go-lang CVE
For example, CVE-2022-24675 is a vulnerability in go-lang that was fixed in go-lang v1.18.1 and v1.17.9. If the go-lang version recorded in the binary is lower than the fixed version of its release line (for example 1.17.8 or 1.18.0), the binary is vulnerable to CVE-2022-24675.
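As an added example (not part of the Red Hat article), a small Go program that reads the toolchain version embedded in a binary with the standard library's debug/buildinfo package (the same value the first line of go version -m shows) and applies the release-line rule from the CVE-2022-24675 example, so that go1.18.0 is flagged even though it sorts after go1.17.9. The program name gocvecheck and the functions key and Vulnerable are my own; the fixed versions are passed on the command line.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"log"
	"os"
	"strings"
)

// key maps "go1.20.12" (also "go1.20", or with an " X:experiment" suffix) to the
// sortable 1020012; key/1000 is the release line. "go1.21rc1" or "devel" is rejected.
func key(goVersion string) (int, error) {
	var major, minor, patch int // SplitN drops any GOEXPERIMENT tag; ".0" pads a missing patch
	if _, err := fmt.Sscanf(strings.SplitN(goVersion, " ", 2)[0]+".0", "go%d.%d.%d", &major, &minor, &patch); err != nil {
		return 0, fmt.Errorf("unrecognised Go version %q: %w", goVersion, err)
	}
	return major*1000000 + minor*1000 + patch, nil
}

// Vulnerable reports whether toolchain `built` predates the fix shipped in `fixed`, one
// entry per patched release line (go1.17.9 and go1.18.1 for CVE-2022-24675). A line with
// its own entry is compared to that entry, so go1.18.0 is flagged although it is newer
// than go1.17.9; any other line is compared to the newest fix (go1.16.x yes, go1.19.x no).
func Vulnerable(built string, fixed ...string) (bool, error) {
	b, err := key(built)
	if err != nil {
		return false, err
	}
	newest := 0
	for _, f := range fixed {
		if fv, err := key(f); err != nil {
			return false, err
		} else if fv/1000 == b/1000 {
			return b < fv, nil
		} else if fv > newest {
			newest = fv
		}
	}
	return b < newest, nil
}

func main() { // usage: gocvecheck <binary> <fixed-version>...
	bi, err := buildinfo.ReadFile(os.Args[1]) // the field `go version -m` prints first
	if err != nil {
		log.Fatal(err)
	}
	vuln, err := Vulnerable(bi.GoVersion, os.Args[2:]...)
	fmt.Println(os.Args[1], "built with", bi.GoVersion, "vulnerable:", vuln, "error:", err)
}
```

Run it as gocvecheck /tmp/cluster-etcd-operator go1.17.9 go1.18.1. A toolchain-version comparison is only a necessary condition; govulncheck -mode=binary from golang.org/x/vuln additionally checks whether the affected package's symbols are present in the binary.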
Resources
- CVE-2022-24675
https://access.redhat.com/security/cve/CVE-2022-24675
- Description of CVE-2022-24675 in NVD
https://nvd.nist.gov/vuln/detail/CVE-2022-24675
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.