diff --git a/tools/dependency/BUILD b/tools/dependency/BUILD index b1e0af18c2aea..c2cfa4e8e17e4 100644 --- a/tools/dependency/BUILD +++ b/tools/dependency/BUILD @@ -28,8 +28,11 @@ py_binary( "cve_scan.py", "utils.py", ], + args = ["$(location :cve.yaml)"], data = [ + ":cve.yaml", ":exports", + requirement("envoy.base.utils"), ], ) diff --git a/tools/dependency/cve.yaml b/tools/dependency/cve.yaml new file mode 100644 index 0000000000000..25640f1decd94 --- /dev/null +++ b/tools/dependency/cve.yaml @@ -0,0 +1,83 @@ + +# We only look back a few years, since we shouldn't have any ancient deps. +start_year: 2018 + +ndist_url: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-{year}.json.gz + +# These CVEs are false positives for the match heuristics. An explanation is +# required when adding a new entry to this list as a comment. +ignore: +# Node.js issue unrelated to http-parser (napi_ API implementation). +- CVE-2020-8174 +# Node.js HTTP desync attack. Request smuggling due to CR and hyphen +# conflation in llhttp +# (https://github.com/nodejs/llhttp/commit/9d9da1d0f18599ceddd8f484df5a5ad694d23361). +# This was a result of using llparses toLowerUnsafe() for header keys. +# http-parser uses a TOKEN method that doesnt have the same issue for +# header fields. +- CVE-2020-8201 +# Node.js issue unrelated to http-parser. This is a DoS due to a lack of +# request/connection timeouts, see +# https://github.com/nodejs/node/commit/753f3b247a. +- CVE-2020-8251 +# Node.js issue unrelated to http-parser (libuv). +- CVE-2020-8252 +# Fixed via the nghttp2 1.41.0 bump in Envoy 8b6ea4. +- CVE-2020-11080 +# Node.js issue rooted in a c-ares bug. Does not appear to affect +# http-parser or our use of c-ares, c-ares has been bumped regardless. +- CVE-2020-8277 +# gRPC issue that only affects Javascript bindings. +- CVE-2020-7768 +# Node.js issue unrelated to http-parser, see +# https://github.com/mhart/StringStream/issues/7. +- CVE-2018-21270 +# These should not affect Curl 7.74.0, but we see false positives due to the +# relative release date and CPE wildcard. +- CVE-2020-8169 +- CVE-2020-8177 +- CVE-2020-8284 +# Low severity Curl issue with incorrect re-use of connections due to case +# in/sensitivity +- CVE-2021-22924 +# Node.js issue unrelated to http-parser (Node TLS). +- CVE-2020-8265 +# Node.js request smuggling. +# https://github.com/envoyproxy/envoy/pull/14686 validates that this does +# not apply to Envoy. +- CVE-2020-8287 +# Envoy is operating post Brotli 1.0.9 release, so not affected by this. +- CVE-2020-8927 +# Node.js issue unrelated to http-parser (*). +- CVE-2021-22883 +- CVE-2021-22884 +# False positive on the match heuristic, fixed in Curl 7.76.0. +- CVE-2021-22876 +- CVE-2021-22890 +# Node.js issues unrelated to http-parser. +# See https://nvd.nist.gov/vuln/detail/CVE-2021-22918 +# See https://nvd.nist.gov/vuln/detail/CVE-2021-22921 +# See https://nvd.nist.gov/vuln/detail/CVE-2021-22931 +# See https://nvd.nist.gov/vuln/detail/CVE-2021-22939 +# See https://nvd.nist.gov/vuln/detail/CVE-2021-22940 +- CVE-2021-22918 +- CVE-2021-22921 +- CVE-2021-22930 +- CVE-2021-22931 +- CVE-2021-22939 +- CVE-2021-22940 +# +# Currently, cvescan does not respect/understand versions (see #18354). +# +# The following CVEs target versions that are not currently used in the Envoy repo. +# +# libcurl +- CVE-2021-22945 +# +# kafka +- CVE-2021-38153 +# +# wasmtime +- CVE-2021-39216 +- CVE-2021-39218 +- CVE-2021-39219 diff --git a/tools/dependency/cve_scan.py b/tools/dependency/cve_scan.py index af4e70aa7cd0a..315780ae33010 100755 --- a/tools/dependency/cve_scan.py +++ b/tools/dependency/cve_scan.py @@ -12,86 +12,9 @@ import textwrap import urllib.request -import utils as dep_utils +from envoy.base import utils -# These CVEs are false positives for the match heuristics. An explanation is -# required when adding a new entry to this list as a comment. -IGNORES_CVES = set([ - # Node.js issue unrelated to http-parser (napi_ API implementation). - 'CVE-2020-8174', - # Node.js HTTP desync attack. Request smuggling due to CR and hyphen - # conflation in llhttp - # (https://github.com/nodejs/llhttp/commit/9d9da1d0f18599ceddd8f484df5a5ad694d23361). - # This was a result of using llparse's toLowerUnsafe() for header keys. - # http-parser uses a TOKEN method that doesn't have the same issue for - # header fields. - 'CVE-2020-8201', - # Node.js issue unrelated to http-parser. This is a DoS due to a lack of - # request/connection timeouts, see - # https://github.com/nodejs/node/commit/753f3b247a. - 'CVE-2020-8251', - # Node.js issue unrelated to http-parser (libuv). - 'CVE-2020-8252', - # Fixed via the nghttp2 1.41.0 bump in Envoy 8b6ea4. - 'CVE-2020-11080', - # Node.js issue rooted in a c-ares bug. Does not appear to affect - # http-parser or our use of c-ares, c-ares has been bumped regardless. - 'CVE-2020-8277', - # gRPC issue that only affects Javascript bindings. - 'CVE-2020-7768', - # Node.js issue unrelated to http-parser, see - # https://github.com/mhart/StringStream/issues/7. - 'CVE-2018-21270', - # These should not affect Curl 7.74.0, but we see false positives due to the - # relative release date and CPE wildcard. - 'CVE-2020-8169', - 'CVE-2020-8177', - 'CVE-2020-8284', - # Low severity Curl issue with incorrect re-use of connections due to case - # in/sensitivity - 'CVE-2021-22924', - # Node.js issue unrelated to http-parser (Node TLS). - 'CVE-2020-8265', - # Node.js request smuggling. - # https://github.com/envoyproxy/envoy/pull/14686 validates that this does - # not apply to Envoy. - 'CVE-2020-8287', - # Envoy is operating post Brotli 1.0.9 release, so not affected by this. - 'CVE-2020-8927', - # Node.js issue unrelated to http-parser (*). - 'CVE-2021-22883', - 'CVE-2021-22884', - # False positive on the match heuristic, fixed in Curl 7.76.0. - 'CVE-2021-22876', - 'CVE-2021-22890', - # Node.js issues unrelated to http-parser. - # See https://nvd.nist.gov/vuln/detail/CVE-2021-22918 - # See https://nvd.nist.gov/vuln/detail/CVE-2021-22921 - # See https://nvd.nist.gov/vuln/detail/CVE-2021-22931 - # See https://nvd.nist.gov/vuln/detail/CVE-2021-22939 - # See https://nvd.nist.gov/vuln/detail/CVE-2021-22940 - 'CVE-2021-22918', - 'CVE-2021-22921', - 'CVE-2021-22930', - 'CVE-2021-22931', - 'CVE-2021-22939', - 'CVE-2021-22940', - # - # Currently, cvescan does not respect/understand versions (see #18354). - # - # The following CVEs target versions that are not currently used in the Envoy repo. - # - # libcurl - "CVE-2021-22945", - # - # kafka - 'CVE-2021-38153', - # - # wasmtime - "CVE-2021-39216", - "CVE-2021-39218", - "CVE-2021-39219", -]) +import utils as dep_utils # Subset of CVE fields that are useful below. Cve = namedtuple( @@ -332,19 +255,18 @@ def cve_scan(cves, cpe_revmap, cve_allowlist, repository_locations): if __name__ == '__main__': + cve_config = utils.from_yaml(sys.argv[1]) + # Allow local overrides for NIST CVE database URLs via args. - urls = sys.argv[1:] + urls = sys.argv[2:] if not urls: - # We only look back a few years, since we shouldn't have any ancient deps. current_year = dt.datetime.now().year - scan_years = range(2018, current_year + 1) - urls = [ - f'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-{year}.json.gz' - for year in scan_years - ] + scan_years = range(cve_config["start_year"], current_year + 1) + urls = [cve_config["ndist_url"].format(year=year) for year in scan_years] cves, cpe_revmap = download_cve_data(urls) + possible_cves, cve_deps = cve_scan( - cves, cpe_revmap, IGNORES_CVES, dep_utils.repository_locations()) + cves, cpe_revmap, cve_config["ignore"], dep_utils.repository_locations()) if possible_cves: print( '\nBased on heuristic matching with the NIST CVE database, Envoy may be vulnerable to:')