
go vulnerability scan #899

Merged (1 commit), Mar 9, 2023

Conversation

@sheharyaar (Contributor)

Initial work on #889
Signed-off-by: Mohammad Shehar Yaar Tausif [email protected]

@sheharyaar (Contributor, Author)

Are the changes to the Makefile sufficient? After the Makefile, I will make changes to GH Actions.

@kranurag7 (Member) left a comment

@sheharyaar Please look at the comment #889 (comment)

@sheharyaar (Contributor, Author)

Made the changes to Makefile

@codecov-commenter commented Sep 18, 2022

Codecov Report

Merging #899 (809dd1a) into main (c4495f3) will decrease coverage by 0.04%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main     #899      +/-   ##
==========================================
- Coverage   38.92%   38.87%   -0.05%     
==========================================
  Files          31       31              
  Lines        9707     9707              
==========================================
- Hits         3778     3774       -4     
- Misses       5424     5429       +5     
+ Partials      505      504       -1     
Impacted Files                      Coverage Δ
KubeArmor/feeder/policyMatcher.go   40.91% <0.00%> (-0.35%) ⬇️


@sheharyaar (Contributor, Author)

@kranurag7 any more changes required in the Makefile?

@kranurag7 (Member) left a comment

@sheharyaar Sorry for the late response. Instead of making changes in the Makefile, you can implement the same in GitHub Actions in ci-test-go. Please check this for reference.

@nyrahul (Contributor) commented Nov 2, 2022

@sheharyaar, thanks for working on this. Do you have any updates on this?

One question: after running make scan with the PR's updated Makefile, do you see any reported issues that need to be handled? Or is the report clean?

@sheharyaar (Contributor, Author)

The report was clean after running make scan. I will update the PR as suggested by kranurag7.

@sheharyaar (Contributor, Author)

@nyrahul after running govulncheck today, I got multiple informational vulnerabilities. Should I create a new issue or just send them here?

@sheharyaar (Contributor, Author)

Placing govulncheck in ci-test-go would cause the action to fail even on informational vulnerabilities.
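One way to keep informational findings from failing the action is to triage the report before deciding the exit status. The Go program below is an added example, not part of this PR or of KubeArmor: it parses the text format govulncheck produced in this thread (a "Found N known vulnerabilities" section followed by an "=== Informational ===" section, repeated once per module the Makefile recipe scans) and fails only on findings whose vulnerable symbol is actually reached; the embedded report is a constructed excerpt, and the file-argument handling is an assumption about how the captured log would be passed in.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"regexp"
	"strings"
)

var (
	scanStart  = regexp.MustCompile(`^Scanning for dependencies with known vulnerabilities`) // one per module scan
	infoHeader = regexp.MustCompile(`^=== Informational ===`)                                 // imported, not called
	vulnHeader = regexp.MustCompile(`^Vulnerability #\d+: (GO-\d{4}-\d+)`)                     // numbering restarts per section
)

// Triage parses a concatenated govulncheck text report (the Makefile recipe runs one scan per
// module and appends the outputs) and returns advisory IDs whose vulnerable symbol is reached by
// the scanned code separately from those that are merely imported. Each "Scanning for
// dependencies..." banner leaves the informational section, so one module's informational tail
// cannot swallow the next module's real findings.
func Triage(report string) (actionable, informational []string) {
	inInfo := false
	sc := bufio.NewScanner(strings.NewReader(report))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case scanStart.MatchString(line):
			inInfo = false
		case infoHeader.MatchString(line):
			inInfo = true
		default:
			if m := vulnHeader.FindStringSubmatch(line); m != nil {
				if inInfo {
					informational = append(informational, m[1])
				} else {
					actionable = append(actionable, m[1])
				}
			}
		}
	}
	return actionable, informational
}

// UniqueIDs de-duplicates IDs in first-seen order: the same advisory (GO-2022-1095 in the
// thread) is listed once per module and per affected package.
func UniqueIDs(ids []string) []string {
	seen := make(map[string]bool)
	var out []string
	for _, id := range ids {
		if !seen[id] {
			seen[id] = true
			out = append(out, id)
		}
	}
	return out
}

// ExitCode is the CI verdict: fail only when some module actually calls a vulnerable symbol.
func ExitCode(actionable []string) int {
	if len(actionable) > 0 {
		return 1
	}
	return 0
}

// sampleReport is a constructed two-module excerpt in the shape of the report attached in
// this thread (descriptions abbreviated, call stacks and version strings omitted).
const sampleReport = `Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.
=== Informational ===

Vulnerability #1: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows.
Vulnerability #2: GO-2022-0988
  JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path.
Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.

Vulnerability #1: GO-2022-1039
  Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion.
=== Informational ===

Vulnerability #1: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows.
`

func main() {
	report := sampleReport
	if len(os.Args) > 1 { // or triage a captured log such as govulnscan.log
		data, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		report = string(data)
	}
	act, info := Triage(report)
	fmt.Println("actionable (vulnerable symbol is called):", UniqueIDs(act))
	fmt.Println("informational (imported only):", UniqueIDs(info))
	os.Exit(ExitCode(act))
}
```

Without the banner reset, GO-2022-1039 in the second module would be misfiled under the first module's informational section and the action would pass on a real finding.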

@nyrahul (Contributor) commented Nov 2, 2022

Placing govulncheck in ci-test-go would cause the action to fail even on informational vulnerabilities.

Can you attach the make scan report here in the issue?

@sheharyaar (Contributor, Author) commented Nov 2, 2022

Attached at the following link: govulnscan.log

Scan Report
go install golang.org/x/vuln/cmd/govulncheck@latest ;\
cd /home/wazir/workspace/playground/temp/KubeArmor/KubeArmor;\
govulncheck -v ./... ;\
cd /home/wazir/workspace/playground/temp/KubeArmor/KubeArmor/BPF/tests;\
govulncheck -v ./... ;\
cd /home/wazir/workspace/playground/temp/KubeArmor/KubeArmor/../deployments;\
govulncheck -v ./... ;\
cd /home/wazir/workspace/playground/temp/KubeArmor/KubeArmor/../pkg/KubeArmorAnnotation ;\
govulncheck -v ./... ;\
cd /home/wazir/workspace/playground/temp/KubeArmor/KubeArmor/../pkg/KubeArmorController ;\
govulncheck -v ./... ;\
cd /home/wazir/workspace/playground/temp/KubeArmor/KubeArmor/../pkg/KubeArmorHostPolicy ;\
govulncheck -v ./... ;\
cd /home/wazir/workspace/playground/temp/KubeArmor/KubeArmor/../pkg/KubeArmorPolicy ;\
govulncheck -v ./... ;\

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 2 known vulnerabilities.

Vulnerability #1: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to
  maliciously set environment variables on Windows. In
  syscall.StartProcess and os/exec.Cmd, invalid environment
  variable values containing NUL values are not properly checked
  for. A malicious environment variable value can exploit this
  behavior to set a value for a different environment variable.
  For example, the environment variable string "A=B\x00C=D" sets
  the variables "A=B" and "C=D".

  Call stacks in your code:
      #1: for function Cmd.CombinedOutput
        github.com/kubearmor/KubeArmor/KubeArmor/common.GetCommandOutputWithoutErr
            common/common.go:257:32
        os/exec.Cmd.CombinedOutput
      #2: for function Cmd.Run
        github.com/kubearmor/KubeArmor/KubeArmor/core.KubeArmorDaemon.WatchDefaultPosture
            core/kubeUpdate.go:2475:2
        k8s.io/client-go/informers.sharedInformerFactory.Start
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/informers/factory.go:134:4
        k8s.io/client-go/tools/cache.sharedIndexInformer.Run
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/tools/cache/shared_informer.go:443:18
        k8s.io/client-go/tools/cache.controller.Run
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/tools/cache/controller.go:155:12
        k8s.io/apimachinery/pkg/util/wait.Until
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:92:13
        k8s.io/apimachinery/pkg/util/wait.JitterUntil
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:135:14
        k8s.io/apimachinery/pkg/util/wait.BackoffUntil
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:158:4
        k8s.io/apimachinery/pkg/util/wait.BackoffUntil$1
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:157:5
        k8s.io/client-go/transport.dynamicClientCert.runWorker
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/cert_rotation.go:151:27
        k8s.io/client-go/transport.dynamicClientCert.processNextWorkItem
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/cert_rotation.go:162:28
        k8s.io/client-go/transport.dynamicClientCert.loadClientCert
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/cert_rotation.go:65:23
        k8s.io/client-go/transport.TLSConfigFor$1
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/transport.go:119:31
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.cert
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:364:26
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.getCreds
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:379:32
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.refreshCredsLocked
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:435:15
        os/exec.Cmd.Run
      #3: for function Cmd.Start
        github.com/kubearmor/KubeArmor/KubeArmor/common.RunCommandAndWaitWithErr
            common/common.go:269:21
        os/exec.Cmd.Start
          There are 526 more call stacks available.
      To see all of them, pass the -json flags.

  Found in: os/[email protected]
  Fixed in: os/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1095

Vulnerability #2: GO-2022-1039
  Programs which compile regular expressions from untrusted
  sources may be vulnerable to memory exhaustion or denial of
  service. The parsed regexp representation is linear in the size
  of the input, but in some cases the constant factor can be as
  high as 40,000, making relatively small regexps consume much
  larger amounts of memory. After fix, each regexp being parsed is
  limited to a 256 MB memory footprint. Regular expressions whose
  representation would use more space than that are rejected.
  Normal use of regular expressions is unaffected.

  Call stacks in your code:
      #1: for function Parse
        github.com/kubearmor/KubeArmor/KubeArmor/feeder.Feeder.UpdateHostSecurityPolicies
            feeder/policyMatcher.go:637:37
        regexp.Compile
            /usr/local/go/src/regexp/regexp.go:137:16
        regexp.compile
            /usr/local/go/src/regexp/regexp.go:174:25
        regexp/syntax.Parse
          There are 413 more call stacks available.
      To see all of them, pass the -json flags.

  Found in: regexp/[email protected]
  Fixed in: regexp/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1039

Vulnerability #3: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to
  maliciously set environment variables on Windows. In
  syscall.StartProcess and os/exec.Cmd, invalid environment
  variable values containing NUL values are not properly checked
  for. A malicious environment variable value can exploit this
  behavior to set a value for a different environment variable.
  For example, the environment variable string "A=B\x00C=D" sets
  the variables "A=B" and "C=D".

  Call stacks in your code:
      #1: for function StartProcess
        github.com/kubearmor/KubeArmor/KubeArmor/common.RunCommandAndWaitWithErr
            common/common.go:269:21
        os/exec.Cmd.Start
            /usr/local/go/src/os/exec/exec.go:524:34
        os.StartProcess
            /usr/local/go/src/os/exec.go:109:21
        os.startProcess
            /usr/local/go/src/os/exec_posix.go:54:35
        syscall.StartProcess
          There are 246 more call stacks available.
      To see all of them, pass the -json flags.

  Found in: [email protected]
  Fixed in: [email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1095

=== Informational ===

The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-1038
  Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value.

  After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
  Found in: net/http/[email protected]
  Fixed in: net/http/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1038

Vulnerability #2: GO-2022-0988
  JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.
  Found in: net/[email protected]
  Fixed in: net/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0988

Vulnerability #3: GO-2022-0969
  HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.
  Found in: net/[email protected]
  Fixed in: net/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0969
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.

=== Informational ===

The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows.

  In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".
  Found in: [email protected]
  Fixed in: [email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1095

Vulnerability #2: GO-2022-0493
  When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.
  Found in: golang.org/x/sys/[email protected]
  Fixed in: golang.org/x/sys/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0493
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.

Vulnerability #1: GO-2022-1039
  Programs which compile regular expressions from untrusted
  sources may be vulnerable to memory exhaustion or denial of
  service. The parsed regexp representation is linear in the size
  of the input, but in some cases the constant factor can be as
  high as 40,000, making relatively small regexps consume much
  larger amounts of memory. After fix, each regexp being parsed is
  limited to a 256 MB memory footprint. Regular expressions whose
  representation would use more space than that are rejected.
  Normal use of regular expressions is unaffected.

  Call stacks in your code:
      #1: for function Parse
        github.com/kubearmor/KubeArmor/deployments.init
            main.go:16:2
        sigs.k8s.io/yaml.init
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/yaml.go:11:2
        gopkg.in/yaml.v2.init
            /home/wazir/go/pkg/mod/gopkg.in/[email protected]/resolve.go:84:40
        regexp.MustCompile
            /usr/local/go/src/regexp/regexp.go:317:24
        regexp.Compile
            /usr/local/go/src/regexp/regexp.go:137:16
        regexp.compile
            /usr/local/go/src/regexp/regexp.go:174:25
        regexp/syntax.Parse
          There are 17 more call stacks available.
      To see all of them, pass the -json flags.

  Found in: regexp/[email protected]
  Fixed in: regexp/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1039

=== Informational ===

The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows.

  In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".
  Found in: [email protected]
  Fixed in: [email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1095

Vulnerability #2: GO-2022-0988
  JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.
  Found in: net/[email protected]
  Fixed in: net/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0988

Vulnerability #3: GO-2022-0969
  HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.
  Found in: net/[email protected]
  Fixed in: net/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0969
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 3 known vulnerabilities.

Vulnerability #1: GO-2022-0969
  HTTP/2 server connections can hang forever waiting for a clean
  shutdown that was preempted by a fatal error. This condition can
  be exploited by a malicious client to cause a denial of service.

  Call stacks in your code:
      #1: for function Server.Serve
        github.com/kubearmor/KubeArmor/pkg/KubeArmorAnnotation.main
            main.go:101:21
        sigs.k8s.io/controller-runtime/pkg/manager.controllerManager.Start
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/internal.go:445:18
        sigs.k8s.io/controller-runtime/pkg/manager.controllerManager.serveMetrics
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/internal.go:337:2
        sigs.k8s.io/controller-runtime/pkg/manager.controllerManager.httpServe
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/internal.go:361:2
        sigs.k8s.io/controller-runtime/pkg/manager.httpServe$1
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/internal.go:363:25
        net/http.Server.Serve
          There are 13 more call stacks available.
      To see all of them, pass the -json flags.

  Found in: net/[email protected]
  Fixed in: net/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0969

Vulnerability #2: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to
  maliciously set environment variables on Windows. In
  syscall.StartProcess and os/exec.Cmd, invalid environment
  variable values containing NUL values are not properly checked
  for. A malicious environment variable value can exploit this
  behavior to set a value for a different environment variable.
  For example, the environment variable string "A=B\x00C=D" sets
  the variables "A=B" and "C=D".

  Call stacks in your code:
      #1: for function Cmd.Output
        github.com/kubearmor/KubeArmor/pkg/KubeArmorAnnotation/controllers.PodRefresherReconciler.Reconcile
            controllers/pod-refresh.go:38:23
        sigs.k8s.io/controller-runtime/pkg/client.client.Delete
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/client/client.go:213:30
        sigs.k8s.io/controller-runtime/pkg/client.typedClient.Delete
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/client/typed_client.go:88:5
        k8s.io/client-go/rest.Request.Do
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/rest/request.go:924:18
        k8s.io/client-go/rest.Request.request
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/rest/request.go:883:25
        net/http.Client.Do
            /usr/local/go/src/net/http/client.go:581:13
        net/http.Client.do
            /usr/local/go/src/net/http/client.go:715:36
        net/http.Client.send
            /usr/local/go/src/net/http/client.go:175:30
        net/http.send
            /usr/local/go/src/net/http/client.go:251:26
        golang.org/x/oauth2.Transport.RoundTrip
            /home/wazir/go/pkg/mod/golang.org/x/[email protected]/transport.go:45:30
        k8s.io/client-go/plugin/pkg/client/auth/gcp.cachedTokenSource.Token
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/gcp/gcp.go:225:28
        k8s.io/client-go/plugin/pkg/client/auth/gcp.commandTokenSource.Token
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/gcp/gcp.go:307:27
        os/exec.Cmd.Output
      #2: for function Cmd.Run
        github.com/kubearmor/KubeArmor/pkg/KubeArmorAnnotation/controllers.PodRefresherReconciler.Reconcile
            controllers/pod-refresh.go:38:23
        sigs.k8s.io/controller-runtime/pkg/client.client.Delete
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/client/client.go:213:30
        sigs.k8s.io/controller-runtime/pkg/client.typedClient.Delete
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/client/typed_client.go:88:5
        k8s.io/client-go/rest.Request.Do
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/rest/request.go:924:18
        k8s.io/client-go/rest.Request.request
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/rest/request.go:883:25
        net/http.Client.Do
            /usr/local/go/src/net/http/client.go:581:13
        net/http.Client.do
            /usr/local/go/src/net/http/client.go:715:36
        net/http.Client.send
            /usr/local/go/src/net/http/client.go:175:30
        net/http.send
            /usr/local/go/src/net/http/client.go:251:26
        k8s.io/client-go/plugin/pkg/client/auth/exec.roundTripper.RoundTrip
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:336:28
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.getCreds
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:379:32
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.refreshCredsLocked
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:435:15
        os/exec.Cmd.Run
          There are 27 more call stacks available.
      To see all of them, pass the -json flags.

  Found in: os/[email protected]
  Fixed in: os/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1095

Vulnerability #3: GO-2022-1039
  Programs which compile regular expressions from untrusted
  sources may be vulnerable to memory exhaustion or denial of
  service. The parsed regexp representation is linear in the size
  of the input, but in some cases the constant factor can be as
  high as 40,000, making relatively small regexps consume much
  larger amounts of memory. After fix, each regexp being parsed is
  limited to a 256 MB memory footprint. Regular expressions whose
  representation would use more space than that are rejected.
  Normal use of regular expressions is unaffected.

  Call stacks in your code:
      #1: for function Parse
        github.com/kubearmor/KubeArmor/pkg/KubeArmorAnnotation/controllers.init
            controllers/pod-refresh.go:12:2
        k8s.io/apimachinery/pkg/runtime.init
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/runtime/scheme.go:26:2
        k8s.io/apimachinery/pkg/util/naming.init
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/naming/from_stack.go:77:38
        regexp.MustCompile
            /usr/local/go/src/regexp/regexp.go:317:24
        regexp.Compile
            /usr/local/go/src/regexp/regexp.go:137:16
        regexp.compile
            /usr/local/go/src/regexp/regexp.go:174:25
        regexp/syntax.Parse
          There are 14 more call stacks available.
      To see all of them, pass the -json flags.

  Found in: regexp/[email protected]
  Fixed in: regexp/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1039

Vulnerability #4: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to
  maliciously set environment variables on Windows. In
  syscall.StartProcess and os/exec.Cmd, invalid environment
  variable values containing NUL values are not properly checked
  for. A malicious environment variable value can exploit this
  behavior to set a value for a different environment variable.
  For example, the environment variable string "A=B\x00C=D" sets
  the variables "A=B" and "C=D".

  Call stacks in your code:
      #1: for function StartProcess
        github.com/kubearmor/KubeArmor/pkg/KubeArmorAnnotation/controllers.PodRefresherReconciler.Reconcile
            controllers/pod-refresh.go:38:23
        sigs.k8s.io/controller-runtime/pkg/client.client.Delete
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/client/client.go:213:30
        sigs.k8s.io/controller-runtime/pkg/client.typedClient.Delete
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/client/typed_client.go:88:5
        k8s.io/client-go/rest.Request.Do
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/rest/request.go:924:18
        k8s.io/client-go/rest.Request.request
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/rest/request.go:883:25
        net/http.Client.Do
            /usr/local/go/src/net/http/client.go:581:13
        net/http.Client.do
            /usr/local/go/src/net/http/client.go:715:36
        net/http.Client.send
            /usr/local/go/src/net/http/client.go:175:30
        net/http.send
            /usr/local/go/src/net/http/client.go:251:26
        k8s.io/client-go/plugin/pkg/client/auth/exec.roundTripper.RoundTrip
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:336:28
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.getCreds
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:379:32
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.refreshCredsLocked
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:435:15
        os/exec.Cmd.Run
            /usr/local/go/src/os/exec/exec.go:434:19
        os/exec.Cmd.Start
            /usr/local/go/src/os/exec/exec.go:524:34
        os.StartProcess
            /usr/local/go/src/os/exec.go:109:21
        os.startProcess
            /usr/local/go/src/os/exec_posix.go:54:35
        syscall.StartProcess
          There are 14 more call stacks available.
      To see all of them, pass the -json flags.

  Found in: [email protected]
  Fixed in: [email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1095

=== Informational ===

The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-0988
  JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.
  Found in: net/[email protected]
  Fixed in: net/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0988
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 3 known vulnerabilities.

Vulnerability #1: GO-2022-0969
  HTTP/2 server connections can hang forever waiting for a clean
  shutdown that was preempted by a fatal error. This condition can
  be exploited by a malicious client to cause a denial of service.

  Call stacks in your code:
      #1: for function Server.Serve
        github.com/kubearmor/KubeArmor/pkg/KubeArmorController.main
            main.go:136:21
        sigs.k8s.io/controller-runtime/pkg/manager.controllerManager.Start
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/internal.go:445:18
        sigs.k8s.io/controller-runtime/pkg/manager.controllerManager.serveMetrics
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/internal.go:337:2
        sigs.k8s.io/controller-runtime/pkg/manager.controllerManager.httpServe
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/internal.go:361:2
        sigs.k8s.io/controller-runtime/pkg/manager.httpServe$1
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/internal.go:363:25
        net/http.Server.Serve
          There are 20 more call stacks available.
      To see all of them, pass the -json flags.

  Found in: net/[email protected]
  Fixed in: net/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0969

Vulnerability #2: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to
  maliciously set environment variables on Windows. In
  syscall.StartProcess and os/exec.Cmd, invalid environment
  variable values containing NUL values are not properly checked
  for. A malicious environment variable value can exploit this
  behavior to set a value for a different environment variable.
  For example, the environment variable string "A=B\x00C=D" sets
  the variables "A=B" and "C=D".

  Call stacks in your code:
      #1: for function Cmd.Output
        github.com/kubearmor/KubeArmor/pkg/KubeArmorController/controllers.PodRefresherReconciler.Reconcile
            controllers/podrefresh_controller.go:39:23
        sigs.k8s.io/controller-runtime/pkg/client.client.Delete
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/client/client.go:213:30
        sigs.k8s.io/controller-runtime/pkg/client.typedClient.Delete
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/client/typed_client.go:88:5
        k8s.io/client-go/rest.Request.Do
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/rest/request.go:924:18
        k8s.io/client-go/rest.Request.request
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/rest/request.go:883:25
        net/http.Client.Do
            /usr/local/go/src/net/http/client.go:581:13
        net/http.Client.do
            /usr/local/go/src/net/http/client.go:715:36
        net/http.Client.send
            /usr/local/go/src/net/http/client.go:175:30
        net/http.send
            /usr/local/go/src/net/http/client.go:251:26
        golang.org/x/oauth2.Transport.RoundTrip
            /home/wazir/go/pkg/mod/golang.org/x/[email protected]/transport.go:45:30
        k8s.io/client-go/plugin/pkg/client/auth/gcp.cachedTokenSource.Token
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/gcp/gcp.go:225:28
        k8s.io/client-go/plugin/pkg/client/auth/gcp.commandTokenSource.Token
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/gcp/gcp.go:307:27
        os/exec.Cmd.Output
      #2: for function Cmd.Run
        github.com/kubearmor/KubeArmor/pkg/KubeArmorController/controllers.PodRefresherReconciler.Reconcile
            controllers/podrefresh_controller.go:39:23
        sigs.k8s.io/controller-runtime/pkg/client.client.Delete
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/client/client.go:213:30
        sigs.k8s.io/controller-runtime/pkg/client.typedClient.Delete
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/client/typed_client.go:88:5
        k8s.io/client-go/rest.Request.Do
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/rest/request.go:924:18
        k8s.io/client-go/rest.Request.request
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/rest/request.go:883:25
        net/http.Client.Do
            /usr/local/go/src/net/http/client.go:581:13
        net/http.Client.do
            /usr/local/go/src/net/http/client.go:715:36
        net/http.Client.send
            /usr/local/go/src/net/http/client.go:175:30
        net/http.send
            /usr/local/go/src/net/http/client.go:251:26
        k8s.io/client-go/plugin/pkg/client/auth/exec.roundTripper.RoundTrip
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:336:28
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.getCreds
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:379:32
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.refreshCredsLocked
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:435:15
        os/exec.Cmd.Run
          There are 43 more call stacks available.
      To see all of them, pass the -json flags.

  Found in: os/[email protected]
  Fixed in: os/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1095

Vulnerability #3: GO-2022-1039
  Programs which compile regular expressions from untrusted
  sources may be vulnerable to memory exhaustion or denial of
  service. The parsed regexp representation is linear in the size
  of the input, but in some cases the constant factor can be as
  high as 40,000, making relatively small regexps consume much
  larger amounts of memory. After fix, each regexp being parsed is
  limited to a 256 MB memory footprint. Regular expressions whose
  representation would use more space than that are rejected.
  Normal use of regular expressions is unaffected.

  Call stacks in your code:
      #1: for function Parse
        github.com/kubearmor/KubeArmor/pkg/KubeArmorController/controllers.init
            controllers/kubearmorhostpolicy_controller.go:14:2
        k8s.io/apimachinery/pkg/runtime.init
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/runtime/scheme.go:26:2
        k8s.io/apimachinery/pkg/util/naming.init
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/naming/from_stack.go:77:38
        regexp.MustCompile
            /usr/local/go/src/regexp/regexp.go:317:24
        regexp.Compile
            /usr/local/go/src/regexp/regexp.go:137:16
        regexp.compile
            /usr/local/go/src/regexp/regexp.go:174:25
        regexp/syntax.Parse
          There are 21 more call stacks available.
      To see all of them, pass the -json flags.

  Found in: regexp/[email protected]
  Fixed in: regexp/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1039

Vulnerability #4: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to
  maliciously set environment variables on Windows. In
  syscall.StartProcess and os/exec.Cmd, invalid environment
  variable values containing NUL values are not properly checked
  for. A malicious environment variable value can exploit this
  behavior to set a value for a different environment variable.
  For example, the environment variable string "A=B\x00C=D" sets
  the variables "A=B" and "C=D".

  Call stacks in your code:
      #1: for function StartProcess
        github.com/kubearmor/KubeArmor/pkg/KubeArmorController/controllers.PodRefresherReconciler.Reconcile
            controllers/podrefresh_controller.go:39:23
        sigs.k8s.io/controller-runtime/pkg/client.client.Delete
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/client/client.go:213:30
        sigs.k8s.io/controller-runtime/pkg/client.typedClient.Delete
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/client/typed_client.go:88:5
        k8s.io/client-go/rest.Request.Do
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/rest/request.go:924:18
        k8s.io/client-go/rest.Request.request
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/rest/request.go:883:25
        net/http.Client.Do
            /usr/local/go/src/net/http/client.go:581:13
        net/http.Client.do
            /usr/local/go/src/net/http/client.go:715:36
        net/http.Client.send
            /usr/local/go/src/net/http/client.go:175:30
        net/http.send
            /usr/local/go/src/net/http/client.go:251:26
        k8s.io/client-go/plugin/pkg/client/auth/exec.roundTripper.RoundTrip
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:336:28
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.getCreds
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:379:32
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.refreshCredsLocked
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:435:15
        os/exec.Cmd.Run
            /usr/local/go/src/os/exec/exec.go:434:19
        os/exec.Cmd.Start
            /usr/local/go/src/os/exec/exec.go:524:34
        os.StartProcess
            /usr/local/go/src/os/exec.go:109:21
        os.startProcess
            /usr/local/go/src/os/exec_posix.go:54:35
        syscall.StartProcess
          There are 23 more call stacks available.
      To see all of them, pass the -json flags.

  Found in: [email protected]
  Fixed in: [email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1095

=== Informational ===

The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-0988
  JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.
  Found in: net/[email protected]
  Fixed in: net/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0988
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 3 known vulnerabilities.

Vulnerability #1: GO-2022-0969
  HTTP/2 server connections can hang forever waiting for a clean
  shutdown that was preempted by a fatal error. This condition can
  be exploited by a malicious client to cause a denial of service.

  Call stacks in your code:
      #1: for function Server.Serve
        github.com/kubearmor/KubeArmor/pkg/KubeArmorHostPolicy.main
            main.go:75:21
        sigs.k8s.io/controller-runtime/pkg/manager.controllerManager.Start
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/internal.go:445:18
        sigs.k8s.io/controller-runtime/pkg/manager.controllerManager.serveMetrics
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/internal.go:337:2
        sigs.k8s.io/controller-runtime/pkg/manager.controllerManager.httpServe
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/internal.go:361:2
        sigs.k8s.io/controller-runtime/pkg/manager.httpServe$1
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/internal.go:363:25
        net/http.Server.Serve

  Found in: net/[email protected]
  Fixed in: net/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0969

Vulnerability #2: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to
  maliciously set environment variables on Windows. In
  syscall.StartProcess and os/exec.Cmd, invalid environment
  variable values containing NUL values are not properly checked
  for. A malicious environment variable value can exploit this
  behavior to set a value for a different environment variable.
  For example, the environment variable string "A=B\x00C=D" sets
  the variables "A=B" and "C=D".

  Call stacks in your code:
      #1: for function Cmd.Output
        github.com/kubearmor/KubeArmor/pkg/KubeArmorHostPolicy/client/clientset/versioned/typed/security.kubearmor.com/v1.kubeArmorHostPolicies.Watch
            client/clientset/versioned/typed/security.kubearmor.com/v1/kubearmorhostpolicy.go:91:8
        k8s.io/client-go/rest.Request.Watch
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/rest/request.go:639:25
        net/http.Client.Do
            /usr/local/go/src/net/http/client.go:581:13
        net/http.Client.do
            /usr/local/go/src/net/http/client.go:715:36
        net/http.Client.send
            /usr/local/go/src/net/http/client.go:175:30
        net/http.send
            /usr/local/go/src/net/http/client.go:251:26
        golang.org/x/oauth2.Transport.RoundTrip
            /home/wazir/go/pkg/mod/golang.org/x/[email protected]/transport.go:45:30
        k8s.io/client-go/plugin/pkg/client/auth/gcp.cachedTokenSource.Token
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/gcp/gcp.go:225:28
        k8s.io/client-go/plugin/pkg/client/auth/gcp.commandTokenSource.Token
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/gcp/gcp.go:307:27
        os/exec.Cmd.Output
      #2: for function Cmd.Run
        github.com/kubearmor/KubeArmor/pkg/KubeArmorHostPolicy/client/informers/externalversions.sharedInformerFactory.Start
            client/informers/externalversions/factory.go:104:4
        k8s.io/client-go/tools/cache.sharedIndexInformer.Run
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/tools/cache/shared_informer.go:443:18
        k8s.io/client-go/tools/cache.controller.Run
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/tools/cache/controller.go:155:12
        k8s.io/apimachinery/pkg/util/wait.Until
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:92:13
        k8s.io/apimachinery/pkg/util/wait.JitterUntil
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:135:14
        k8s.io/apimachinery/pkg/util/wait.BackoffUntil
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:158:4
        k8s.io/apimachinery/pkg/util/wait.BackoffUntil$1
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:157:5
        k8s.io/client-go/transport.dynamicClientCert.runWorker
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/cert_rotation.go:151:27
        k8s.io/client-go/transport.dynamicClientCert.processNextWorkItem
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/cert_rotation.go:162:28
        k8s.io/client-go/transport.dynamicClientCert.loadClientCert
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/cert_rotation.go:65:23
        k8s.io/client-go/transport.TLSConfigFor$1
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/transport.go:119:31
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.cert
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:364:26
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.getCreds
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:379:32
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.refreshCredsLocked
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:435:15
        os/exec.Cmd.Run
          There are 150 more call stacks available.
      To see all of them, pass the -json flags.

  Found in: os/[email protected]
  Fixed in: os/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1095

Vulnerability #3: GO-2022-1039
  Programs which compile regular expressions from untrusted
  sources may be vulnerable to memory exhaustion or denial of
  service. The parsed regexp representation is linear in the size
  of the input, but in some cases the constant factor can be as
  high as 40,000, making relatively small regexps consume much
  larger amounts of memory. After fix, each regexp being parsed is
  limited to a 256 MB memory footprint. Regular expressions whose
  representation would use more space than that are rejected.
  Normal use of regular expressions is unaffected.

  Call stacks in your code:
      #1: for function Parse
        github.com/kubearmor/KubeArmor/pkg/KubeArmorHostPolicy/client/listers/security.kubearmor.com/v1.init
            client/listers/security.kubearmor.com/v1/kubearmorhostpolicy.go:11:2
        k8s.io/apimachinery/pkg/labels.init
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/labels/selector.go:27:2
        k8s.io/apimachinery/pkg/util/validation.init
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/validation/validation.go:37:45
        regexp.MustCompile
            /usr/local/go/src/regexp/regexp.go:317:24
        regexp.Compile
            /usr/local/go/src/regexp/regexp.go:137:16
        regexp.compile
            /usr/local/go/src/regexp/regexp.go:174:25
        regexp/syntax.Parse
          There are 103 more call stacks available.
      To see all of them, pass the -json flags.

  Found in: regexp/[email protected]
  Fixed in: regexp/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1039

Vulnerability #4: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to
  maliciously set environment variables on Windows. In
  syscall.StartProcess and os/exec.Cmd, invalid environment
  variable values containing NUL values are not properly checked
  for. A malicious environment variable value can exploit this
  behavior to set a value for a different environment variable.
  For example, the environment variable string "A=B\x00C=D" sets
  the variables "A=B" and "C=D".

  Call stacks in your code:
      #1: for function StartProcess
        github.com/kubearmor/KubeArmor/pkg/KubeArmorHostPolicy/client/informers/externalversions.sharedInformerFactory.Start
            client/informers/externalversions/factory.go:104:4
        k8s.io/client-go/tools/cache.sharedIndexInformer.Run
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/tools/cache/shared_informer.go:443:18
        k8s.io/client-go/tools/cache.controller.Run
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/tools/cache/controller.go:155:12
        k8s.io/apimachinery/pkg/util/wait.Until
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:92:13
        k8s.io/apimachinery/pkg/util/wait.JitterUntil
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:135:14
        k8s.io/apimachinery/pkg/util/wait.BackoffUntil
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:158:4
        k8s.io/apimachinery/pkg/util/wait.BackoffUntil$1
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:157:5
        k8s.io/client-go/transport.dynamicClientCert.runWorker
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/cert_rotation.go:151:27
        k8s.io/client-go/transport.dynamicClientCert.processNextWorkItem
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/cert_rotation.go:162:28
        k8s.io/client-go/transport.dynamicClientCert.loadClientCert
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/cert_rotation.go:65:23
        k8s.io/client-go/transport.TLSConfigFor$1
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/transport.go:119:31
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.cert
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:364:26
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.getCreds
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:379:32
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.refreshCredsLocked
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:435:15
        os/exec.Cmd.Run
            /usr/local/go/src/os/exec/exec.go:434:19
        os/exec.Cmd.Start
            /usr/local/go/src/os/exec/exec.go:524:34
        os.StartProcess
            /usr/local/go/src/os/exec.go:109:21
        os.startProcess
            /usr/local/go/src/os/exec_posix.go:54:35
        syscall.StartProcess
          There are 77 more call stacks available.
      To see all of them, pass the -json flags.

  Found in: [email protected]
  Fixed in: [email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1095

=== Informational ===

The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-0988
  JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.
  Found in: net/[email protected]
  Fixed in: net/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0988
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 3 known vulnerabilities.

Vulnerability #1: GO-2022-0969
  HTTP/2 server connections can hang forever waiting for a clean
  shutdown that was preempted by a fatal error. This condition can
  be exploited by a malicious client to cause a denial of service.

  Call stacks in your code:
      #1: for function Server.Serve
        github.com/kubearmor/KubeArmor/pkg/KubeArmorPolicy.main
            main.go:76:21
        sigs.k8s.io/controller-runtime/pkg/manager.controllerManager.Start
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/internal.go:445:18
        sigs.k8s.io/controller-runtime/pkg/manager.controllerManager.serveMetrics
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/internal.go:337:2
        sigs.k8s.io/controller-runtime/pkg/manager.controllerManager.httpServe
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/internal.go:361:2
        sigs.k8s.io/controller-runtime/pkg/manager.httpServe$1
            /home/wazir/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/internal.go:363:25
        net/http.Server.Serve

  Found in: net/[email protected]
  Fixed in: net/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0969

Vulnerability #2: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to
  maliciously set environment variables on Windows. In
  syscall.StartProcess and os/exec.Cmd, invalid environment
  variable values containing NUL values are not properly checked
  for. A malicious environment variable value can exploit this
  behavior to set a value for a different environment variable.
  For example, the environment variable string "A=B\x00C=D" sets
  the variables "A=B" and "C=D".

  Call stacks in your code:
      #1: for function Cmd.Output
        github.com/kubearmor/KubeArmor/pkg/KubeArmorPolicy/client/clientset/versioned/typed/security.kubearmor.com/v1.kubeArmorPolicies.Watch
            client/clientset/versioned/typed/security.kubearmor.com/v1/kubearmorpolicy.go:96:8
        k8s.io/client-go/rest.Request.Watch
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/rest/request.go:639:25
        net/http.Client.Do
            /usr/local/go/src/net/http/client.go:581:13
        net/http.Client.do
            /usr/local/go/src/net/http/client.go:715:36
        net/http.Client.send
            /usr/local/go/src/net/http/client.go:175:30
        net/http.send
            /usr/local/go/src/net/http/client.go:251:26
        golang.org/x/oauth2.Transport.RoundTrip
            /home/wazir/go/pkg/mod/golang.org/x/[email protected]/transport.go:45:30
        k8s.io/client-go/plugin/pkg/client/auth/gcp.cachedTokenSource.Token
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/gcp/gcp.go:225:28
        k8s.io/client-go/plugin/pkg/client/auth/gcp.commandTokenSource.Token
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/gcp/gcp.go:307:27
        os/exec.Cmd.Output
      #2: for function Cmd.Run
        github.com/kubearmor/KubeArmor/pkg/KubeArmorPolicy/client/informers/externalversions.sharedInformerFactory.Start
            client/informers/externalversions/factory.go:104:4
        k8s.io/client-go/tools/cache.sharedIndexInformer.Run
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/tools/cache/shared_informer.go:443:18
        k8s.io/client-go/tools/cache.controller.Run
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/tools/cache/controller.go:155:12
        k8s.io/apimachinery/pkg/util/wait.Until
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:92:13
        k8s.io/apimachinery/pkg/util/wait.JitterUntil
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:135:14
        k8s.io/apimachinery/pkg/util/wait.BackoffUntil
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:158:4
        k8s.io/apimachinery/pkg/util/wait.BackoffUntil$1
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:157:5
        k8s.io/client-go/transport.dynamicClientCert.runWorker
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/cert_rotation.go:151:27
        k8s.io/client-go/transport.dynamicClientCert.processNextWorkItem
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/cert_rotation.go:162:28
        k8s.io/client-go/transport.dynamicClientCert.loadClientCert
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/cert_rotation.go:65:23
        k8s.io/client-go/transport.TLSConfigFor$1
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/transport.go:119:31
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.cert
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:364:26
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.getCreds
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:379:32
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.refreshCredsLocked
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:435:15
        os/exec.Cmd.Run
          There are 152 more call stacks available.
      To see all of them, pass the -json flags.

  Found in: os/[email protected]
  Fixed in: os/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1095

Vulnerability #3: GO-2022-1039
  Programs which compile regular expressions from untrusted
  sources may be vulnerable to memory exhaustion or denial of
  service. The parsed regexp representation is linear in the size
  of the input, but in some cases the constant factor can be as
  high as 40,000, making relatively small regexps consume much
  larger amounts of memory. After fix, each regexp being parsed is
  limited to a 256 MB memory footprint. Regular expressions whose
  representation would use more space than that are rejected.
  Normal use of regular expressions is unaffected.

  Call stacks in your code:
      #1: for function Parse
        github.com/kubearmor/KubeArmor/pkg/KubeArmorPolicy/client/listers/security.kubearmor.com/v1.init
            client/listers/security.kubearmor.com/v1/kubearmorpolicy.go:11:2
        k8s.io/apimachinery/pkg/labels.init
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/labels/selector.go:27:2
        k8s.io/apimachinery/pkg/util/validation.init
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/validation/validation.go:37:45
        regexp.MustCompile
            /usr/local/go/src/regexp/regexp.go:317:24
        regexp.Compile
            /usr/local/go/src/regexp/regexp.go:137:16
        regexp.compile
            /usr/local/go/src/regexp/regexp.go:174:25
        regexp/syntax.Parse
          There are 104 more call stacks available.
      To see all of them, pass the -json flags.

  Found in: regexp/[email protected]
  Fixed in: regexp/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1039

Vulnerability #4: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to
  maliciously set environment variables on Windows. In
  syscall.StartProcess and os/exec.Cmd, invalid environment
  variable values containing NUL values are not properly checked
  for. A malicious environment variable value can exploit this
  behavior to set a value for a different environment variable.
  For example, the environment variable string "A=B\x00C=D" sets
  the variables "A=B" and "C=D".

  Call stacks in your code:
      #1: for function StartProcess
        github.com/kubearmor/KubeArmor/pkg/KubeArmorPolicy/client/informers/externalversions.sharedInformerFactory.Start
            client/informers/externalversions/factory.go:104:4
        k8s.io/client-go/tools/cache.sharedIndexInformer.Run
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/tools/cache/shared_informer.go:443:18
        k8s.io/client-go/tools/cache.controller.Run
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/tools/cache/controller.go:155:12
        k8s.io/apimachinery/pkg/util/wait.Until
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:92:13
        k8s.io/apimachinery/pkg/util/wait.JitterUntil
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:135:14
        k8s.io/apimachinery/pkg/util/wait.BackoffUntil
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:158:4
        k8s.io/apimachinery/pkg/util/wait.BackoffUntil$1
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:157:5
        k8s.io/client-go/transport.dynamicClientCert.runWorker
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/cert_rotation.go:151:27
        k8s.io/client-go/transport.dynamicClientCert.processNextWorkItem
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/cert_rotation.go:162:28
        k8s.io/client-go/transport.dynamicClientCert.loadClientCert
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/cert_rotation.go:65:23
        k8s.io/client-go/transport.TLSConfigFor$1
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/transport/transport.go:119:31
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.cert
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:364:26
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.getCreds
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:379:32
        k8s.io/client-go/plugin/pkg/client/auth/exec.Authenticator.refreshCredsLocked
            /home/wazir/go/pkg/mod/k8s.io/[email protected]/plugin/pkg/client/auth/exec/exec.go:435:15
        os/exec.Cmd.Run
            /usr/local/go/src/os/exec/exec.go:434:19
        os/exec.Cmd.Start
            /usr/local/go/src/os/exec/exec.go:524:34
        os.StartProcess
            /usr/local/go/src/os/exec.go:109:21
        os.startProcess
            /usr/local/go/src/os/exec_posix.go:54:35
        syscall.StartProcess
          There are 78 more call stacks available.
      To see all of them, pass the -json flags.

  Found in: [email protected]
  Fixed in: [email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1095

=== Informational ===

The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-0988
  JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.
  Found in: net/[email protected]
  Fixed in: net/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0988

@nyrahul
Contributor

nyrahul commented Nov 2, 2022

Thanks.
I see that there are 2 vulnerabilities reported directly in the kubearmor code and I believe these should be easily fixable and should be fixed in this PR.
Other informational vulnerabilities are in the deps.

@sheharyaar
Contributor Author

Sure, I will do the required in this PR. Should I move the scan to ci-test-go or let it be in the Makefile? As any informational vulnerabilities in the deps too would cause the build to fail.

@sheharyaar
Contributor Author

@nyrahul, the scan report I sent was for Go 1.19. My bad for not noticing it earlier. The informational vulnerabilities which have been reported have already been backported to golang packages. I attach the report from the golang:1.18.8-bullseye docker image. The current version of KubeArmor does not have any vulnerable functions that are being called.

govulnscan.log

@sheharyaar
Contributor Author

I quote the documentation:

Govulncheck only reports vulnerabilities that apply to the current Go version. For example, a standard library vulnerability that only applies for Go 1.18 will not be reported if the current Go version is 1.19. See https://go.dev/issue/54841 for updates to this limitation.

Signed-off-by: Mohammad Shehar Yaar Tausif <[email protected]>
@nyrahul
Contributor

nyrahul commented Feb 9, 2023

Verified that there are no vulnerabilities reported by govulncheck if the golang version >=1.19.4 is used.

I am merging these changes since manual verification using make scan is possible with this PR. Let's handle GH action check in a separate PR.

Contributor

@nyrahul nyrahul left a comment

LGTM

@sheharyaar
Contributor Author

Thanks for approving the PR. I am glad to be able to contribute to the project :)

Member

@kranurag7 kranurag7 left a comment

LGTM @sheharyaar, can you also do the same for the kubearmor-client repo?

@sheharyaar
Contributor Author

Sure, I will create a PR there with the changes.

@sheharyaar
Contributor Author

Done. PR at https://github.com/kubearmor/kubearmor-client/pull/262/files

@nyrahul nyrahul merged commit 0f7c3e3 into kubearmor:main Mar 9, 2023
@kranurag7 kranurag7 mentioned this pull request Oct 15, 2023