[SECURITY] Vulnerabilities reported by govulncheck for v5.6.0

[cmontemuino]

What did you do

git clone [email protected]:k3d-io/k3d.git && pushd k3d
git checkout v5.6.0
govulncheck ./...

What did you expect to happen

Found no vulnerabilities that could be fixed by upgrading dependencies.

Open PRs solving all of the reported vulnerabilities:

• build(deps): bump github.com/containerd/containerd from 1.7.3 to 1.7.11 #1385
• build(deps): bump golang.org/x/crypto from 0.0.0-20220411220226-7b82a4e95df4 to 0.17.0 in /docgen #1384
• build(deps): bump golang.org/x/net from 0.10.0 to 0.17.0 #1358

Screenshots or terminal output

govulncheck ./...
Scanning your code and 502 packages across 90 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2023-2382
    Denial of service via chunk extensions in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-2382
  Standard library
    Found in: net/http/[email protected]
    Fixed in: net/http/[email protected]
    Example traces found:
      #1: pkg/runtimes/docker/node.go:316:26: docker.Docker.ExecInNodeGetLogs calls io.ReadAll, which eventually calls internal.chunkedReader.Read

Vulnerability #2: GO-2023-2186
    Incorrect detection of reserved device names on Windows in path/filepath
  More info: https://pkg.go.dev/vuln/GO-2023-2186
  Standard library
    Found in: path/[email protected]
    Fixed in: path/[email protected]
    Example traces found:
      #1: pkg/runtimes/docker/util.go:105:61: docker.Docker.CopyToNode calls archive.PrepareArchiveCopy, which eventually calls filepath.IsLocal

Vulnerability #3: GO-2023-2185
    Insecure parsing of Windows paths with a \??\ prefix in path/filepath
  More info: https://pkg.go.dev/vuln/GO-2023-2185
  Standard library
    Found in: path/[email protected]
    Fixed in: path/[email protected]
    Platforms: windows
    Example traces found:
      #1: cmd/util/plugins.go:82:16: util.ExecPlugin calls exec.Cmd.Run, which eventually calls filepath.Abs
      #2: cmd/util/plugins.go:82:16: util.ExecPlugin calls exec.Cmd.Run, which eventually calls filepath.Abs
      #3: cmd/util/config/config.go:61:93: config.InitViperWithConfigFile calls filepath.Base
      #4: cmd/util/config/config.go:61:93: config.InitViperWithConfigFile calls filepath.Base
      #5: pkg/runtimes/docker/util.go:196:28: docker.GetDockerClient calls command.DockerCli.Initialize, which eventually calls filepath.Clean
      #6: pkg/runtimes/docker/util.go:196:28: docker.GetDockerClient calls command.DockerCli.Initialize, which eventually calls filepath.Clean
      #7: pkg/client/kubeconfig.go:82:39: client.KubeconfigGetWrite calls filepath.Dir
      #8: pkg/client/kubeconfig.go:82:39: client.KubeconfigGetWrite calls filepath.Dir
      #9: pkg/runtimes/docker/util.go:88:44: docker.Docker.CopyToNode calls archive.CopyInfoSourcePath, which eventually calls filepath.EvalSymlinks
      #10: pkg/runtimes/docker/util.go:88:44: docker.Docker.CopyToNode calls archive.CopyInfoSourcePath, which eventually calls filepath.EvalSymlinks
      #11: pkg/runtimes/docker/util.go:105:61: docker.Docker.CopyToNode calls archive.PrepareArchiveCopy, which eventually calls filepath.IsLocal
      #12: pkg/runtimes/docker/util.go:105:61: docker.Docker.CopyToNode calls archive.PrepareArchiveCopy, which eventually calls filepath.IsLocal
      #13: pkg/runtimes/docker/util.go:193:28: docker.GetDockerClient calls flags.ClientOptions.InstallFlags, which calls filepath.Join
      #14: pkg/runtimes/docker/util.go:193:28: docker.GetDockerClient calls flags.ClientOptions.InstallFlags, which calls filepath.Join
      #15: pkg/runtimes/docker/util.go:88:44: docker.Docker.CopyToNode calls archive.CopyInfoSourcePath, which eventually calls filepath.Split
      #16: pkg/runtimes/docker/util.go:88:44: docker.Docker.CopyToNode calls archive.CopyInfoSourcePath, which eventually calls filepath.Split
      #17: cmd/util/plugins.go:82:16: util.ExecPlugin calls exec.Cmd.Run, which eventually calls filepath.VolumeName
      #18: cmd/util/plugins.go:82:16: util.ExecPlugin calls exec.Cmd.Run, which eventually calls filepath.VolumeName
      #19: pkg/runtimes/docker/util.go:93:40: docker.Docker.CopyToNode calls archive.TarResource, which eventually calls filepath.WalkDir
      #20: pkg/runtimes/docker/util.go:93:40: docker.Docker.CopyToNode calls archive.TarResource, which eventually calls filepath.WalkDir

=== Informational ===

There are 8 vulnerabilities in modules that you require that are
neither imported nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.

Vulnerability #1: GO-2023-2412
    RAPL accessibility in github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2023-2412
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/[email protected]
    Fixed in: github.com/containerd/[email protected]

Vulnerability #2: GO-2023-2402
    Man-in-the-middle attacker can compromise integrity of secure channel in
    golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2023-2402
  Module: golang.org/x/crypto
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]

Vulnerability #3: GO-2023-2102
    HTTP/2 rapid reset can cause excessive work in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-2102
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]

  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]

Vulnerability #4: GO-2023-2045
    Memory exhaustion in QUIC connection handling in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2023-2045
  Standard library
    Found in: crypto/[email protected]
    Fixed in: crypto/[email protected]

Vulnerability #5: GO-2023-2044
    Panic when processing post-handshake message on QUIC connections in
    crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2023-2044
  Standard library
    Found in: crypto/[email protected]
    Fixed in: crypto/[email protected]

Vulnerability #6: GO-2023-2043
    Improper handling of special tags within script contexts in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-2043
  Standard library
    Found in: html/[email protected]
    Fixed in: html/[email protected]

Vulnerability #7: GO-2023-2041
    Improper handling of HTML-like comments in script contexts in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-2041
  Standard library
    Found in: html/[email protected]
    Fixed in: html/[email protected]

Vulnerability #8: GO-2023-1988
    Improper rendering of text nodes in golang.org/x/net/html
  More info: https://pkg.go.dev/vuln/GO-2023-1988
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]

Your code is affected by 3 vulnerabilities from the Go standard library.

Share feedback at https://go.dev/s/govulncheck-feedback

Which OS & Architecture

N/A

Which version of k3d

v5.6.0

Which version of docker

N/A

[drbornot]

any result with this?

[cmontemuino]

PRs fixing the vulnerabilities have been auto-closed.
@iwilltry42 could it be possible to re-open the PRs linked in the description?
Alternatively I could create a new one if that helps.

[ranjanprasad1996]

Any update on this issue?

[iwilltry42]

They have been auto-closed because the dependencies have been updated back then.
There was just no new release until now - please checkout v5.6.2 👍