fix: update vulnerability suppression for buger/jsonparser to reflect upstream fix availability
This commit is contained in:
GitHub Actions
59
.grype.yaml
59
.grype.yaml
@@ -203,45 +203,47 @@ ignore:
|
||||
# GHSA-6g7g-w4f8-9c9x: buger/jsonparser Delete panic on malformed JSON (DoS)
|
||||
# Severity: HIGH (CVSS 7.5)
|
||||
# Package: github.com/buger/jsonparser v1.1.1 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
|
||||
# Status: NO upstream fix available — OSV marks "Last affected: v1.1.1" with no Fixed event
|
||||
# Status: UPSTREAM FIX EXISTS (v1.1.2 released 2026-03-20) — awaiting CrowdSec to update dependency
|
||||
# NOTE: As of 2026-04-20, grype v0.111.0 with fresh DB no longer flags this finding in the image.
|
||||
# This suppression is retained as a safety net in case future DB updates re-surface it.
|
||||
#
|
||||
# Vulnerability Details:
|
||||
# - The Delete function fails to validate offsets on malformed JSON input, producing a
|
||||
# negative slice index and a runtime panic — denial of service (CWE-125).
|
||||
# - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
||||
#
|
||||
# Root Cause (Third-Party Binary + No Upstream Fix):
|
||||
# Root Cause (Third-Party Binary — Fix Exists Upstream, Not Yet in CrowdSec):
|
||||
# - Charon does not use buger/jsonparser directly. It is compiled into CrowdSec binaries.
|
||||
# - The buger/jsonparser repository has no released fix as of 2026-03-19 (GitHub issue #275
|
||||
# and golang/vulndb #4514 are both open).
|
||||
# - Fix path: once buger/jsonparser releases a patched version and CrowdSec updates their
|
||||
# dependency, rebuild the Docker image and remove this suppression.
|
||||
# - buger/jsonparser released v1.1.2 on 2026-03-20 fixing issue #275.
|
||||
# - CrowdSec has not yet released a version built with buger/jsonparser v1.1.2.
|
||||
# - Fix path: once CrowdSec updates their dependency and rebuilds, rebuild the Docker image
|
||||
# and remove this suppression.
|
||||
#
|
||||
# Risk Assessment: ACCEPTED (Limited exploitability + no upstream fix)
|
||||
# Risk Assessment: ACCEPTED (Limited exploitability; fix exists upstream but not yet in CrowdSec)
|
||||
# - The DoS vector requires passing malformed JSON to the vulnerable Delete function within
|
||||
# CrowdSec's internal processing pipeline; this is not a direct attack surface in Charon.
|
||||
# - CrowdSec's exposed surface is its HTTP API (not raw JSON stream parsing via this path).
|
||||
#
|
||||
# Mitigation (active while suppression is in effect):
|
||||
# - Monitor buger/jsonparser: https://github.com/buger/jsonparser/issues/275
|
||||
# - Monitor CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
|
||||
# - Monitor CrowdSec releases for a build using buger/jsonparser >= v1.1.2.
|
||||
# - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
|
||||
# - Weekly CI security rebuild flags the moment a fixed image ships.
|
||||
#
|
||||
# Review:
|
||||
# - Reviewed 2026-03-19 (initial suppression): no upstream fix exists. Set 30-day review.
|
||||
# - Extended 2026-04-04: no upstream fix available. buger/jsonparser issue #275 still open.
|
||||
# - Next review: 2026-05-19. Remove suppression once buger/jsonparser ships a fix and
|
||||
# CrowdSec updates their dependency.
|
||||
# - Reviewed 2026-03-19 (initial suppression): no upstream fix. Set 30-day review.
|
||||
# - Extended 2026-04-04: no upstream fix. buger/jsonparser issue #275 still open.
|
||||
# - Updated 2026-04-20: buger/jsonparser v1.1.2 released 2026-03-20. CrowdSec not yet updated.
|
||||
# Grype v0.111.0 with fresh DB (2026-04-20) no longer flags this finding. Suppression retained
|
||||
# as a safety net. Next review: 2026-05-19 — remove if CrowdSec ships with v1.1.2+.
|
||||
#
|
||||
# Removal Criteria:
|
||||
# - buger/jsonparser releases a patched version (v1.1.2 or higher)
|
||||
# - CrowdSec releases a version built with the patched jsonparser
|
||||
# - CrowdSec releases a version built with buger/jsonparser >= v1.1.2
|
||||
# - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved
|
||||
# - Remove this entry and the corresponding .trivyignore entry simultaneously
|
||||
#
|
||||
# References:
|
||||
# - GHSA-6g7g-w4f8-9c9x: https://github.com/advisories/GHSA-6g7g-w4f8-9c9x
|
||||
# - Upstream issue: https://github.com/buger/jsonparser/issues/275
|
||||
# - Upstream fix: https://github.com/buger/jsonparser/releases/tag/v1.1.2
|
||||
# - golang/vulndb: https://github.com/golang/vulndb/issues/4514
|
||||
# - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
|
||||
- vulnerability: GHSA-6g7g-w4f8-9c9x
|
||||
@@ -251,21 +253,20 @@ ignore:
|
||||
type: go-module
|
||||
reason: |
|
||||
HIGH — DoS panic via malformed JSON in buger/jsonparser v1.1.1 embedded in CrowdSec binaries.
|
||||
No upstream fix: buger/jsonparser has no released patch as of 2026-03-19 (issue #275 open).
|
||||
Charon does not use this package directly; the vector requires reaching CrowdSec's internal
|
||||
JSON processing pipeline. Risk accepted; no remediation path until upstream ships a fix.
|
||||
Reviewed 2026-03-19: no patched release available.
|
||||
expiry: "2026-05-19" # Extended 2026-04-04: no upstream fix. Next review 2026-05-19.
|
||||
Upstream fix: buger/jsonparser v1.1.2 released 2026-03-20; CrowdSec has not yet updated their
|
||||
dependency. Grype no longer flags this as of 2026-04-20 (fresh DB). Suppression retained as
|
||||
safety net pending CrowdSec update. Charon does not use this package directly.
|
||||
Updated 2026-04-20: fix v1.1.2 exists upstream; awaiting CrowdSec dependency update.
|
||||
expiry: "2026-05-19" # Review 2026-05-19: remove if CrowdSec ships with buger/jsonparser >= v1.1.2.
|
||||
|
||||
# Action items when this suppression expires:
|
||||
# 1. Check buger/jsonparser releases: https://github.com/buger/jsonparser/releases
|
||||
# and issue #275: https://github.com/buger/jsonparser/issues/275
|
||||
# 2. If a fix has shipped AND CrowdSec has updated their dependency:
|
||||
# a. Rebuild Docker image and run local security-scan-docker-image
|
||||
# b. Remove this suppression entry and the corresponding .trivyignore entry
|
||||
# 3. If no fix yet: Extend expiry by 30 days and update the review comment above
|
||||
# 4. If extended 3+ times with no progress: Consider opening an issue upstream or
|
||||
# evaluating whether CrowdSec can replace buger/jsonparser with a safe alternative
|
||||
# 1. Check if CrowdSec has released a version with buger/jsonparser >= v1.1.2:
|
||||
# https://github.com/crowdsecurity/crowdsec/releases
|
||||
# 2. If CrowdSec has updated: rebuild Docker image, run security-scan-docker-image,
|
||||
# and remove this suppression entry and the corresponding .trivyignore entry
|
||||
# 3. If grype still does not flag it with fresh DB: consider removing the suppression as
|
||||
# it may no longer be necessary
|
||||
# 4. If no CrowdSec update yet: Extend expiry by 30 days
|
||||
|
||||
# GHSA-jqcq-xjh3-6g23: pgproto3/v2 DataRow.Decode panic on negative field length (DoS)
|
||||
# Severity: HIGH (CVSS 7.5)
|
||||
|
||||
Reference in New Issue
Block a user