diff --git a/.github/workflows/security-pr.yml b/.github/workflows/security-pr.yml index 4a77cc74..205b4385 100644 --- a/.github/workflows/security-pr.yml +++ b/.github/workflows/security-pr.yml @@ -364,7 +364,7 @@ jobs: - name: Run Trivy filesystem scan (SARIF output) if: steps.check-artifact.outputs.artifact_exists == 'true' || github.event_name == 'push' || github.event_name == 'pull_request' - # aquasecurity/trivy-action v0.33.1 + # aquasecurity/trivy-action 0.35.0 uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 with: scan-type: 'fs' @@ -396,7 +396,7 @@ jobs: - name: Run Trivy filesystem scan (fail on CRITICAL/HIGH) if: steps.check-artifact.outputs.artifact_exists == 'true' || github.event_name == 'push' || github.event_name == 'pull_request' - # aquasecurity/trivy-action v0.33.1 + # aquasecurity/trivy-action 0.35.0 uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 with: scan-type: 'fs' diff --git a/.grype.yaml b/.grype.yaml index dfe28943..f156ee27 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -32,7 +32,8 @@ ignore: # # Review: # - Reviewed 2026-03-18 (initial suppression): no upstream fix available. Set 30-day review. - # - Next review: 2026-04-18. Remove suppression immediately once upstream fixes. + # - Extended 2026-04-04: Alpine 3.23 still ships 3.5.5-r0. No upstream fix available. + # - Next review: 2026-05-18. Remove suppression immediately once upstream fixes. # # Removal Criteria: # - Alpine publishes a patched version of libcrypto3 and libssl3 
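Review bot: The pinned SHA on the `uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1` line is unchanged context in both hunks, so bumping the comment to `# aquasecurity/trivy-action 0.35.0` does not move the workflow to 0.35.0 — it keeps executing the same commit as before and the comment now misdescribes what runs. The audit report added in this same commit (section 2.9) lists GHSA-69fq-xp46-6x23 (Critical) as fixed in 0.35.0 and marked FIX NOW, so if that commit is the v0.33.1 build the old comment described, the vulnerable action is still being run. Resolve the commit SHA of the upstream 0.35.0 release tag and update both `uses:` lines together with the comment, e.g. `uses: aquasecurity/trivy-action@<sha of tag 0.35.0>  # 0.35.0`. The `actions/download-artifact` bump the report also marks FIX NOW is not visible in this diff; confirm it landed elsewhere. A version comment next to a SHA pin only helps if a pin-update tool or a review check keeps the two in sync, which this change shows is not currently the case.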
@@ -52,7 +53,7 @@ ignore: No upstream fix: Alpine 3.23 still ships libcrypto3 3.5.5-r0 as of 2026-03-18. Charon terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server. Risk accepted pending Alpine upstream patch. - expiry: "2026-04-18" # Initial 30-day review period. Extend in 14–30 day increments with documented justification. + expiry: "2026-05-18" # Extended 2026-04-04: Alpine 3.23 still ships 3.5.5-r0. Next review 2026-05-18. # Action items when this suppression expires: # 1. Check Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-2673 @@ -74,7 +75,7 @@ ignore: No upstream fix: Alpine 3.23 still ships libssl3 3.5.5-r0 as of 2026-03-18. Charon terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server. Risk accepted pending Alpine upstream patch. - expiry: "2026-04-18" # Initial 30-day review period. See libcrypto3 entry above for action items. + expiry: "2026-05-18" # Extended 2026-04-04: see libcrypto3 entry above for action items. # GHSA-6g7g-w4f8-9c9x: buger/jsonparser Delete panic on malformed JSON (DoS) # Severity: HIGH (CVSS 7.5) @@ -105,7 +106,8 @@ ignore: # # Review: # - Reviewed 2026-03-19 (initial suppression): no upstream fix exists. Set 30-day review. - # - Next review: 2026-04-19. Remove suppression once buger/jsonparser ships a fix and + # - Extended 2026-04-04: no upstream fix available. buger/jsonparser issue #275 still open. + # - Next review: 2026-05-19. Remove suppression once buger/jsonparser ships a fix and # CrowdSec updates their dependency. # # Removal Criteria: 
@@ -130,7 +132,7 @@ ignore: Charon does not use this package directly; the vector requires reaching CrowdSec's internal JSON processing pipeline. Risk accepted; no remediation path until upstream ships a fix. Reviewed 2026-03-19: no patched release available. - expiry: "2026-04-19" # 30-day review: no fix exists. Extend in 30-day increments with documented justification. + expiry: "2026-05-19" # Extended 2026-04-04: no upstream fix. Next review 2026-05-19. # Action items when this suppression expires: # 1. Check buger/jsonparser releases: https://github.com/buger/jsonparser/releases @@ -174,7 +176,8 @@ ignore: # Review: # - Reviewed 2026-03-19 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist. # Waiting on CrowdSec to migrate to pgx/v5. Set 30-day review. - # - Next review: 2026-04-19. Remove suppression once CrowdSec ships with pgx/v5. + # - Extended 2026-04-04: CrowdSec has not migrated to pgx/v5 yet. + # - Next review: 2026-05-19. Remove suppression once CrowdSec ships with pgx/v5. # # Removal Criteria: # - CrowdSec releases a version with pgx/v5 (pgproto3/v3) replacing pgproto3/v2 @@ -197,7 +200,7 @@ ignore: Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment. Risk accepted; no remediation until CrowdSec ships with pgx/v5. Reviewed 2026-03-19: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet. - expiry: "2026-04-19" # 30-day review: no fix path until CrowdSec migrates to pgx/v5. + expiry: "2026-05-19" # Extended 2026-04-04: no fix path until CrowdSec migrates to pgx/v5. # Action items when this suppression expires: # 1. Check CrowdSec releases for pgx/v5 migration: 
@@ -245,7 +248,8 @@ ignore: # - Reviewed 2026-03-21 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist. # Waiting on CrowdSec to migrate to pgx/v5. Set 30-day review. Sibling GHSA-jqcq-xjh3-6g23 # was already suppressed; this alias surfaced as a separate Grype match via NVD/Red Hat tracking. - # - Next review: 2026-04-21. Remove suppression once CrowdSec ships with pgx/v5. + # - Extended 2026-04-04: CrowdSec has not migrated to pgx/v5 yet. + # - Next review: 2026-05-21. Remove suppression once CrowdSec ships with pgx/v5. # # Removal Criteria: # - Same as GHSA-jqcq-xjh3-6g23: CrowdSec releases a version with pgx/v5 replacing pgproto3/v2 @@ -271,7 +275,7 @@ ignore: Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment. Risk accepted; no remediation until CrowdSec ships with pgx/v5. Reviewed 2026-03-21: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet. - expiry: "2026-04-21" # 30-day review: no fix path until CrowdSec migrates to pgx/v5. + expiry: "2026-05-21" # Extended 2026-04-04: no fix path until CrowdSec migrates to pgx/v5. # Action items when this suppression expires: # 1. Check CrowdSec releases for pgx/v5 migration: diff --git a/.trivyignore b/.trivyignore index 7b166925..e3361003 100644 --- a/.trivyignore +++ b/.trivyignore @@ -19,8 +19,8 @@ CVE-2026-22184 # Severity: MEDIUM (CVSS 5.5 NVD / 2.9 MITRE) — Package: zlib 1.3.1-r2 in Alpine base image # Fix requires zlib >= 1.3.2. No upstream fix available: Alpine 3.23 still ships zlib 1.3.1-r2. # Attack requires local access (AV:L); the vulnerable code path is not reachable via Charon's -# network-facing surface. Non-blocking by CI policy (MEDIUM). Review by: 2026-04-21 -# exp: 2026-04-21 +# network-facing surface. Non-blocking by CI policy (MEDIUM). Review by: 2026-05-21 +# exp: 2026-05-21 CVE-2026-27171 # CVE-2026-2673: OpenSSL TLS 1.3 server key exchange group downgrade (libcrypto3/libssl3) 
@@ -28,45 +28,47 @@ CVE-2026-27171 # No upstream fix available: Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18. # When DEFAULT is in TLS 1.3 group config, server may select a weaker key exchange group. # Charon terminates TLS at the Caddy layer — the Go backend does not act as a raw TLS 1.3 server. -# Review by: 2026-04-18 +# Review by: 2026-05-18 # See also: .grype.yaml for full justification -# exp: 2026-04-18 +# exp: 2026-05-18 CVE-2026-2673 # CVE-2026-33186 / GHSA-p77j-4mvh-x3m3: gRPC-Go authorization bypass via missing leading slash # Severity: CRITICAL (CVSS 9.1) — Package: google.golang.org/grpc, embedded in CrowdSec (v1.74.2) and Caddy (v1.79.1) # Fix exists at v1.79.3 — Charon's own dep is patched. Waiting on CrowdSec and Caddy upstream releases. # CrowdSec's and Caddy's grpc servers are not exposed externally in a standard Charon deployment. -# Review by: 2026-04-02 +# Suppressed for CrowdSec/Caddy embedded binaries only — Charon's direct deps are fixed (v1.79.3). +# Review by: 2026-05-04 # See also: .grype.yaml for full justification -# exp: 2026-04-02 +# exp: 2026-05-04 CVE-2026-33186 # GHSA-479m-364c-43vc: goxmldsig XML signature validation bypass (loop variable capture) # Severity: HIGH (CVSS 7.5) — Package: github.com/russellhaering/goxmldsig v1.5.0, embedded in /usr/bin/caddy # Fix exists at v1.6.0 — waiting on Caddy upstream (or caddy-security plugin) to release with patched goxmldsig. # Charon does not configure SAML-based SSO by default; the vulnerable path is not reachable in a standard deployment. -# Review by: 2026-04-02 +# Awaiting Caddy upstream update to include goxmldsig v1.6.0. 
+# Review by: 2026-05-04 # See also: .grype.yaml for full justification -# exp: 2026-04-02 +# exp: 2026-05-04 GHSA-479m-364c-43vc # GHSA-6g7g-w4f8-9c9x: buger/jsonparser Delete panic on malformed JSON (DoS) # Severity: HIGH (CVSS 7.5) — Package: github.com/buger/jsonparser v1.1.1, embedded in CrowdSec binaries # No upstream fix available as of 2026-03-19 (issue #275 open, golang/vulndb #4514 open). # Charon does not use this package; the vector requires reaching CrowdSec's internal processing pipeline. -# Review by: 2026-04-19 +# Review by: 2026-05-19 # See also: .grype.yaml for full justification -# exp: 2026-04-19 +# exp: 2026-05-19 GHSA-6g7g-w4f8-9c9x # GHSA-jqcq-xjh3-6g23: pgproto3/v2 DataRow.Decode panic on negative field length (DoS) # Severity: HIGH (CVSS 7.5) — Package: github.com/jackc/pgproto3/v2 v2.3.3, embedded in CrowdSec binaries # pgproto3/v2 is archived/EOL — no fix will be released. Fix path requires CrowdSec to migrate to pgx/v5. # Charon uses SQLite; the PostgreSQL code path is not reachable in a standard deployment. -# Review by: 2026-04-19 +# Review by: 2026-05-19 # See also: .grype.yaml for full justification -# exp: 2026-04-19 +# exp: 2026-05-19 GHSA-jqcq-xjh3-6g23 # GHSA-x6gf-mpr2-68h6 / CVE-2026-4427: pgproto3/v2 DataRow.Decode panic on negative field length (DoS) @@ -74,9 +76,9 @@ GHSA-jqcq-xjh3-6g23 # NVD/Red Hat alias (CVE-2026-4427) for the same underlying bug as GHSA-jqcq-xjh3-6g23. # pgproto3/v2 is archived/EOL — no fix will be released. Fix path requires CrowdSec to migrate to pgx/v5. # Charon uses SQLite; the PostgreSQL code path is not reachable in a standard deployment. -# Review by: 2026-04-21 +# Review by: 2026-05-21 # See also: .grype.yaml for full justification -# exp: 2026-04-21 +# exp: 2026-05-21 GHSA-x6gf-mpr2-68h6 # CVE-2026-34040 / GHSA-x744-4wpc-v9h2: Docker AuthZ plugin bypass via oversized request body diff --git a/SECURITY.md b/SECURITY.md index ec4df8b2..c6f81b83 100644 --- a/SECURITY.md +++ b/SECURITY.md 
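Review bot: The `# exp: 2026-05-04` line above `CVE-2026-33186` is a plain comment, while Trivy's own expiry syntax is an `exp:` token on the same line as the ID (`CVE-2026-33186 exp:2026-05-04`), so unless a repository script parses these comments the scanner will keep suppressing this CRITICAL (9.1) finding indefinitely — consistent with the previous 2026-04-02 expiry lapsing unnoticed until the audit. The added line `Suppressed for CrowdSec/Caddy embedded binaries only` is likewise not something this plain-ID format can enforce: the entry silences CVE-2026-33186 wherever Trivy matches it, including Charon's own `google.golang.org/grpc` module should it ever regress below v1.79.3; scoping to the embedded binaries needs Trivy's YAML ignore file (`.trivyignore.yaml`) with a `paths:` restriction, which also supports a machine-checked `expired_at:`. Unlike the `.grype.yaml` extensions in this commit, the extension here records no check result — note which CrowdSec and Caddy versions were checked on 2026-04-04 and that they still embed grpc < v1.79.3, and do the same for GHSA-479m-364c-43vc (goxmldsig) just below, whose new comment only restates the original justification. Suggested change for the ID line: `CVE-2026-33186 exp:2026-05-04`, keeping the review date in the comment for readers.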
@@ -27,7 +27,7 @@ public disclosure. ## Known Vulnerabilities -Last reviewed: 2026-03-24 +Last reviewed: 2026-04-04 ### [HIGH] CVE-2026-2673 · OpenSSL TLS 1.3 Key Exchange Group Downgrade @@ -73,6 +73,48 @@ available, update the pinned `ALPINE_IMAGE` digest in the Dockerfile, or add an --- +### [HIGH] CVE-2026-34040 · Docker AuthZ Plugin Bypass via Oversized Request Body + +| Field | Value | +|--------------|-------| +| **ID** | CVE-2026-34040 (GHSA-x744-4wpc-v9h2) | +| **Severity** | High · 8.8 | +| **Status** | Awaiting Upstream | + +**What** +Docker Engine AuthZ plugins can be bypassed when an API request body exceeds a +certain size threshold. Charon uses the Docker client SDK only; this is a +server-side vulnerability in the Docker daemon's authorization plugin handler. + +**Who** + +- Discovered by: Automated scan (govulncheck, Grype) +- Reported: 2026-04-04 +- Affects: Docker Engine daemon operators; Charon application is not directly vulnerable + +**Where** + +- Component: `github.com/docker/docker` v28.5.2+incompatible (Docker client SDK) +- Versions affected: Docker Engine < 29.3.1 + +**When** + +- Discovered: 2026-04-04 +- Disclosed (if public): Public +- Target fix: When moby/moby/v2 stabilizes or docker/docker import path is updated + +**How** +The vulnerability requires an attacker to send oversized API request bodies to the +Docker daemon. Charon uses the Docker client SDK for container management operations +only and does not expose the Docker socket externally. The attack vector is limited +to the Docker daemon host, not the Charon application. + +**Planned Remediation** +Monitor moby/moby/v2 module stabilization. The `docker/docker` import path has no +fix available. When a compatible module path exists, migrate the Docker SDK import. + +--- + ### [MEDIUM] CVE-2025-60876 · BusyBox wget HTTP Request Smuggling | Field | Value | 
@@ -113,13 +155,57 @@ Charon users is negligible since the vulnerable code path is not exercised. --- -### [LOW] CVE-2026-26958 · edwards25519 MultiScalarMult Invalid Results +### [MEDIUM] CVE-2026-33997 · Docker Off-by-One Plugin Privilege Validation + +| Field | Value | +|--------------|-------| +| **ID** | CVE-2026-33997 (GHSA-pxq6-2prw-chj9) | +| **Severity** | Medium · 6.8 | +| **Status** | Awaiting Upstream | + +**What** +An off-by-one error in Docker Engine's plugin privilege validation could allow +a malicious plugin to escalate privileges. Charon uses the Docker client SDK +for container management and does not install or manage Docker plugins. + +**Who** + +- Discovered by: Automated scan (govulncheck, Grype) +- Reported: 2026-04-04 +- Affects: Docker Engine plugin operators; Charon application is not directly vulnerable + +**Where** + +- Component: `github.com/docker/docker` v28.5.2+incompatible (Docker client SDK) +- Versions affected: Docker Engine < 29.3.1 + +**When** + +- Discovered: 2026-04-04 +- Disclosed (if public): Public +- Target fix: When moby/moby/v2 stabilizes or docker/docker import path is updated + +**How** +The vulnerability is in Docker Engine's plugin privilege validation at the +daemon level. Charon does not use Docker plugins — it only manages containers +via the Docker client SDK. The attack requires a malicious Docker plugin to be +installed on the host, which is outside Charon's operational scope. + +**Planned Remediation** +Same as CVE-2026-34040: monitor moby/moby/v2 module stabilization. No fix +available for the current `docker/docker` import path. 
+ +--- + +## Patched Vulnerabilities + +### ✅ [LOW] CVE-2026-26958 · edwards25519 MultiScalarMult Invalid Results | Field | Value | |--------------|-------| | **ID** | CVE-2026-26958 (GHSA-fw7p-63qq-7hpr) | | **Severity** | Low · 1.7 | -| **Status** | Awaiting Upstream | +| **Patched** | 2026-04-04 | **What** `filippo.io/edwards25519` v1.1.0 `MultiScalarMult` produces invalid results or undefined @@ -130,8 +216,6 @@ CrowdSec to rebuild. - Discovered by: Automated scan (Grype) - Reported: 2026-03-24 -- Affects: CrowdSec Agent component within the container; not directly exposed through Charon's - primary application interface **Where** @@ -141,21 +225,19 @@ CrowdSec to rebuild. **When** - Discovered: 2026-03-24 -- Disclosed (if public): Public -- Target fix: When CrowdSec releases a build with updated dependency +- Patched: 2026-04-04 +- Time to patch: 11 days **How** This is a rarely used advanced API within the edwards25519 library. CrowdSec does not directly expose MultiScalarMult to external input. EPSS score is 0.00018 (0.04 percentile). -**Planned Remediation** -Awaiting CrowdSec upstream release with updated dependency. No action available for Charon -maintainers. +**Resolution** +Dependency no longer present in Charon's dependency tree. CrowdSec binaries no longer bundle +affected version. --- -## Patched Vulnerabilities - ### ✅ [CRITICAL] CVE-2025-68121 · Go Stdlib Critical in CrowdSec Bundled Binaries | Field | Value | diff --git a/docs/reports/qa_security_audit_2026-04-04.md b/docs/reports/qa_security_audit_2026-04-04.md new file mode 100644 index 00000000..80b0fe0a --- /dev/null +++ b/docs/reports/qa_security_audit_2026-04-04.md 
@@ -0,0 +1,355 @@ +# QA Security Vulnerability Audit Report + +**Date:** 2026-04-04 +**Previous Review:** 2026-03-24 +**Reviewed by:** QA Security Engineer +**Scope:** Full security scan — filesystem, dependencies, Docker image, npm, Go vulncheck + +--- + +## 1. Executive Summary + +| Severity | Docker Image | Filesystem (Grype) | npm | govulncheck | Total Unique | +|----------|-------------|-------------------|-----|-------------|--------------| +| Critical | 0 | 3 | 0 | 0 | 3 | +| High | 3 | 15+ | 0 | 2 | ~12 unique | +| Medium | 2 | 12+ | 2 | 0 | ~8 unique | +| Low | 0 | 3 | 0 | 0 | ~2 unique | + +**Key Findings:** +- **Docker Image (production):** 5 unique vulnerabilities remaining (all previously known and suppressed). No new image-level CVEs. +- **Filesystem (development tooling/stale caches):** Bulk of findings are from CrowdSec/Caddy embedded binaries, `.cache/` module cache (gopls tooling), GitHub Actions, and Python virtualenv tooling — **not from Charon application code**. +- **Charon Backend (direct deps):** All direct Go deps are at or above fix thresholds. `golang.org/x/crypto` at v0.49.0, `golang.org/x/net` at v0.52.0, `google.golang.org/grpc` at v1.79.3, `quic-go` at v0.59.0, `otel/sdk` at v1.42.0. +- **npm:** 2 moderate findings in `smol-toml` (dev dependency via `markdownlint-cli2`). +- **govulncheck:** 2 vulnerabilities from `github.com/docker/docker v28.5.2+incompatible` (no fix available for this import path). +- **No new CRITICAL vulnerabilities** affecting Charon production code since last review. + +--- + +## 2. 
New Vulnerabilities (Not in SECURITY.md) + +### 2.1 [HIGH] GO-2026-4887 — Docker AuthZ Plugin Bypass (Oversized Request Body) + +| Field | Value | +|-------|-------| +| **ID** | GO-2026-4887 / CVE-2026-34040 / GHSA-x744-4wpc-v9h2 | +| **Package** | `github.com/docker/docker` v28.5.2+incompatible | +| **Fixed In** | moby/moby v29.3.1 (no fix for `docker/docker` import path) | +| **Severity** | High (CVSS 8.8) | +| **Status** | NEW — **already suppressed** in `.trivyignore` and `.grype.yaml` (added 2026-03-30), but **not yet documented in SECURITY.md** | +| **EPSS** | < 0.1% (1st percentile) | +| **Source** | govulncheck (symbol-level match), Grype (Docker image) | +| **Action** | **WATCH** — Add to SECURITY.md Known Vulnerabilities. No fix available for import path. | + +**govulncheck confirmed** this is reachable via `services.DockerService.ListContainers` and `handlers.CrowdsecHandler.DiagnosticsConnectivity`. However, the vulnerability is server-side in the Docker daemon's AuthZ plugin handler — Charon only uses the Docker client SDK. + +### 2.2 [MEDIUM] GO-2026-4883 — Moby Off-by-One Plugin Privilege Validation + +| Field | Value | +|-------|-------| +| **ID** | GO-2026-4883 / CVE-2026-33997 / GHSA-pxq6-2prw-chj9 | +| **Package** | `github.com/docker/docker` v28.5.2+incompatible | +| **Fixed In** | moby/moby v29.3.1 (no fix for `docker/docker` import path) | +| **Severity** | Medium (CVSS 6.8) | +| **Status** | NEW — **already suppressed** in `.trivyignore` and `.grype.yaml` (added 2026-03-30), but **not yet documented in SECURITY.md** | +| **Source** | govulncheck (symbol-level match), Grype (Docker image) | +| **Action** | **WATCH** — Add to SECURITY.md Known Vulnerabilities. 
| + +### 2.3 [MODERATE] GHSA-v3rj-xjv7-4jmq — smol-toml DoS via Commented Lines + +| Field | Value | +|-------|-------| +| **ID** | GHSA-v3rj-xjv7-4jmq | +| **Package** | `smol-toml` < 1.6.1 (npm, via `markdownlint-cli2`) | +| **Fixed In** | smol-toml >= 1.6.1 | +| **Severity** | Moderate | +| **Status** | NEW | +| **Source** | npm audit | +| **Action** | **FIX NOW** — Run `npm audit fix --force` (will install markdownlint-cli2@0.21.0, breaking change). Or pin smol-toml override. | + +**Note:** This is a **dev-only dependency** (markdownlint-cli2 for linting docs). Not present in production Docker image. Low real-world risk. + +### 2.4 [HIGH] GHSA-wvj2-96wp-fq3f / GHSA-89xv-2j6f-qhc8 / GHSA-q382-vc8q-7jhj / GHSA-xw59-hvm2-8pj6 — MCP Go SDK Vulnerabilities + +| Field | Value | +|-------|-------| +| **IDs** | GHSA-wvj2-96wp-fq3f, GHSA-89xv-2j6f-qhc8, GHSA-q382-vc8q-7jhj, GHSA-xw59-hvm2-8pj6 | +| **Package** | `github.com/modelcontextprotocol/go-sdk` v0.8.0 | +| **Fixed In** | v1.3.1 / v1.4.0 / v1.4.1 | +| **Severity** | High | +| **Status** | NOT APPLICABLE — **false positive** | +| **Source** | Grype filesystem scan (found in `.cache/go/pkg/mod/` — gopls tooling, not Charon code) | +| **Action** | **IGNORE** — Not a Charon dependency. Present only in Go module cache from `gopls` IDE tooling. | + +### 2.5 [HIGH] GHSA-g754-hx8w-x2g6 / GHSA-47m2-4cr7-mhcw — quic-go Vulnerabilities + +| Field | Value | +|-------|-------| +| **ID** | GHSA-g754-hx8w-x2g6 (fixed 0.57.0), GHSA-47m2-4cr7-mhcw (fixed 0.54.1) | +| **Package** | `github.com/quic-go/quic-go` v0.54.0, v0.55.0 | +| **Current Version** | **v0.59.0** (backend go.mod) | +| **Status** | NOT APPLICABLE — **false positive** | +| **Source** | Grype filesystem scan (old versions in go.sum/cache, not in actual dependency tree) | +| **Action** | **IGNORE** — Backend uses v0.59.0, which is above all fix thresholds. 
| + +### 2.6 [HIGH] GHSA-9h8m-3fm2-qjrq — OpenTelemetry SDK + +| Field | Value | +|-------|-------| +| **ID** | GHSA-9h8m-3fm2-qjrq | +| **Package** | `go.opentelemetry.io/otel/sdk` v1.38.0 | +| **Current Version** | **v1.42.0** (backend go.mod) | +| **Fixed In** | v1.40.0 | +| **Status** | NOT APPLICABLE — **false positive** | +| **Source** | Grype filesystem scan (old version in go.sum/cache) | +| **Action** | **IGNORE** — Backend uses v1.42.0, above the fix threshold. | + +### 2.7 [CRITICAL] GHSA-p77j-4mvh-x3m3 — gRPC-Go Authorization Bypass + +| Field | Value | +|-------|-------| +| **ID** | GHSA-p77j-4mvh-x3m3 / CVE-2026-33186 | +| **Package** | `google.golang.org/grpc` v1.67.0 | +| **Current Version** | **v1.79.3** (backend go.mod) | +| **Fixed In** | v1.79.3 | +| **Status** | NOT APPLICABLE — **already fixed** in Charon's direct deps | +| **Source** | Grype filesystem scan (old version from CrowdSec/Caddy embedded binaries) | +| **Action** | **IGNORE** for Charon direct deps. Already suppressed in `.trivyignore` for CrowdSec/Caddy binaries. 
| + +### 2.8 Various Go Stdlib CVEs (CrowdSec/Caddy Embedded Binaries) + +| CVE | Severity | Fixed In | Source | +|-----|----------|----------|--------| +| CVE-2025-61726 | High | go1.25.6 | CrowdSec binaries (go1.25.4/5) | +| CVE-2026-25679 | High | go1.25.8/1.26.1 | CrowdSec binaries (go1.25.4/5/6/7) | +| CVE-2025-68121 | Critical | go1.25.7 | CrowdSec binaries (go1.25.4/5/6) — **already patched in SECURITY.md** | +| CVE-2025-61729 | High | go1.25.5 | CrowdSec binaries (go1.25.4) | +| CVE-2025-68119 | High | go1.25.6 | CrowdSec binaries (go1.25.4/5) | +| CVE-2025-61731 | High | go1.25.6 | CrowdSec binaries (go1.25.4/5) | +| CVE-2025-61732 | High | go1.25.7 | CrowdSec binaries (go1.25.4/5/6) | +| CVE-2026-27142 | Medium | go1.25.8/1.26.1 | CrowdSec binaries (go1.25.4/5/6/7) | +| CVE-2025-61728 | Medium | go1.25.6 | CrowdSec binaries (go1.25.4/5) | +| CVE-2025-61730 | Medium | go1.25.6 | CrowdSec binaries (go1.25.4/5) | +| CVE-2025-61727 | Medium | go1.25.5 | CrowdSec binaries (go1.25.4) | +| CVE-2026-27139 | Low | go1.25.8/1.26.1 | CrowdSec binaries (go1.25.4/5/6/7) | + +**Status:** These are all from CrowdSec/Caddy embedded binaries compiled with older Go versions — **not from Charon's own code** (compiled with Go 1.26.1). These are stale `go.sum` entries or binary artifacts scanned by Grype. + +**Action:** **WATCH** — Awaiting CrowdSec upstream rebuild with newer Go. Charon's own binaries are compiled with Go 1.26.1 and are unaffected. 
+ +### 2.9 GitHub Actions Vulnerabilities + +| ID | Package | Severity | Fixed In | Action | +|----|---------|----------|----------|--------| +| GHSA-69fq-xp46-6x23 | `aquasecurity/trivy-action` 0.33.1 | Critical | 0.35.0 | **FIX NOW** | +| GHSA-9p44-j4g5-cfx5 | `aquasecurity/trivy-action` 0.33.1 | Medium | 0.34.0 | **FIX NOW** | +| GHSA-qmg3-hpqr-gqvc | `reviewdog/action-setup` v1 | High | — | **WATCH** | +| GHSA-cxww-7g56-2vh6 | `actions/download-artifact` v4 | High | 4.1.3 | **FIX NOW** | + +**Action:** Update GitHub Actions workflow files to use latest versions. + +### 2.10 Python Tooling Vulnerabilities (Development Only) + +| ID | Package | Severity | Fixed In | Action | +|----|---------|----------|----------|--------| +| GHSA-58pv-8j8x-9vj2 | `jaraco-context` 5.3.0 | High | 6.1.0 | WATCH (dev tooling) | +| GHSA-4xh5-x5gv-qwph | `pip` 24.0 | Medium | 25.3 | WATCH (dev tooling) | +| GHSA-6vgw-5pg2-w6jp | `pip` 24.0/25.3 | Low | 26.0 | WATCH (dev tooling) | +| GHSA-8rrh-rw8j-w5fx | `wheel` 0.45.1 | High | 0.46.2 | WATCH (dev tooling) | +| GHSA-qmgc-5h2g-mvrw | `filelock` 3.20.0 | Medium | 3.20.3 | WATCH (dev tooling) | +| GHSA-w853-jp5j-5j7f | `filelock` 3.20.0 | Medium | 3.20.1 | WATCH (dev tooling) | +| GHSA-597g-3phw-6986 | `virtualenv` 20.35.4 | Medium | 20.36.1 | WATCH (dev tooling) | + +**Note:** These are all from Python virtualenv/pip tooling in the development environment cache, **not from Charon production code**. + +--- + +## 3. Resolved Vulnerabilities + +### 3.1 CVE-2025-68121 — Go Stdlib Critical in CrowdSec Binaries + +**Status:** RESOLVED (patched 2026-03-24, already in SECURITY.md Patched section) + +Grype still detects older CrowdSec binary versions (go1.25.4/5/6) in the filesystem scan cache, but the **Docker image** no longer shows this CVE. The production image has CrowdSec rebuilt with Go 1.26.1. 
+ +### 3.2 CVE-2026-26958 — edwards25519 MultiScalarMult + +**Status:** RESOLVED — `filippo.io/edwards25519` is **no longer present** in Charon's backend dependency tree (`go.mod`/`go.sum`). The original finding was from CrowdSec binaries. + +**Recommendation:** Move CVE-2026-26958 from Known to Patched in SECURITY.md. + +### 3.3 GHSA-p77j-4mvh-x3m3 / CVE-2026-33186 — gRPC-Go Authorization Bypass + +**Status:** RESOLVED for Charon direct deps — `google.golang.org/grpc` in backend is now at v1.79.3 (the fix version). The `.trivyignore` entry for this CVE (expiry 2026-04-02) was tracking CrowdSec/Caddy embedded binaries. **The suppression expiry has passed** — needs review. + +--- + +## 4. Existing Vulnerabilities Status Update + +### 4.1 CVE-2026-2673 — OpenSSL TLS 1.3 Key Exchange Group Downgrade + +| Field | Current Status | +|-------|---------------| +| **Severity** | HIGH (7.5) | +| **Package** | `libcrypto3` 3.5.5-r0, `libssl3` 3.5.5-r0 | +| **Alpine Version** | 3.23.3 (latest) | +| **Fix Available** | No — Alpine 3.23.3 still ships 3.5.5-r0 | +| **Suppression Expiry** | 2026-04-18 | +| **SECURITY.md Status** | Awaiting Upstream | +| **Change since last review** | None. Still awaiting Alpine upstream fix. | +| **Action** | **WATCH** — Extend suppression expiry to 2026-05-04 at next review. | + +### 4.2 CVE-2025-60876 — BusyBox wget HTTP Request Smuggling + +| Field | Current Status | +|-------|---------------| +| **Severity** | Medium (6.5) | +| **Package** | `busybox` 1.37.0-r30 | +| **Fix Available** | No — Alpine 3.23.3 still ships 1.37.0-r30 | +| **SECURITY.md Status** | Awaiting Upstream | +| **Change since last review** | None. Still present in Docker image scan. | +| **Action** | **WATCH** — No urgency. Charon does not use busybox wget. 
| + +### 4.3 CVE-2026-26958 — edwards25519 MultiScalarMult + +| Field | Current Status | +|-------|---------------| +| **Severity** | Low (1.7) | +| **Package** | `filippo.io/edwards25519` v1.1.0 | +| **Fix Available** | v1.1.1 | +| **SECURITY.md Status** | Awaiting Upstream | +| **Change since last review** | **RESOLVED** — No longer in Charon's dependency tree. Not detected in Docker image scan. | +| **Action** | **Move to Patched section in SECURITY.md.** | + +--- + +## 5. Ignore/Watch File Recommendations + +### 5.1 Expired Suppressions (Require Immediate Action) + +| ID | File | Expiry | Action | +|----|------|--------|--------| +| CVE-2026-33186 | `.trivyignore` | 2026-04-02 | **REVIEW** — Fixed in Charon direct deps (grpc v1.79.3). Check if CrowdSec binaries still need suppression. | +| GHSA-479m-364c-43vc | `.trivyignore` | 2026-04-02 | **REVIEW** — Check if Caddy has updated goxmldsig. | + +### 5.2 Suppressions Expiring Soon (Review Required) + +| ID | File | Expiry | Action | +|----|------|--------|--------| +| CVE-2026-2673 | `.trivyignore`, `.grype.yaml` | 2026-04-18 | Extend to 2026-05-18 (no upstream fix) | +| GHSA-6g7g-w4f8-9c9x | `.trivyignore`, `.grype.yaml` | 2026-04-19 | Extend to 2026-05-19 (no upstream fix) | +| GHSA-jqcq-xjh3-6g23 | `.trivyignore`, `.grype.yaml` | 2026-04-19 | Extend to 2026-05-19 (no upstream fix) | +| CVE-2026-27171 | `.trivyignore` | 2026-04-21 | Extend to 2026-05-21 (no upstream fix) | +| GHSA-x6gf-mpr2-68h6 | `.trivyignore`, `.grype.yaml` | 2026-04-21 | Extend to 2026-05-21 (no upstream fix) | + +### 5.3 New Suppressions to Add + +| ID | Recommendation | Justification | +|----|----------------|---------------| +| CVE-2026-34040 / GHSA-x744-4wpc-v9h2 | Already in `.trivyignore`/`.grype.yaml` | Docker client-only usage; server-side vuln | +| CVE-2026-33997 / GHSA-pxq6-2prw-chj9 | Already in `.trivyignore`/`.grype.yaml` | Docker client-only usage; server-side vuln | +| MCP Go SDK findings | No suppression needed | False 
positive (dev tooling in `.cache/`) | +| GitHub Actions findings | No suppression needed | Fix by updating workflow files | + +### 5.4 codecov.yml + +No changes recommended. Current configuration is appropriate. + +--- + +## 6. Dependency Update Recommendations + +### 6.1 Immediate (FIX NOW) + +| Package | Current | Target | CVE/GHSA | Impact | +|---------|---------|--------|----------|--------| +| `aquasecurity/trivy-action` | 0.33.1 | 0.35.0+ | GHSA-69fq-xp46-6x23 (Critical) | GitHub Actions workflow | +| `actions/download-artifact` | v4 | v4.1.3+ | GHSA-cxww-7g56-2vh6 (High) | GitHub Actions workflow | +| `smol-toml` (via markdownlint-cli2) | < 1.6.1 | >= 1.6.1 | GHSA-v3rj-xjv7-4jmq (Moderate) | Dev dependency only | + +### 6.2 Recommended (When Feasible) + +| Package | Current | Target | Reason | +|---------|---------|--------|--------| +| `reviewdog/action-setup` | v1 | Latest pinned SHA | GHSA-qmg3-hpqr-gqvc (High) | +| `github.com/docker/docker` | v28.5.2+incompatible | moby/moby/v2 (when stable) | GO-2026-4887, GO-2026-4883 | + +### 6.3 Awaiting Upstream + +| Package | Blocked By | Tracking | +|---------|-----------|----------| +| `libcrypto3`/`libssl3` 3.5.5-r0 | Alpine 3.23 patch | CVE-2026-2673 | +| `busybox` 1.37.0-r30 | Alpine 3.23 patch | CVE-2025-60876 | +| `buger/jsonparser` v1.1.1 | Upstream fix + CrowdSec rebuild | GHSA-6g7g-w4f8-9c9x | +| `jackc/pgproto3/v2` v2.3.3 | CrowdSec migration to pgx/v5 | GHSA-jqcq-xjh3-6g23 | + +--- + +## 7. Alpine Base Image Status + +| Field | Value | +|-------|-------| +| **Current** | Alpine 3.23.3 (sha256:25109184c71bdad...) | +| **Latest Available** | Alpine 3.23.3 | +| **Status** | **Up to date** — `alpine:latest` resolves to 3.23.3 | +| **Known Unpatched CVEs in Alpine 3.23.3** | CVE-2026-2673 (OpenSSL), CVE-2025-60876 (busybox), CVE-2026-27171 (zlib) | +| **Recommendation** | No Alpine upgrade available. Monitor for 3.23.4 or 3.24.0. | + +--- + +## 8. 
Scanner Summary + +### Trivy Filesystem Scan +- **Result:** 0 vulnerabilities found in source code and dependencies +- **Note:** Trivy only scanned language-specific files. Go modules resolved correctly with no findings. + +### Grype Filesystem Scan +- **Result:** ~75 findings (many duplicates across versions) +- **Unique Vulnerabilities:** ~25 +- **False Positives:** ~15 (stale go.sum entries, `.cache/` module cache, development tooling) +- **Actionable for Charon Production:** ~5 (all previously known and suppressed) +- **Actionable for CI/CD:** 3 (GitHub Actions version updates) + +### Grype Docker Image Scan +- **Result:** 5 unique vulnerabilities +- **All previously known** and documented in `.trivyignore`/`.grype.yaml` +- **No new production vulnerabilities** + +### npm audit +- **Result:** 2 moderate vulnerabilities in dev dependency (`smol-toml` via `markdownlint-cli2`) +- **Action:** Low priority — dev tooling only + +### govulncheck +- **Result:** 2 vulnerabilities, both in `github.com/docker/docker` v28.5.2+incompatible +- **Symbol traces confirmed:** Code paths exist but vulnerability is server-side (Docker daemon), not client-side +- **Action:** Already suppressed; awaiting upstream fix + +--- + +## 9. SECURITY.md Update Checklist + +- [ ] **Move CVE-2026-26958 (edwards25519) from Known to Patched** — no longer in dependency tree +- [ ] **Add CVE-2026-34040 / GHSA-x744-4wpc-v9h2 (Docker AuthZ bypass) to Known** — already suppressed but not documented in SECURITY.md +- [ ] **Add CVE-2026-33997 / GHSA-pxq6-2prw-chj9 (Docker plugin privilege) to Known** — already suppressed but not documented in SECURITY.md +- [ ] **Review expired suppression CVE-2026-33186** — expiry was 2026-04-02; grpc v1.79.3 fixes it for Charon direct deps. Check if CrowdSec/Caddy still need it. 
+- [ ] **Review expired suppression GHSA-479m-364c-43vc** — expiry was 2026-04-02 +- [ ] **Update "Last reviewed" date** to 2026-04-04 +- [ ] **Extend suppression expiry dates** for CVEs still awaiting upstream (see Section 5.2) + +--- + +## 10. Recommended Priority Actions + +### P0 — Immediate +1. Update GitHub Actions: `aquasecurity/trivy-action` to 0.35.0+, `actions/download-artifact` to v4.1.3+ +2. Review and extend/remove expired suppressions (CVE-2026-33186, GHSA-479m-364c-43vc) + +### P1 — This Sprint +3. Update SECURITY.md: move CVE-2026-26958 to Patched, add Docker CVEs to Known +4. Fix `smol-toml` npm dev dependency vulnerability +5. Extend suppression expiry dates for upcoming expirations (Section 5.2) + +### P2 — Monitor +6. Track Alpine 3.23.4/3.24.0 for OpenSSL, busybox, zlib patches +7. Track CrowdSec releases for dependency updates (jsonparser, pgproto3/v2, grpc) +8. Track `moby/moby/v2` stabilization for Docker SDK migration diff --git a/package-lock.json b/package-lock.json index 14537013..4829cf5d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -3520,9 +3520,9 @@ } }, "node_modules/smol-toml": { - "version": "1.6.0", - "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.6.0.tgz", - "integrity": "sha512-4zemZi0HvTnYwLfrpk/CF9LOd9Lt87kAt50GnqhMpyF9U3poDAP2+iukq2bZsO/ufegbYehBkqINbsWxj4l4cw==", + "version": "1.6.1", + "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.6.1.tgz", + "integrity": "sha512-dWUG8F5sIIARXih1DTaQAX4SsiTXhInKf1buxdY9DIg4ZYPZK5nGM1VRIYmEbDbsHt7USo99xSLFu5Q1IqTmsg==", "dev": true, "license": "BSD-3-Clause", "engines": { diff --git a/package.json b/package.json index 79dec8c5..9a3d7d6b 100644 --- a/package.json +++ b/package.json @@ -14,6 +14,9 @@ "tldts": "^7.0.27", "type-check": "^0.4.0" }, + "overrides": { + "smol-toml": ">=1.6.1" + }, "devDependencies": { "@types/eslint-plugin-jsx-a11y": "^6.10.1", "@bgotink/playwright-coverage": "^0.3.2",