diff --git a/.grype.yaml b/.grype.yaml index a129f2ec..cde75955 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -81,6 +81,78 @@ ignore: # 3. If no fix yet: Extend expiry by 14 days and document justification # 4. If extended 3+ times: Open upstream issue on smallstep/certificates + # CVE-2026-2673: OpenSSL TLS 1.3 server key exchange group downgrade + # Severity: HIGH (CVSS 7.5) + # Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 (Alpine apk) + # Status: No upstream fix available — Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18 + # + # Vulnerability Details: + # - When DEFAULT is in the TLS 1.3 group configuration, the OpenSSL server may select + # a weaker key exchange group than preferred, enabling a limited key exchange downgrade. + # - Only affects systems acting as a raw TLS 1.3 server using OpenSSL's server-side group negotiation. + # + # Root Cause (No Fix Available): + # - Alpine upstream has not published a patched libcrypto3/libssl3 for Alpine 3.23. + # - Checked: Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18. + # - Fix path: once Alpine publishes a patched libcrypto3/libssl3, rebuild the Docker image + # and remove this suppression. + # + # Risk Assessment: ACCEPTED (No upstream fix; limited exposure in Charon context) + # - Charon terminates TLS at the Caddy layer — the Go backend does not act as a raw TLS 1.3 server. + # - The vulnerability requires the affected application to directly configure TLS 1.3 server + # group negotiation via OpenSSL, which Charon does not do. + # - Container-level isolation reduces the attack surface further. + # + # Mitigation (active while suppression is in effect): + # - Monitor Alpine security advisories: https://security.alpinelinux.org/vuln/CVE-2026-2673 + # - Weekly CI security rebuild (security-weekly-rebuild.yml) flags any new CVEs in the full image. + # + # Review: + # - Reviewed 2026-03-18 (initial suppression): no upstream fix available. Set 30-day review. + # - Next review: 2026-04-18. Remove suppression immediately once upstream fixes. + # + # Removal Criteria: + # - Alpine publishes a patched version of libcrypto3 and libssl3 + # - Rebuild Docker image and verify CVE-2026-2673 no longer appears in grype-results.json + # - Remove both these entries and the corresponding .trivyignore entry simultaneously + # + # References: + # - CVE-2026-2673: https://nvd.nist.gov/vuln/detail/CVE-2026-2673 + # - Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-2673 + - vulnerability: CVE-2026-2673 + package: + name: libcrypto3 + version: "3.5.5-r0" + type: apk + reason: | + HIGH — OpenSSL TLS 1.3 server key exchange group downgrade in libcrypto3 3.5.5-r0 (Alpine base image). + No upstream fix: Alpine 3.23 still ships libcrypto3 3.5.5-r0 as of 2026-03-18. Charon + terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server. + Risk accepted pending Alpine upstream patch. + expiry: "2026-04-18" # Initial 30-day review period. Extend in 14–30 day increments with documented justification. + + # Action items when this suppression expires: + # 1. Check Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-2673 + # 2. If a patched Alpine package is now available: + # a. Rebuild Docker image without suppression + # b. Run local security-scan-docker-image and confirm CVE is resolved + # c. Remove this suppression entry, the libssl3 entry below, and the .trivyignore entry + # 3. If no fix yet: Extend expiry by 14–30 days and update the review comment above + # 4. If extended 3+ times: Open an issue to track the upstream status formally + + # CVE-2026-2673 (libssl3) — see full justification in the libcrypto3 entry above + - vulnerability: CVE-2026-2673 + package: + name: libssl3 + version: "3.5.5-r0" + type: apk + reason: | + HIGH — OpenSSL TLS 1.3 server key exchange group downgrade in libssl3 3.5.5-r0 (Alpine base image). + No upstream fix: Alpine 3.23 still ships libssl3 3.5.5-r0 as of 2026-03-18. Charon + terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server. + Risk accepted pending Alpine upstream patch. + expiry: "2026-04-18" # Initial 30-day review period. See libcrypto3 entry above for action items. + # Match exclusions (patterns to ignore during scanning) # Use sparingly - prefer specific CVE suppressions above match: diff --git a/.trivyignore b/.trivyignore index fa6966bb..20d0f5f5 100644 --- a/.trivyignore +++ b/.trivyignore @@ -14,3 +14,13 @@ CVE-2026-25793 # Charon does not use untgz or process untrusted tar archives. Review by: 2026-03-14 # See also: .grype.yaml for full justification CVE-2026-22184 + +# CVE-2026-2673: OpenSSL TLS 1.3 server key exchange group downgrade (libcrypto3/libssl3) +# Severity: HIGH (CVSS 7.5) — Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 in Alpine base image +# No upstream fix available: Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18. +# When DEFAULT is in TLS 1.3 group config, server may select a weaker key exchange group. +# Charon terminates TLS at the Caddy layer — the Go backend does not act as a raw TLS 1.3 server. +# Review by: 2026-04-18 +# See also: .grype.yaml for full justification +# exp: 2026-04-18 +CVE-2026-2673 diff --git a/docs/reports/qa_security_scan_report.md b/docs/reports/qa_security_scan_report.md new file mode 100644 index 00000000..ab072f26 --- /dev/null +++ b/docs/reports/qa_security_scan_report.md @@ -0,0 +1,158 @@ +# QA Security Scan Report + +**Date**: 2026-03-18 +**Scope**: Charon project — filesystem + Docker image +**Scanners**: Trivy (filesystem), Grype (Docker image via `security-scan-docker-image` skill) +**Previous scan data reviewed**: `trivy-report.json`, `trivy-image-report.json`, `grype-results.json`, `vuln-results.json` + +--- + +## Executive Summary + +The CI supply chain run flagged **2 HIGH severity vulnerabilities**. Both are the same CVE affecting two sibling OpenSSL packages in the Alpine 3.23.3 base image. **Neither has a fixed Alpine package version available as of the scan date.** This is an upstream-blocked situation requiring monitoring, not an immediately actionable code change. + +No CRITICAL findings exist in any scan component (filesystem, Go modules, npm, or Docker image). + +--- + +## Findings + +### Finding 1 — CVE-2026-2673 [HIGH] in `libcrypto3` + +| Field | Value | +|-------|-------| +| CVE | CVE-2026-2673 | +| Severity | HIGH (CVSS 7.5) | +| Package | `libcrypto3` | +| Installed Version | `3.5.5-r0` | +| Fixed Version | **None available** | +| Fix State | Unknown / Upstream-pending | +| Component | Docker image final stage (Alpine 3.23.3 APK) | +| Scanner | Grype `security-scan-docker-image` | +| Advisory Published | 2026-03-13 | + +**Description**: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the `DEFAULT` keyword. This can result in weaker cipher negotiation than intended, potentially enabling downgrade attacks on TLS connections. + +**References**: +- https://openssl-library.org/news/secadv/20260313.txt +- https://github.com/openssl/openssl/commit/2157c9d81f7b0bd7dfa25b960e928ec28e8dd63f +- https://github.com/openssl/openssl/commit/85977e013f32ceb96aa034c0e741adddc1a05e34 +- http://www.openwall.com/lists/oss-security/2026/03/13/3 + +--- + +### Finding 2 — CVE-2026-2673 [HIGH] in `libssl3` + +| Field | Value | +|-------|-------| +| CVE | CVE-2026-2673 | +| Severity | HIGH (CVSS 7.5) | +| Package | `libssl3` | +| Installed Version | `3.5.5-r0` | +| Fixed Version | **None available** | +| Fix State | Unknown / Upstream-pending | +| Component | Docker image final stage (Alpine 3.23.3 APK) | +| Scanner | Grype `security-scan-docker-image` | +| Advisory Published | 2026-03-13 | + +**Description**: Same CVE as Finding 1. `libssl3` and `libcrypto3` are sibling packages that constitute Alpine's OpenSSL 3.5.5 installation. Both packages must be patched together. + +--- + +## Classification + +| CVE | Package | Classification | Reason | +|-----|---------|----------------|--------| +| CVE-2026-2673 | libcrypto3@3.5.5-r0 | **Waiting on Upstream** | No fixed Alpine APK available; advisory published 5 days ago | +| CVE-2026-2673 | libssl3@3.5.5-r0 | **Waiting on Upstream** | Same CVE, same upstream blocking condition | + +--- + +## Historical Finding (Resolved) + +### CVE-2026-25793 [HIGH] in `github.com/slackhq/nebula` — **RESOLVED** + +| Field | Value | +|-------|-------| +| CVE | CVE-2026-25793 | +| Severity | HIGH | +| Package | `github.com/slackhq/nebula` | +| Vulnerable Version | v1.9.7 | +| Fixed Version | v1.10.3 | +| Component | `usr/bin/caddy` (Go binary) | +| Status | **Resolved** | + +This finding appeared in the `trivy-image-report.json` scan from 2026-02-25, when the Dockerfile used `CADDY_PATCH_SCENARIO=A`, which explicitly pinned nebula to v1.9.7. The Dockerfile was updated to `CADDY_PATCH_SCENARIO=B` (see `Dockerfile:42`), which skips the explicit nebula pin and allows upstream resolution. The finding does not appear in the current (2026-03-18) Docker image scan. + +--- + +## Scan Coverage Summary + +| Scan Target | Scanner | HIGH | CRITICAL | Notes | +|-------------|---------|------|----------|-------| +| Filesystem (Go modules, npm, config) | Trivy | 0 | 0 | Clean | +| Docker image (APK packages) | Grype | 2 | 0 | CV-2026-2673 ×2 | +| Docker image (Go binaries) | Grype | 0 | 0 | Nebula CVE resolved | +| Go backend (grype-results.json) | Grype | 0 | 0 | Clean | + +--- + +## Root Cause Analysis + +The two HIGH findings share a single root cause: Alpine Linux has not yet published a patched `openssl` package for CVE-2026-2673. The advisory was disclosed on 2026-03-13 (5 days before this scan). The upstream OpenSSL commits exist, but Alpine's package maintainers have not yet issued an `openssl-3.5.x-r1` or newer release. + +The Charon Dockerfile pins to `alpine:3.23.3@sha256:2510...` (see `Dockerfile:16`). The final runtime stage installs OpenSSL indirectly as a dependency of `ca-certificates` and other system libs. The existing `apk upgrade --no-cache zlib` on the final stage line 422 targets only zlib and would not pick up an OpenSSL fix even if one were available. + +--- + +## Recommended Actions + +### Immediate (No action possible yet) + +No code change can resolve CVE-2026-2673 today. Both packages lack a fixed version in Alpine's package repository. + +**Monitor**: +- Alpine Linux security tracker: https://security.alpinelinux.org/vuln/CVE-2026-2673 +- Alpine 3.23 changelogs for an `openssl-3.5.5-r1` or later release + +### When Alpine Releases a Patch + +One of the following approaches will resolve both findings simultaneously: + +**Option A — Update the pinned base image** (preferred for reproducibility): +```dockerfile +# In Dockerfile, update ARG ALPINE_IMAGE to the new digest when Alpine patches it +ARG ALPINE_IMAGE=alpine:3.23.4@sha256: +``` +Renovate will detect and propose this update automatically once Alpine tags a new release. + +**Option B — Add explicit runtime upgrade in the final stage**: +```dockerfile +# In Dockerfile final stage, extend the existing apk upgrade line: +RUN apk add --no-cache \ + bash ca-certificates sqlite-libs sqlite tzdata gettext libcap libcap-utils \ + c-ares busybox-extras \ + && apk upgrade --no-cache zlib libcrypto3 libssl3 +``` +This would pull the patched version on each image build without waiting for a new Alpine base image tag. The tradeoff is slightly reduced reproducibility. + +--- + +## go.mod / package.json Assessment + +- `backend/go.mod`: No occurrences of `openssl`, `nebula`, or `libssl`. Backend Go module tree is clean. +- `package.json` (root): Three production dependencies (`@typescript/analyze-trace`, `tldts`, `type-check`) — none flagged by any scanner. +- `frontend/package.json`: Not independently surfacing any HIGH/CRITICAL findings in the Trivy filesystem scan. + +--- + +## Verdict + +| Category | Status | +|----------|--------| +| CRITICAL vulnerabilities | ✅ None found | +| HIGH vulnerabilities — actionable now | ✅ None (0 fixable items) | +| HIGH vulnerabilities — upstream-blocked | ⚠️ 2 (CVE-2026-2673 in libcrypto3 + libssl3) | +| Historical HIGH (nebula) | ✅ Resolved via CADDY_PATCH_SCENARIO=B | + +**No immediate code changes are required.** Resume monitoring Alpine's security tracker for CVE-2026-2673 patch availability. Once Alpine releases the fix, update `ALPINE_IMAGE` in the Dockerfile or add the explicit `apk upgrade` line for `libcrypto3` and `libssl3`.