akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
f0fdf9b752f3a1a3bd0831ff1d6448e2e34e3a98
Charon/docs/reports/qa_report.md
GitHub Actions 580e20d573 fix: resolve 5 HIGH-severity CVEs blocking nightly container image scan 
Patch vulnerable transitive dependencies across all three compiled
binaries in the Docker image (backend, Caddy, CrowdSec):

- go-jose/v3 and v4: JOSE/JWT validation bypass (CVE-2026-34986)
- otel/sdk: resource leak in OpenTelemetry SDK (CVE-2026-39883)
- pgproto3/v2: buffer overflow via pgx/v4 bump (CVE-2026-32286)
- AWS SDK v2: event stream injection in CrowdSec deps (GHSA-xmrv-pmrh-hhx2)
- OTel HTTP exporters: request smuggling (CVE-2026-39882)
- gRPC: bumped to v1.80.0 for transitive go-jose/v4 resolution

All Dockerfile patches include Renovate annotations for automated
future tracking. Renovate config extended to cover Go version and
GitHub Action refs in skill example workflows, preventing version
drift in non-CI files. SECURITY.md updated with pre-existing Alpine
base image CVE (no upstream fix available).

Nightly Go stdlib CVEs (1.26.1) self-heal on next development sync;
example workflow pinned to 1.26.2 for correctness.
2026-04-09 17:24:25 +00:00

448 lines
18 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# QA Audit Report — Nightly Build Vulnerability Remediation
**Date**: 2026-04-09
**Scope**: Dependency-only update — no feature or UI changes
**Image Under Test**: `charon:vuln-fix` (built 2026-04-09 14:53 UTC, 632MB)
**Branch**: Current working tree (pre-PR)
---
## Gate Results Summary
| # | Gate | Status | Details |
|---|------|--------|---------|
| 1 | E2E Playwright (Firefox 4/4 shards + Chromium spot check) | PASS | 19 passed, 20 skipped (security suite), 0 failed |
| 2 | Backend Tests + Coverage | PASS | All tests pass, 88.2% statements / 88.4% lines (gate: 87%) |
| 3 | Frontend Tests + Coverage | PASS | 791 passed, 41 skipped, 89.38% stmts / 90.13% lines (gate: 87%) |
| 4 | Local Patch Coverage Report | PASS | 0 changed lines (dependency-only), 100% patch coverage |
| 5 | Frontend Type Check (tsc --noEmit) | PASS | Zero TypeScript errors |
| 6 | Pre-commit Hooks (lefthook) | PASS | All hooks passed (shellcheck, actionlint, dockerfile-check, YAML, EOF/whitespace) |
| 7a | Trivy Filesystem Scan (CRITICAL/HIGH) | PASS | 0 vulnerabilities in source |
| 7b | govulncheck (backend) | INFO | 2 findings — both `docker/docker` v28.5.2 with no upstream fix (pre-existing, documented in SECURITY.md) |
| 7c | Docker Image Scan (Grype) | PASS | 0 CRITICAL, 2 HIGH (both unfixed Alpine OpenSSL), all target CVEs resolved |
| 8 | Linting (make lint-fast) | PASS | 0 issues |
| 9 | GORM Security Scan (--check) | PASS | 0 CRITICAL, 0 HIGH, 2 INFO suggestions |
**Overall Status: PASS**
---
## Vulnerability Remediation Verification
### Target CVEs — All Resolved
All CVEs identified in the spec (`docs/plans/current_spec.md`) were verified as absent from the `charon:vuln-fix` image:
| CVE / GHSA | Package | Was | Now | Status |
|-----------|---------|-----|-----|--------|
| CVE-2026-39883 | otel/sdk | v1.40.0 | v1.43.0 | Resolved |
| CVE-2026-34986 | go-jose/v3 | v3.0.4 | v3.0.5 | Resolved |
| CVE-2026-34986 | go-jose/v4 | v4.1.3 | v4.1.4 | Resolved |
| CVE-2026-32286 | pgproto3/v2 | v2.3.3 | Not detected | Resolved |
| GHSA-xmrv-pmrh-hhx2 | AWS SDK v2 (multiple) | various | Patched | Resolved |
| CVE-2026-39882 | OTel HTTP exporters | v1.40.0v1.42.0 | v1.43.0 | Resolved |
| CVE-2026-32281/32288/32289 | Go stdlib | 1.26.1 | 1.26.2 | Resolved (via Dockerfile ARG) |
### Remaining Vulnerabilities in Docker Image (Pre-existing, Unfixed Upstream)
| Severity | CVE | Package | Version | Status |
|----------|-----|---------|---------|--------|
| HIGH | CVE-2026-31790 | libcrypto3, libssl3 | 3.5.5-r0 | Awaiting Alpine patch |
| Medium | CVE-2025-60876 | busybox | 1.37.0-r30 | Awaiting Alpine patch |
| Medium | GHSA-6jwv-w5xf-7j27 | go.etcd.io/bbolt | v1.4.3 | CrowdSec transitive dep |
| Unknown | CVE-2026-28387/28388/28389/28390/31789 | libcrypto3, libssl3 | 3.5.5-r0 | Awaiting Alpine NVD scoring + patch |
**Note**: CVE-2026-31790 (HIGH, OpenSSL) is a **new finding** not previously documented in SECURITY.md. It affects the Alpine 3.23.3 base image and has no fix available. It is **not introduced by this PR** — it would be present in any image built on Alpine 3.23.3. Recommend adding to SECURITY.md known vulnerabilities section.
### govulncheck Findings (Backend Source — Pre-existing)
| ID | Module | Fixed In | Notes |
|----|--------|----------|-------|
| GO-2026-4887 (CVE-2026-34040) | docker/docker v28.5.2 | N/A | Already in SECURITY.md |
| GO-2026-4883 (CVE-2026-33997) | docker/docker v28.5.2 | N/A | Already in SECURITY.md |
---
## Coverage Details
### Backend (Go)
- Statement coverage: **88.2%**
- Line coverage: **88.4%**
- Gate threshold: 87% — **PASSED**
### Frontend (React/TypeScript)
- Statements: **89.38%**
- Branches: **81.86%**
- Functions: **86.71%**
- Lines: **90.13%**
- Gate threshold: 87% — **PASSED**
### Patch Coverage
- Changed source lines: **0** (dependency-only update)
- Patch coverage: **100%**
---
## E2E Test Details
Tests executed against `charon:vuln-fix` container on `http://127.0.0.1:8080`:
| Browser | Shards | Passed | Skipped | Failed |
|---------|--------|--------|---------|--------|
| Firefox | 4/4 | 11 | 20 | 0 |
| Chromium | 1/4 (spot) | 8 | 0 | 0 |
Skipped tests are from the security suite (separate project configuration). No test failures observed. The full 3-browser suite will run in CI.
---
## GORM Scanner Details
- Scanned: 43 Go files (2401 lines)
- CRITICAL: 0
- HIGH: 0
- MEDIUM: 0
- INFO: 2 (missing indexes on `UserPermittedHost` foreign keys — pre-existing, non-blocking)
---
## Recommendations
1. **Add CVE-2026-31790 to SECURITY.md** — New HIGH OpenSSL vulnerability in Alpine base image. No fix available. Monitor Alpine security advisories.
2. **Monitor docker/docker module migration** — 2 govulncheck findings with no upstream fix. Track moby/moby/v2 stabilization.
3. **Monitor bbolt GHSA-6jwv-w5xf-7j27** — Medium severity in CrowdSec transitive dependency. Track CrowdSec updates.
4. **Full CI E2E suite** — Local validation passed on Firefox + Chromium spot check. The complete 3-browser suite should run in CI pipeline.
---
## Conclusion
All audit gates **PASS**. The dependency-only changes successfully remediate all 5 HIGH and 3 MEDIUM vulnerability groups identified in the spec. No regressions detected in tests, type safety, linting, or security scans. The remaining HIGH finding (CVE-2026-31790) is a pre-existing Alpine base image issue unrelated to this PR.
**Verdict: Clear to merge.**
# QA Security Audit Report
| Field | Value |
|-------------|--------------------------------|
| **Date** | 2026-03-24 |
| **Image** | `charon:local` (Alpine 3.23.3) |
| **Go** | 1.26.1 |
| **Grype** | 0.110.0 |
| **Trivy** | 0.69.1 |
| **CodeQL** | Latest (SARIF v2.1.0) |
---
## Executive Summary
The current `charon:local` image built on 2026-03-24 shows a significantly improved
security posture compared to the CI baseline. Three previously tracked SECURITY.md
vulnerabilities are now **resolved** due to Go 1.26.1 compilation and Alpine package
updates. Two new medium/low findings emerged. No CRITICAL or HIGH active
vulnerabilities remain in the unignored scan results.
| Category | Critical | High | Medium | Low | Total |
|------------------------|----------|------|--------|-----|-------|
| **Active (unignored)** | 0 | 0 | 4 | 2 | 6 |
| **Ignored (documented)**| 0 | 4 | 0 | 0 | 4 |
| **Resolved since last audit** | 1 | 4 | 1 | 0 | 6 |
---
## Scans Executed
| # | Scan | Tool | Result |
|---|-------------------------------|-----------|----------------------|
| 1 | Trivy Filesystem | Trivy | 0 findings (no lang-specific files detected) |
| 2 | Docker Image (SBOM + Grype) | Syft/Grype| 6 active, 8 ignored |
| 3 | Trivy Image Report | Trivy | 1 HIGH (stale Feb 25 report; resolved in current build) |
| 4 | CodeQL Go | CodeQL | 1 finding (false positive — see below) |
| 5 | CodeQL JavaScript | CodeQL | 0 findings |
| 6 | GORM Security Scanner | Custom | PASSED (0 issues, 2 info) |
| 7 | Lefthook / Pre-commit | Lefthook | Configured (project uses `lefthook.yml`, not `.pre-commit-config.yaml`) |
---
## Active Findings (Unignored)
### CVE-2025-60876 — BusyBox wget HTTP Request Smuggling
| Field | Value |
|------------------|-------|
| **Severity** | Medium (CVSS 6.5) |
| **Package** | `busybox` 1.37.0-r30 (Alpine APK) |
| **Affected** | `busybox`, `busybox-binsh`, `busybox-extras`, `ssl_client` (4 matches) |
| **Fix Available** | No |
| **Classification** | AWAITING UPSTREAM |
| **EPSS** | 0.00064 (0.20 percentile) |
**Description**: BusyBox wget through 1.37 accepts raw CR/LF and other C0 control bytes
in the HTTP request-target, allowing request line splitting and header injection (CWE-284).
**Risk Assessment**: Low practical risk. Charon does not invoke `busybox wget` in its
application logic. The vulnerable `wget` applet would need to be manually invoked inside
the container with attacker-controlled URLs.
**Remediation**: Monitor Alpine 3.23 for a patched `busybox` APK. No action required
until upstream ships a fix.
---
### CVE-2026-26958 / GHSA-fw7p-63qq-7hpr — edwards25519 MultiScalarMult Invalid Results
| Field | Value |
|------------------|-------|
| **Severity** | Low (CVSS 1.7) |
| **Package** | `filippo.io/edwards25519` v1.1.0 |
| **Location** | CrowdSec binaries (`/usr/local/bin/crowdsec`, `/usr/local/bin/cscli`) |
| **Fix Available** | v1.1.1 |
| **Classification** | AWAITING UPSTREAM |
| **EPSS** | 0.00018 (0.04 percentile) |
**Description**: `MultiScalarMult` produces invalid results or undefined behavior if
the receiver is not the identity point. This is a rarely used, advanced API.
**Risk Assessment**: Minimal. CrowdSec does not directly expose edwards25519
`MultiScalarMult` to external input. The fix exists at v1.1.1 but requires CrowdSec
to rebuild with the updated dependency.
**Remediation**: Awaiting CrowdSec upstream release with updated dependency. No
action available for Charon maintainers.
---
## Ignored Findings (Documented with Justification)
These findings are suppressed in the Grype configuration with documented risk
acceptance rationale. All are in third-party binaries bundled in the container;
none are in Charon's own code.
### CVE-2026-2673 — OpenSSL TLS 1.3 Key Exchange Group Downgrade
| Field | Value |
|------------------|-------|
| **Severity** | High (CVSS 7.5) |
| **Package** | `libcrypto3` / `libssl3` 3.5.5-r0 |
| **Matches** | 2 (libcrypto3, libssl3) |
| **Classification** | ALREADY DOCUMENTED · AWAITING UPSTREAM |
Charon terminates TLS at the Caddy layer; the Go backend does not act as a raw
TLS 1.3 server. Alpine 3.23 still ships 3.5.5-r0. Risk accepted pending Alpine patch.
---
### GHSA-6g7g-w4f8-9c9x — DoS in buger/jsonparser (CrowdSec)
| Field | Value |
|------------------|-------|
| **Severity** | High (CVSS 7.5) |
| **Package** | `github.com/buger/jsonparser` v1.1.1 |
| **Matches** | 2 (crowdsec, cscli binaries) |
| **Fix Available** | v1.1.2 |
| **Classification** | ALREADY DOCUMENTED · AWAITING UPSTREAM |
Charon does not use this package directly. The vector requires reaching CrowdSec's
internal JSON processing pipeline. Risk accepted pending CrowdSec upstream fix.
---
### GHSA-jqcq-xjh3-6g23 / GHSA-x6gf-mpr2-68h6 / CVE-2026-4427 — DoS in pgproto3/v2 (CrowdSec)
| Field | Value |
|------------------|-------|
| **Severity** | High (CVSS 7.5) |
| **Package** | `github.com/jackc/pgproto3/v2` v2.3.3 |
| **Matches** | 4 (2 GHSAs × 2 binaries) |
| **Fix Available** | No (v2 is archived/EOL) |
| **Classification** | ALREADY DOCUMENTED · AWAITING UPSTREAM |
pgproto3/v2 is archived with no fix planned. CrowdSec must migrate to pgx/v5.
Charon uses SQLite, not PostgreSQL; this code path is unreachable in standard
deployment.
---
## Resolved Findings (Since Last SECURITY.md Update)
The following vulnerabilities documented in SECURITY.md are no longer detected in the
current image build. **SECURITY.md should be updated to move these to "Patched
Vulnerabilities".**
### CVE-2025-68121 — Go Stdlib Critical in CrowdSec (RESOLVED)
| Field | Value |
|------------------|-------|
| **Previous Severity** | Critical |
| **Resolution** | CrowdSec binaries now compiled with Go 1.26.1 (was Go 1.25.6) |
| **Verified** | Not detected in Grype scan of current image |
---
### CHARON-2025-001 — CrowdSec Go Stdlib CVE Cluster (RESOLVED)
| Field | Value |
|------------------|-------|
| **Previous Severity** | High |
| **Aliases** | CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729, CVE-2026-25679, CVE-2025-61732, CVE-2026-27142, CVE-2026-27139 |
| **Resolution** | CrowdSec binaries now compiled with Go 1.26.1 |
| **Verified** | None of the aliased CVEs detected in Grype scan |
---
### CVE-2026-27171 — zlib CPU Exhaustion (RESOLVED)
| Field | Value |
|------------------|-------|
| **Previous Severity** | Medium |
| **Resolution** | Alpine now ships `zlib` 1.3.2-r0 (fix threshold: 1.3.2) |
| **Verified** | Not detected in Grype scan; zlib 1.3.2-r0 confirmed in SBOM |
---
### CVE-2026-33186 — gRPC-Go Authorization Bypass (RESOLVED)
| Field | Value |
|------------------|-------|
| **Previous Severity** | Critical |
| **Packages** | `google.golang.org/grpc` v1.74.2 (CrowdSec), v1.79.1 (Caddy) |
| **Resolution** | Upstream releases now include patched gRPC (>= v1.79.3) |
| **Verified** | Not detected in Grype scan; ignore rule present but no match |
---
### GHSA-69x3-g4r3-p962 / CVE-2026-25793 — Nebula ECDSA Malleability (RESOLVED)
| Field | Value |
|------------------|-------|
| **Previous Severity** | High |
| **Package** | `github.com/slackhq/nebula` v1.9.7 in Caddy |
| **Resolution** | Caddy now ships with nebula >= v1.10.3 |
| **Verified** | Not detected in Grype scan; Trivy image report from Feb 25 had this but current build does not |
> **Note**: The stale Trivy image report (`trivy-image-report.json`, dated 2026-02-25) still
> shows CVE-2026-25793. This report predates the current build and should be regenerated.
---
### GHSA-479m-364c-43vc — goxmldsig XML Signature Bypass (RESOLVED)
| Field | Value |
|------------------|-------|
| **Previous Severity** | High |
| **Package** | `github.com/russellhaering/goxmldsig` v1.5.0 in Caddy |
| **Resolution** | Caddy now ships with goxmldsig >= v1.6.0 |
| **Verified** | Not detected in Grype scan; ignore rule present but no match |
---
## CodeQL Analysis
### go/cookie-secure-not-set — FALSE POSITIVE
| Field | Value |
|------------------|-------|
| **Severity** | Medium (CodeQL) |
| **File** | `backend/internal/api/handlers/auth_handler.go:152` |
| **Classification** | FALSE POSITIVE (stale SARIF) |
**Finding**: CodeQL reports "Cookie does not set Secure attribute to true" at line 152.
**Verification**: The `setSecureCookie` function at line 148-156 calls `c.SetCookie()`
with `secure: true` (6th positional argument). The Secure attribute IS set correctly.
This SARIF was generated from a previous code version and does not reflect the current
source. **The CodeQL SARIF files should be regenerated.**
### JavaScript / JS
No findings. Both `codeql-results-javascript.sarif` and `codeql-results-js.sarif` contain
0 results.
---
## GORM Security Scanner
| Metric | Value |
|------------|-------|
| **Result** | PASSED |
| **Files** | 43 Go files (2,396 lines) |
| **Critical** | 0 |
| **High** | 0 |
| **Medium** | 0 |
| **Info** | 2 (missing indexes on foreign keys in `UserPermittedHost`) |
The 2 informational suggestions (`UserID` and `ProxyHostID` missing `gorm:"index"` in
`backend/internal/models/user.go:130-131`) are performance recommendations, not security
issues. They do not block this audit.
---
## CI vs Local Scan Discrepancy
The CI reported **3 Critical, 5 High, 1 Medium**. The local scan on the freshly built
image reports **0 Critical, 0 High, 4 Medium, 2 Low** (active) plus **4 High** (ignored).
**Root causes for the discrepancy:**
1. **Resolved vulnerabilities**: 3 Critical and 4 High findings were resolved by Go 1.26.1
compilation and upstream Caddy/CrowdSec dependency updates since the CI image was built.
2. **Grype ignore rules**: The local scan applies documented risk acceptance rules that
suppress 4 High findings in third-party binaries. CI (Trivy) does not use these rules.
3. **Stale CI artifacts**: The `trivy-image-report.json` dates from 2026-02-25 and does
not reflect the current image state. The `codeql-results-go.sarif` references code that
has since been fixed.
---
## Recommended Actions
### Immediate (This Sprint)
1. **Update SECURITY.md**: Move CVE-2025-68121, CHARON-2025-001, and CVE-2026-27171 to
a "Patched Vulnerabilities" section. Add CVE-2025-60876 and CVE-2026-26958 as new
known vulnerabilities.
2. **Regenerate stale scan artifacts**: Re-run Trivy image scan and CodeQL analysis to
produce current SARIF/JSON files. The existing files predate fixes and produce
misleading CI results.
3. **Clean up Grype ignore rules**: Remove ignore entries for vulnerabilities that are
no longer detected (CVE-2026-33186, GHSA-69x3-g4r3-p962, GHSA-479m-364c-43vc).
Stale ignore rules obscure the actual security posture.
### Next Release
4. **Monitor Alpine APK updates**: Watch for patched `busybox` (CVE-2025-60876) and
`openssl` (CVE-2026-2673) packages in Alpine 3.23.
5. **Monitor CrowdSec releases**: Watch for CrowdSec builds with updated
`filippo.io/edwards25519` >= v1.1.1, `buger/jsonparser` >= v1.1.2, and
`pgx/v5` migration (replacing pgproto3/v2).
6. **Monitor Go 1.26.2-alpine**: When available, bump `GO_VERSION` to pick up any
remaining stdlib patches.
### Informational (Non-Blocking)
7. **GORM indexes**: Consider adding `gorm:"index"` to `UserID` and `ProxyHostID` in
`UserPermittedHost` for query performance.
---
## Gotify Token Review
Verified: No Gotify application tokens appear in scan output, log artifacts, test results,
API examples, or URL query parameters. All diagnostic output is clean.
---
## Conclusion
The Charon container image security posture has materially improved. Six previously known
vulnerabilities are now resolved through Go toolchain and dependency updates. The remaining
active findings are medium/low severity, reside in Alpine base packages and CrowdSec
third-party binaries, and have no available fixes. No vulnerabilities exist in Charon's
own application code. GORM and CodeQL scans confirm the backend code is clean.
Reference in New Issue View Git Blame Copy Permalink