forgejo/runner
32
98
Fork
You've already forked runner
 103
Code Issues 34 Pull requests 11 Releases 92 Packages 1 Activity Actions 6

CVE fixes and regular maintenance #552

New issue
Closed
opened 2025-05-02 10:20:34 +00:00 by pat-s · 14 comments
pat-s commented 2025-05-02 10:20:34 +00:00
Member
Copy link

Aiming to make use of the forgejo-runner in a public instance, I'd be happy to see latest release being CVE free.

Running trivy fs . on this repo, I see

go.mod (gomod)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 0)

┌──────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│             Library              │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├──────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ github.com/containerd/containerd │ CVE-2024-40635 │ MEDIUM   │ fixed  │ v1.7.13           │ 1.7.27, 1.6.38 │ containerd: containerd has an integer overflow in User ID │
│                                  │                │          │        │                   │                │ handling                                                  │
│                                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-40635                │
├──────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ golang.org/x/crypto              │ CVE-2025-22869 │ HIGH     │        │ v0.31.0           │ 0.35.0         │ golang.org/x/crypto/ssh: Denial of Service in the Key     │
│                                  │                │          │        │                   │                │ Exchange of golang.org/x/crypto/ssh                       │
│                                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-22869                │
├──────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ golang.org/x/net                 │ CVE-2025-22870 │ MEDIUM   │        │ v0.33.0           │ 0.36.0         │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy:  │
│                                  │                │          │        │                   │                │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net │
│                                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-22870                │
│                                  ├────────────────┤          │        │                   ├────────────────┼───────────────────────────────────────────────────────────┤
│                                  │ CVE-2025-22872 │          │        │                   │ 0.38.0         │ golang.org/x/net/html: Incorrect Neutralization of Input  │
│                                  │                │          │        │                   │                │ During Web Page Generation in x/net in...                 │
│                                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-22872

renovate already detects these as pending updates. However, it would be good to get these in and released in regular intervals.

Besides, a "vulnerability dashboard" (inspiration from Crow CI) as a pinned issue would help to see what is currently going on.

Aiming to make use of the `forgejo-runner` in a public instance, I'd be happy to see latest release being CVE free. Running `trivy fs .` on this repo, I see ``` go.mod (gomod) Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 0) ┌──────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ ├──────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤ │ github.com/containerd/containerd │ CVE-2024-40635 │ MEDIUM │ fixed │ v1.7.13 │ 1.7.27, 1.6.38 │ containerd: containerd has an integer overflow in User ID │ │ │ │ │ │ │ │ handling │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-40635 │ ├──────────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤ │ golang.org/x/crypto │ CVE-2025-22869 │ HIGH │ │ v0.31.0 │ 0.35.0 │ golang.org/x/crypto/ssh: Denial of Service in the Key │ │ │ │ │ │ │ │ Exchange of golang.org/x/crypto/ssh │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22869 │ ├──────────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤ │ golang.org/x/net │ CVE-2025-22870 │ MEDIUM │ │ v0.33.0 │ 0.36.0 │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: │ │ │ │ │ │ │ │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22870 │ │ ├────────────────┤ │ │ ├────────────────┼───────────────────────────────────────────────────────────┤ │ │ CVE-2025-22872 │ │ │ │ 0.38.0 │ golang.org/x/net/html: Incorrect Neutralization of Input │ │ │ │ │ │ │ │ During Web Page Generation in x/net in... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22872 ``` `renovate` already detects these as pending updates. However, it would be good to get these in and released in regular intervals. Besides, a "vulnerability dashboard" ([inspiration from Crow CI](https://codeberg.org/crowci/crow/issues/20)) as a pinned issue would help to see what is currently going on.
earl-warren commented 2025-05-02 12:36:50 +00:00
Contributor
Copy link

Agreed. The renovate dashboards:

are meant to propose updates when a direct dependency has a CVE that needs fixing. In this case it looks like none of them are. Which does not mean they don't deserve upgrading 😁

@viceice do you have an opinion?

Agreed. The renovate dashboards: - https://code.forgejo.org/forgejo/act/issues/47 - https://code.forgejo.org/forgejo/runner/issues/236 are meant to propose updates when a direct dependency has a CVE that needs fixing. In this case it looks like none of them are. Which does not mean they don't deserve upgrading 😁 @viceice do you have an opinion?
viceice commented 2025-05-02 13:46:12 +00:00
Owner
Copy link

For such cases we usally activate lockfile maintenance, which would update all transitive deps to latest versions. We do it on forgejo.

For such cases we usally activate lockfile maintenance, which would update all transitive deps to latest versions. We do it on forgejo.
viceice commented 2025-05-02 13:50:08 +00:00
Owner
Copy link

Checking why this doesn't work for go

Line 7 in forgejo/renovate-config@15e2ce6
":maintainLockFilesWeekly",

Ah renovate by default doesn't propose updates to indirect deps. We can enable it.

Checking why this doesn't work for go https://code.forgejo.org/forgejo/renovate-config/src/commit/15e2ce679099ad7da2f90b589fcb7b8d1def5015/default.json#L7 Ah renovate by default doesn't propose updates to indirect deps. We can enable it.
viceice commented 2025-05-02 13:51:41 +00:00
Owner
Copy link

Line 95 in forgejo/act@af28212
golang.org/x/crypto v0.31.0 // indirect


indirect

https://code.forgejo.org/forgejo/act/src/commit/af28212d7052afec0bf70d3c84da54c3fcebb4e9/go.mod#L95 indirect
viceice commented 2025-05-02 13:52:41 +00:00
Owner
Copy link

https://docs.renovatebot.com/modules/manager/gomod/

image

https://docs.renovatebot.com/modules/manager/gomod/ ![image](/attachments/43b39d1e-5c44-46a1-bca5-2d6506c25d86)
image.png
27 KiB
👍 1
earl-warren commented 2025-05-02 16:19:15 +00:00
Contributor
Copy link

That's worth a try. There are ~60 of them, it is not overwhelming.

That's worth a try. There are ~60 of them, it is not overwhelming.
pat-s commented 2025-05-11 16:54:07 +00:00
Author
Member
Copy link

@earl-warren @viceice Is there any way I could help with reviewing/merging pending PRs?

@earl-warren @viceice Is there any way I could help with reviewing/merging pending PRs?
viceice commented 2025-05-11 17:07:29 +00:00
Owner
Copy link

sure, feel free to review open PRs

sure, feel free to review open PRs
pat-s commented 2025-05-11 17:10:40 +00:00
Author
Member
Copy link

I meant to merge/review the pending sec PRs and eventually issue new releases. (Auto-merge is disabled for these in this repo.)

I meant to merge/review the pending sec PRs and eventually issue new releases. (Auto-merge is disabled for these in this repo.)
viceice commented 2025-05-11 17:33:33 +00:00
Owner
Copy link

we need to check the renovate logs why those security fixes are not opened automatically. they are internally forced normally

we need to check the renovate logs why those security fixes are not opened automatically. they are internally forced normally
viceice commented 2025-05-12 08:30:33 +00:00
Owner
Copy link

Ok, it seems security updates can't override the disabled state. 🤔

               {
                 "currentValue": "v0.31.0",
                 "datasource": "go",
                 "depName": "golang.org/x/crypto",
                 "depType": "indirect",
                 "enabled": false,
                 "managerData": {"lineNumber": 94, "multiLine": true},
                 "packageName": "golang.org/x/crypto",
                 "skipReason": "disabled",
                 "updates": []
               },
Ok, it seems security updates can't override the disabled state. 🤔 ```json { "currentValue": "v0.31.0", "datasource": "go", "depName": "golang.org/x/crypto", "depType": "indirect", "enabled": false, "managerData": {"lineNumber": 94, "multiLine": true}, "packageName": "golang.org/x/crypto", "skipReason": "disabled", "updates": [] }, ```
viceice commented 2025-05-12 08:40:19 +00:00
Owner
Copy link

let's see if this works

forgejo/renovate-config@4bff6dc36a

https://docs.renovatebot.com/modules/manager/gomod/

let's see if this works https://code.forgejo.org/forgejo/renovate-config/commit/4bff6dc36a286755b68eb720b14db21c33267ba1 https://docs.renovatebot.com/modules/manager/gomod/
viceice commented 2025-06-30 14:23:21 +00:00
Owner
Copy link

i think this can now be closed?

i think this can now be closed?
👍 1
pat-s commented 2025-06-30 17:00:20 +00:00
Author
Member
Copy link

Thanks for releasing an update.

My hopes are rather long-term, i.e. regular merges of important deps and (optionally) regular checks for CVEs using trivy or another related CVE scanning tool. The dependency dashboard list in this repo is also quite large and I think there's still room for improvement ;) But I'll close here for now and hope this is addressed or will be in the future without bringing this up again.

Thanks for releasing an update. My hopes are rather long-term, i.e. regular merges of important deps and (optionally) regular checks for CVEs using `trivy` or another related CVE scanning tool. The dependency dashboard list in this repo is also quite large and I think there's still room for improvement ;) But I'll close here for now and hope this is addressed or will be in the future without bringing this up again.
pat-s closed this issue 2025-06-30 17:00:20 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
renovate/github.com-docker-go-connections-0.x
renovate/go-github.com-docker-cli-vulnerability
renovate/forgejo-lxc-13.x
validate-1460
chore/testing-trixie
chore/testing-bookworm
expand-reusable-workflows-working-branch
feat-default_actions_url-on-step
2023-05-22-main-before-force-push
2023-04-30-main-before-force-push
v12.11.0
v12.10.2
v12.10.1
v12.10.0
v12.9.0
v12.8.2
v12.8.1
v12.8.0
v12.7.3
v12.7.2
v12.7.1
v12.7.0
v12.6.4
v12.6.3
v12.6.2
v12.6.1
v12.6.0
v12.5.3
v12.5.2
v12.5.1
v12.5.0
v12.4.0
v12.3.1
v12.3.0
v12.2.0
v12.1.2
v12.1.1
v12.1.0
v12.0.1
v12.0.0
v11.3.1
v11.3.0
v11.2.0
v11.1.2
v11.1.1
v11.1.0
v11.0.0
v10.0.1
v10.0.0
v9.1.1
v9.1.0
v9.0.3
v9.0.2
v9.0.1
v9.0.0
v8.0.1
v8.0.0
v7.0.0
v6.4.0
v6.3.1
v6.3.0
v6.2.2
v6.2.1
v6.2.0
v6.1.0
v6.0.1
v6.0.0
v5.0.4
v5.0.3
v5.0.2
v5.0.1
v5.0.0
v4.0.1
v4.0.0
v3.5.1
v3.5.0
v3.4.1
v3.4.0
v3.3.0
v3.2.0
v3.1.0
v3.0.3
v3.0.2
v3.0.1
v3.0.0
v2.5.0
v2.4.0
v2.3.0
v2.2.0
v2.1.0
v2.0.4
v2.0.3
v2.0.2
v1.5.0
v2.0.1
v2.0.0
v1.8.1
v1.8.0
v1.7.0
v1.6.0
v1.4.3
v1.4.2
v1.4.1
v1.3.1
v1.4.0
v1.3.0
v1.2.0
v1.1.0
v0.0.1
v1.0.1
v1.0.0
Labels
Clear labels   
FreeBSD

   
Kind/Breaking
Breaking change that won't be backward compatible

  
Kind/Bug
Something is not working

  
Kind/Chore
It is no fun but it needs to be done, this is a chore.

  
Kind/DependencyUpdate
for pull requests that are created by renovate when updating a dependency

  
Kind/Documentation
Documentation changes

  
Kind/Enhancement
Improve existing functionality

  
Kind/Feature
New functionality

  
Kind/Security
This is security issue

  
Kind/Testing
Issue or pull request related to testing

  
Priority
Critical
 The priority is critical

  
Priority
High
 The priority is high

  
Priority
Low
 The priority is low

  
Priority
Medium
 The priority is medium

  
Reviewed
Confirmed
 Issue has been confirmed

  
Reviewed
Duplicate
 This issue or pull request already exists

  
Reviewed
Invalid
 Invalid issue

  
Reviewed
Won't Fix
 This issue won't be fixed

  
Status
Abandoned
 Somebody has started to work on this but abandoned work

  
Status
Blocked
 Something is blocking this issue or pull request

  
Status
Need More Info
 Feedback is required to reproduce issue or to continue work

  
Windows
Windows ports is an independent project, see https://github.com/Crown0815/Forgejo-runner-windows-builder

  
linux-powerpc64le
powerpc64le

  
linux-riscv64

   
linux-s390x

   
run-end-to-end-tests
Run https://code.forgejo.org/forgejo/end-to-end with a runner compiled from this pull request

  
run-forgejo-tests
Run https://codeberg.org/forgejo/forgejo tests importing the runner from this pull request

  
run-multi-platform-tests
Label a PR for automatic execution of test suite on arm64 architecture.

No labels
FreeBSD
Kind/Breaking
Kind/Bug
Kind/Chore
Kind/DependencyUpdate
Kind/Documentation
Kind/Enhancement
Kind/Feature
Kind/Security
Kind/Testing
Priority
Critical
Priority
High
Priority
Low
Priority
Medium
Reviewed
Confirmed
Reviewed
Duplicate
Reviewed
Invalid
Reviewed
Won't Fix
Status
Abandoned
Status
Blocked
Status
Need More Info
Windows
linux-powerpc64le
linux-riscv64
linux-s390x
run-end-to-end-tests
run-forgejo-tests
run-multi-platform-tests
Milestone
Clear milestone
No items
No milestone
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo/runner#552
No description provided.