Security Vulnerabilities #1340

LittleBigGene · 2023-04-26T04:53:04Z

LittleBigGene
Apr 26, 2023

Hi Feodor,

I am a software engineer wanting to use Flet for work at an insurance company. As part of our security review process, we found some vulnerabilities in 0.5.2 pypi package. We are interested in learning more about your position around ensuring securities for corporate uses, do you happen to have any remediation plans?

flet-Build-20230425-105020.pdf

Best,
Gene

FeodorFitsner · 2023-04-26T16:36:51Z

FeodorFitsner
Apr 26, 2023
Maintainer

Hi Gene,

Thanks for your interest!

Could you please elaborate on that report? I'm seeing it's mostly covering Golang components of Flet. Also, I see there is a list of vulnerabilities for specific libraries, though I cannot navigate the links. Could you please interpret the report for me? What should be done to make Flet work for your company?

2 replies

FeodorFitsner Apr 26, 2023
Maintainer

OK, so I bumped Go dependencies to their latest versions in this branch: https://github.com/flet-dev/flet/tree/go-deps

I'm looking at CVE-2021-3121 regarding usage of github.com/gogo/protobuf v1.1.1.

While running go list -m all command I don't see that any protobuf version prior 1.3.2 is used by Flet server.

The same with golang.org/x/text - Flet uses golang.org/x/text 0.9.0 during compile time.

This SO thread explains why your report contains unused dependencies. The scanner should analyze the results of go list -m all command rather than go.sum contents.

Let me know what you think.

Full list of dependencies used by Flet:

$ go list -m all

github.com/flet-dev/flet/server
cloud.google.com/go v0.110.0
cloud.google.com/go/accessapproval v1.6.0
cloud.google.com/go/accesscontextmanager v1.7.0
cloud.google.com/go/aiplatform v1.37.0
cloud.google.com/go/analytics v0.19.0
cloud.google.com/go/apigateway v1.5.0
cloud.google.com/go/apigeeconnect v1.5.0
cloud.google.com/go/apigeeregistry v0.6.0
cloud.google.com/go/apikeys v0.6.0
cloud.google.com/go/appengine v1.7.1
cloud.google.com/go/area120 v0.7.1
cloud.google.com/go/artifactregistry v1.13.0
cloud.google.com/go/asset v1.13.0
cloud.google.com/go/assuredworkloads v1.10.0
cloud.google.com/go/automl v1.12.0
cloud.google.com/go/baremetalsolution v0.5.0
cloud.google.com/go/batch v0.7.0
cloud.google.com/go/beyondcorp v0.5.0
cloud.google.com/go/bigquery v1.50.0
cloud.google.com/go/billing v1.13.0
cloud.google.com/go/binaryauthorization v1.5.0
cloud.google.com/go/certificatemanager v1.6.0
cloud.google.com/go/channel v1.12.0
cloud.google.com/go/cloudbuild v1.9.0
cloud.google.com/go/clouddms v1.5.0
cloud.google.com/go/cloudtasks v1.10.0
cloud.google.com/go/compute v1.19.1
cloud.google.com/go/compute/metadata v0.2.3
cloud.google.com/go/contactcenterinsights v1.6.0
cloud.google.com/go/container v1.15.0
cloud.google.com/go/containeranalysis v0.9.0
cloud.google.com/go/datacatalog v1.13.0
cloud.google.com/go/dataflow v0.8.0
cloud.google.com/go/dataform v0.7.0
cloud.google.com/go/datafusion v1.6.0
cloud.google.com/go/datalabeling v0.7.0
cloud.google.com/go/dataplex v1.6.0
cloud.google.com/go/dataproc v1.12.0
cloud.google.com/go/dataqna v0.7.0
cloud.google.com/go/datastore v1.11.0
cloud.google.com/go/datastream v1.7.0
cloud.google.com/go/deploy v1.8.0
cloud.google.com/go/dialogflow v1.32.0
cloud.google.com/go/dlp v1.9.0
cloud.google.com/go/documentai v1.18.0
cloud.google.com/go/domains v0.8.0
cloud.google.com/go/edgecontainer v1.0.0
cloud.google.com/go/errorreporting v0.3.0
cloud.google.com/go/essentialcontacts v1.5.0
cloud.google.com/go/eventarc v1.11.0
cloud.google.com/go/filestore v1.6.0
cloud.google.com/go/firestore v1.9.0
cloud.google.com/go/functions v1.13.0
cloud.google.com/go/gaming v1.9.0
cloud.google.com/go/gkebackup v0.4.0
cloud.google.com/go/gkeconnect v0.7.0
cloud.google.com/go/gkehub v0.12.0
cloud.google.com/go/gkemulticloud v0.5.0
cloud.google.com/go/grafeas v0.2.0
cloud.google.com/go/gsuiteaddons v1.5.0
cloud.google.com/go/iam v1.0.0
cloud.google.com/go/iap v1.7.1
cloud.google.com/go/ids v1.3.0
cloud.google.com/go/iot v1.6.0
cloud.google.com/go/kms v1.10.1
cloud.google.com/go/language v1.9.0
cloud.google.com/go/lifesciences v0.8.0
cloud.google.com/go/logging v1.7.0
cloud.google.com/go/longrunning v0.4.1
cloud.google.com/go/managedidentities v1.5.0
cloud.google.com/go/maps v0.7.0
cloud.google.com/go/mediatranslation v0.7.0
cloud.google.com/go/memcache v1.9.0
cloud.google.com/go/metastore v1.10.0
cloud.google.com/go/monitoring v1.13.0
cloud.google.com/go/networkconnectivity v1.11.0
cloud.google.com/go/networkmanagement v1.6.0
cloud.google.com/go/networksecurity v0.8.0
cloud.google.com/go/notebooks v1.8.0
cloud.google.com/go/optimization v1.3.1
cloud.google.com/go/orchestration v1.6.0
cloud.google.com/go/orgpolicy v1.10.0
cloud.google.com/go/osconfig v1.11.0
cloud.google.com/go/oslogin v1.9.0
cloud.google.com/go/phishingprotection v0.7.0
cloud.google.com/go/policytroubleshooter v1.6.0
cloud.google.com/go/privatecatalog v0.8.0
cloud.google.com/go/pubsub v1.30.0
cloud.google.com/go/pubsublite v1.7.0
cloud.google.com/go/recaptchaenterprise v1.3.1
cloud.google.com/go/recaptchaenterprise/v2 v2.7.0
cloud.google.com/go/recommendationengine v0.7.0
cloud.google.com/go/recommender v1.9.0
cloud.google.com/go/redis v1.11.0
cloud.google.com/go/resourcemanager v1.7.0
cloud.google.com/go/resourcesettings v1.5.0
cloud.google.com/go/retail v1.12.0
cloud.google.com/go/run v0.9.0
cloud.google.com/go/scheduler v1.9.0
cloud.google.com/go/secretmanager v1.10.0
cloud.google.com/go/security v1.13.0
cloud.google.com/go/securitycenter v1.19.0
cloud.google.com/go/servicecontrol v1.11.1
cloud.google.com/go/servicedirectory v1.9.0
cloud.google.com/go/servicemanagement v1.8.0
cloud.google.com/go/serviceusage v1.6.0
cloud.google.com/go/shell v1.6.0
cloud.google.com/go/spanner v1.45.0
cloud.google.com/go/speech v1.15.0
cloud.google.com/go/storage v1.29.0
cloud.google.com/go/storagetransfer v1.8.0
cloud.google.com/go/talent v1.5.0
cloud.google.com/go/texttospeech v1.6.0
cloud.google.com/go/tpu v1.5.0
cloud.google.com/go/trace v1.9.0
cloud.google.com/go/translate v1.7.0
cloud.google.com/go/video v1.15.0
cloud.google.com/go/videointelligence v1.10.0
cloud.google.com/go/vision v1.2.0
cloud.google.com/go/vision/v2 v2.7.0
cloud.google.com/go/vmmigration v1.6.0
cloud.google.com/go/vmwareengine v0.3.0
cloud.google.com/go/vpcaccess v1.6.0
cloud.google.com/go/webrisk v1.8.0
cloud.google.com/go/websecurityscanner v1.5.0
cloud.google.com/go/workflows v1.10.0
dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9
gioui.org v0.0.0-20210308172011-57750fc8a0a6
git.sr.ht/~sbinet/gg v0.3.1
github.com/BurntSushi/toml v0.3.1
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802
github.com/DataDog/datadog-go v3.2.0+incompatible
github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c
github.com/OneOfOne/xxhash v1.2.2
github.com/ajstarks/deck v0.0.0-20200831202436-30c9fc6549a9
github.com/ajstarks/deck/generate v0.0.0-20210309230005-c3f852c02e19
github.com/ajstarks/svgo v0.0.0-20211024235047-1546f124cd8b
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751
github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d
github.com/andybalholm/brotli v1.0.4
github.com/antihax/optional v1.0.0
github.com/apache/arrow/go/v10 v10.0.1
github.com/apache/arrow/go/v11 v11.0.0
github.com/apache/thrift v0.16.0
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e
github.com/armon/go-metrics v0.4.0
github.com/armon/go-radix v1.0.0
github.com/benbjohnson/clock v1.1.0
github.com/beorn7/perks v1.0.1
github.com/bgentry/speakeasy v0.1.0
github.com/boombuler/barcode v1.0.1
github.com/bytedance/sonic v1.8.8
github.com/census-instrumentation/opencensus-proto v0.4.1
github.com/cespare/xxhash v1.1.0
github.com/cespare/xxhash/v2 v2.2.0
github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311
github.com/chzyer/logex v1.1.10
github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e
github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1
github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible
github.com/circonus-labs/circonusllhist v0.1.3
github.com/client9/misspell v0.3.4
github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe
github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b
github.com/coreos/go-semver v0.3.0
github.com/coreos/go-systemd/v22 v22.3.2
github.com/cpuguy83/go-md2man/v2 v2.0.2
github.com/creack/pty v1.1.9
github.com/davecgh/go-spew v1.1.1
github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815
github.com/dustin/go-humanize v1.0.0
github.com/envoyproxy/go-control-plane v0.10.3
github.com/envoyproxy/protoc-gen-validate v0.9.1
github.com/fatih/color v1.13.0
github.com/fogleman/gg v1.3.0
github.com/frankban/quicktest v1.14.3
github.com/fsnotify/fsnotify v1.6.0
github.com/ghodss/yaml v1.0.0
github.com/gin-contrib/sse v0.1.0
github.com/gin-gonic/contrib v0.0.0-20221130124618-7e01895a63f2
github.com/gin-gonic/gin v1.9.0
github.com/go-fonts/dejavu v0.1.0
github.com/go-fonts/latin-modern v0.2.0
github.com/go-fonts/liberation v0.2.0
github.com/go-fonts/stix v0.1.0
github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4
github.com/go-kit/kit v0.9.0
github.com/go-kit/log v0.1.0
github.com/go-latex/latex v0.0.0-20210823091927-c0d11ff05a81
github.com/go-logfmt/logfmt v0.5.0
github.com/go-pdf/fpdf v0.6.0
github.com/go-playground/assert/v2 v2.2.0
github.com/go-playground/locales v0.14.1
github.com/go-playground/universal-translator v0.18.1
github.com/go-playground/validator/v10 v10.12.0
github.com/go-stack/stack v1.8.0
github.com/goccy/go-json v0.10.2
github.com/godbus/dbus/v5 v5.0.4
github.com/gogo/protobuf v1.3.2
github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0
github.com/golang/glog v1.0.0
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
github.com/golang/mock v1.6.0
github.com/golang/protobuf v1.5.3
github.com/golang/snappy v0.0.4
github.com/gomodule/redigo v1.8.9
github.com/google/btree v1.0.0
github.com/google/flatbuffers v2.0.8+incompatible
github.com/google/go-cmp v0.5.9
github.com/google/gofuzz v1.0.0
github.com/google/martian v2.1.0+incompatible
github.com/google/martian/v3 v3.3.2
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1
github.com/google/renameio v0.1.0
github.com/google/s2a-go v0.1.2
github.com/google/uuid v1.3.0
github.com/googleapis/enterprise-certificate-proxy v0.2.3
github.com/googleapis/gax-go/v2 v2.8.0
github.com/googleapis/go-type-adapters v1.0.0
github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8
github.com/gorilla/websocket v1.5.0
github.com/gosimple/slug v1.13.1
github.com/gosimple/unidecode v1.0.1
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
github.com/grpc-ecosystem/grpc-gateway v1.16.0
github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3
github.com/hashicorp/consul/api v1.18.0
github.com/hashicorp/consul/sdk v0.13.0
github.com/hashicorp/errwrap v1.0.0
github.com/hashicorp/go-cleanhttp v0.5.2
github.com/hashicorp/go-hclog v1.2.0
github.com/hashicorp/go-immutable-radix v1.3.1
github.com/hashicorp/go-msgpack v0.5.3
github.com/hashicorp/go-multierror v1.1.0
github.com/hashicorp/go-retryablehttp v0.5.3
github.com/hashicorp/go-rootcerts v1.0.2
github.com/hashicorp/go-sockaddr v1.0.2
github.com/hashicorp/go-syslog v1.0.0
github.com/hashicorp/go-uuid v1.0.2
github.com/hashicorp/go-version v1.2.1
github.com/hashicorp/golang-lru v0.5.4
github.com/hashicorp/hcl v1.0.0
github.com/hashicorp/logutils v1.0.0
github.com/hashicorp/mdns v1.0.4
github.com/hashicorp/memberlist v0.5.0
github.com/hashicorp/serf v0.10.1
github.com/iancoleman/strcase v0.2.0
github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639
github.com/inconshreveable/mousetrap v1.1.0
github.com/jpillora/backoff v1.0.0
github.com/json-iterator/go v1.1.12
github.com/jstemmer/go-junit-report v0.9.1
github.com/julienschmidt/httprouter v1.3.0
github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
github.com/kisielk/errcheck v1.5.0
github.com/kisielk/gotool v1.0.0
github.com/klauspost/asmfmt v1.3.2
github.com/klauspost/compress v1.15.9
github.com/klauspost/cpuid/v2 v2.2.4
github.com/konsorten/go-windows-terminal-sequences v1.0.3
github.com/kr/fs v0.1.0
github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515
github.com/kr/pretty v0.3.0
github.com/kr/pty v1.1.1
github.com/kr/text v0.2.0
github.com/leodido/go-urn v1.2.3
github.com/lyft/protoc-gen-star v0.6.1
github.com/magiconair/properties v1.8.7
github.com/mattn/go-colorable v0.1.12
github.com/mattn/go-isatty v0.0.18
github.com/mattn/go-sqlite3 v1.14.14
github.com/matttproud/golang_protobuf_extensions v1.0.1
github.com/miekg/dns v1.1.41
github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8
github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3
github.com/mitchellh/cli v1.1.0
github.com/mitchellh/go-homedir v1.1.0
github.com/mitchellh/go-wordwrap v1.0.0
github.com/mitchellh/mapstructure v1.5.0
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
github.com/modern-go/reflect2 v1.0.2
github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f
github.com/pascaldekloe/goe v0.1.0
github.com/pelletier/go-toml/v2 v2.0.7
github.com/phpdave11/gofpdf v1.4.2
github.com/phpdave11/gofpdi v1.0.13
github.com/pierrec/lz4/v4 v4.1.15
github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e
github.com/pkg/errors v0.9.1
github.com/pkg/sftp v1.13.1
github.com/pmezard/go-difflib v1.0.0
github.com/posener/complete v1.2.3
github.com/prometheus/client_golang v1.11.1
github.com/prometheus/client_model v0.2.0
github.com/prometheus/common v0.26.0
github.com/prometheus/procfs v0.6.0
github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0
github.com/rifflock/lfshook v0.0.0-20180920164130-b9218ef580f5
github.com/rogpeppe/fastuuid v1.2.0
github.com/rogpeppe/go-internal v1.9.0
github.com/russross/blackfriday/v2 v2.1.0
github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245
github.com/rwtodd/Go.Sed v0.0.0-20210816025313-55464686f9ef
github.com/ryanuber/columnize v2.1.0+incompatible
github.com/sagikazarmark/crypt v0.9.0
github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529
github.com/sirupsen/logrus v1.9.0
github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72
github.com/spf13/afero v1.9.5
github.com/spf13/cast v1.5.0
github.com/spf13/cobra v1.7.0
github.com/spf13/jwalterweatherman v1.1.0
github.com/spf13/pflag v1.0.5
github.com/spf13/viper v1.15.0
github.com/stretchr/objx v0.5.0
github.com/stretchr/testify v1.8.2
github.com/subosito/gotenv v1.4.2
github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926
github.com/twitchyliquid64/golang-asm v0.15.1
github.com/ugorji/go/codec v1.2.11
github.com/wangjia184/sortedset v0.0.0-20220209072355-af6d6d227aa7
github.com/yuin/goldmark v1.4.13
github.com/zeebo/assert v1.3.0
github.com/zeebo/xxh3 v1.0.2
go.etcd.io/etcd/api/v3 v3.5.6
go.etcd.io/etcd/client/pkg/v3 v3.5.6
go.etcd.io/etcd/client/v2 v2.305.6
go.etcd.io/etcd/client/v3 v3.5.6
go.opencensus.io v0.24.0
go.opentelemetry.io/proto/otlp v0.15.0
go.uber.org/atomic v1.9.0
go.uber.org/goleak v1.1.11
go.uber.org/multierr v1.8.0
go.uber.org/zap v1.21.0
golang.org/x/arch v0.3.0
golang.org/x/crypto v0.8.0
golang.org/x/exp v0.0.0-20220827204233-334a2380cb91
golang.org/x/image v0.0.0-20220302094943-723b81ca9867
golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028
golang.org/x/mod v0.8.0
golang.org/x/net v0.9.0
golang.org/x/oauth2 v0.7.0
golang.org/x/sync v0.1.0
golang.org/x/sys v0.7.0
golang.org/x/term v0.7.0
golang.org/x/text v0.9.0
golang.org/x/time v0.3.0
golang.org/x/tools v0.6.0
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
gonum.org/v1/gonum v0.11.0
gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0
gonum.org/v1/plot v0.10.1
google.golang.org/api v0.120.0
google.golang.org/appengine v1.6.7
google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1
google.golang.org/grpc v1.54.0
google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0
google.golang.org/protobuf v1.30.0
gopkg.in/alecthomas/kingpin.v2 v2.2.6
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
gopkg.in/errgo.v2 v2.1.0
gopkg.in/ini.v1 v1.67.0
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.1
honnef.co/go/tools v0.1.3
lukechampine.com/uint128 v1.2.0
modernc.org/cc/v3 v3.36.3
modernc.org/ccgo/v3 v3.16.9
modernc.org/ccorpus v1.11.6
modernc.org/httpfs v1.0.6
modernc.org/libc v1.17.1
modernc.org/mathutil v1.5.0
modernc.org/memory v1.2.1
modernc.org/opt v0.1.3
modernc.org/sqlite v1.18.1
modernc.org/strutil v1.1.3
modernc.org/tcl v1.13.1
modernc.org/token v1.0.0
modernc.org/z v1.5.1
rsc.io/binaryregexp v0.2.0
rsc.io/pdf v0.1.1
rsc.io/quote/v3 v3.1.0
rsc.io/sampler v1.3.0
sigs.k8s.io/yaml v1.2.0

LittleBigGene Apr 27, 2023
Author

Thank you so much for your fast response!

I've forwarded your replay to the internal security team, I am waiting to hear back from them for next step. Fingers Crossed.

LittleBigGene · 2023-04-28T20:30:44Z

LittleBigGene
Apr 28, 2023
Author

"Thank you for contacting the maintainer and get it resolved. Now, we don't have any known vulnerabilities with threat level 8 or above. From a security perspective I have no objections to moving forward. The 2 sub-task approvals clears the path for the DRIVE decision to proceed to the Decider Review step."

0 replies

LittleBigGene · 2023-04-28T20:30:58Z

LittleBigGene
Apr 28, 2023
Author

Thank You!

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security Vulnerabilities #1340

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 3 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Security Vulnerabilities #1340

Uh oh!

Uh oh!

LittleBigGene Apr 26, 2023

Replies: 3 comments · 2 replies

Uh oh!

FeodorFitsner Apr 26, 2023 Maintainer

Uh oh!

FeodorFitsner Apr 26, 2023 Maintainer

Uh oh!

Uh oh!

LittleBigGene Apr 27, 2023 Author

Uh oh!

Uh oh!

LittleBigGene Apr 28, 2023 Author

Uh oh!

LittleBigGene Apr 28, 2023 Author

LittleBigGene
Apr 26, 2023

Replies: 3 comments 2 replies

FeodorFitsner
Apr 26, 2023
Maintainer

FeodorFitsner Apr 26, 2023
Maintainer

LittleBigGene Apr 27, 2023
Author

LittleBigGene
Apr 28, 2023
Author

LittleBigGene
Apr 28, 2023
Author