
Depends on vulnerable libraries #3374

Closed
sgran opened this issue May 13, 2021 · 11 comments · Fixed by #3450
Comments

@sgran

sgran commented May 13, 2021

Describe the bug

Fluentd in any recent version depends on http_parser > 0.5.1, < 0.7.0. This has a transitive dependency on quite old library versions with known CVEs. Scanning a fluentd container with trivy shows:

usr/lib/ruby/gems/2.5.0/gems/http_parser.rb-0.6.0/Gemfile.lock
==============================================================
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 6, CRITICAL: 0)

+-----------+------------------+----------+-------------------+---------------+-----------------------------------------+
|  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                  TITLE                  |
+-----------+------------------+----------+-------------------+---------------+-----------------------------------------+
| ffi       | CVE-2018-1000201 | HIGH     | 1.0.11            | 1.9.24        | ruby-ffi DDL loading                    |
|           |                  |          |                   |               | issue on Windows OS                     |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-1000201 |
+           +                  +          +-------------------+               +                                         +
|           |                  |          | 1.0.11-java       |               |                                         |
|           |                  |          |                   |               |                                         |
|           |                  |          |                   |               |                                         |
+-----------+------------------+          +-------------------+---------------+-----------------------------------------+
| json      | CVE-2020-10663   |          | 1.8.0             | 2.3.0         | rubygem-json: Unsafe Object             |
|           |                  |          |                   |               | Creation Vulnerability in JSON          |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-10663   |
+           +                  +          +-------------------+               +                                         +
|           |                  |          | 1.8.0-java        |               |                                         |
|           |                  |          |                   |               |                                         |
|           |                  |          |                   |               |                                         |
+-----------+------------------+          +-------------------+---------------+-----------------------------------------+
| rake      | CVE-2020-8130    |          | 0.9.2             | 12.3.3        | rake: OS Command Injection              |
|           |                  |          |                   |               | via egrep in Rake::FileList             |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-8130    |
+-----------+------------------+          +-------------------+---------------+-----------------------------------------+
| yajl-ruby | CVE-2017-16516   |          | 1.1.0             | 1.3.1         | rubygem-yajl-ruby:                      |
|           |                  |          |                   |               | Yajl::Parser.new.parse                  |
|           |                  |          |                   |               | incorrect parsing                       |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2017-16516   |
+-----------+------------------+----------+-------------------+---------------+-----------------------------------------+
@ashie
Member

ashie commented May 14, 2021

Thanks for the report, but the lockfile (usr/lib/ruby/gems/2.5.0/gems/http_parser.rb-0.6.0/Gemfile.lock) isn't used to install & run fluentd.

For example, td-agent 4.1.1 doesn't include such old gems:

ffi (1.15.0)
json (2.5.1)
rake (13.0.3)
yajl-ruby (1.4.1)

You can confirm it also by actual released packages: https://www.fluentd.org/download

@vishiy

vishiy commented Jun 9, 2021

@ashie - can you please explain why this was closed? I see the dependency for http_parser 0.6 in the spec, and http_parser 0.6 depends on these old gems. So all scanning tools are flagging this and the root cause is fluentd depending on http_parser 0.6 (which owns this lock file).


@ashie
Member

ashie commented Jun 9, 2021

I already explained, please see above.
And please confirm that the problematic dependencies such as ffi-1.0.11, json-1.8.0, rake-0.9.2 and yajl-ruby-1.1.0 are actually installed in your system or not. Probably they aren't.

To determine dependencies when installing fluentd, gem or bundler doesn't use http_parser's Gemfile.lock; it uses http_parser.gemspec instead.
http_parser-0.6.0's spec is like this:

  s.add_development_dependency 'rake-compiler', '>= 0.7.9'
  s.add_development_dependency 'rspec', '>= 2.0.1'
  s.add_development_dependency 'json', '>= 1.4.6'
  s.add_development_dependency 'benchmark_suite'
  s.add_development_dependency 'ffi'
  if RUBY_PLATFORM =~ /java/
    s.add_development_dependency 'jruby-openssl'
  else
    s.add_development_dependency 'yajl-ruby', '>= 0.8.1'
  end

As you can see, it doesn't lock those gems to the problematic versions, so the latest versions will usually be used.
In addition, they are development dependencies, not runtime dependencies.

BTW, probably there is no particular reason that fluentd locks http_parser's version.
So I'll check the latest version and update to it if it's no problem.
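One way to check ashie's point on a running system, as an added example (this is not code from the thread or from fluentd): read the versions pinned in the stray lockfile, compare them with what RubyGems actually has installed, and show that a gemspec carrying only development dependencies resolves no runtime dependencies. The lockfile contents and the gem name `example_parser` are constructed for the example.

```ruby
# Constructed sample: a stale Gemfile.lock shipped inside a gem's own
# directory, not the lockfile Bundler used to install the application.
STRAY_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      ffi (1.0.11)
      json (1.8.0)
      rake (0.9.2)
      yajl-ruby (1.1.0)
  DEPENDENCIES
LOCK

# Gem versions pinned in the "specs:" section, as {name => version}.
# Entries indented exactly four spaces are gems; deeper lines are their deps.
def lockfile_versions(text)
  versions, in_specs = {}, false
  text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
    elsif line =~ /^\S/                     # next top-level section
      in_specs = false
    elsif in_specs && line =~ /^ {4}(\S+) \(([^)]+)\)\s*$/
      versions[$1] = $2
    end
  end
  versions
end

# Gems actually installed in this Ruby, as {name => [versions]}.
def installed_versions
  installed = {}
  Gem::Specification.each { |s| (installed[s.name] ||= []) << s.version.to_s }
  installed
end

# Lockfile entries whose exact version is installed nowhere: the finding
# came from this file alone, with nothing matching on disk.
def phantom_findings(lock_versions, installed)
  lock_versions.reject { |name, ver| installed.fetch(name, []).include?(ver) }
end

# Constructed gemspec shaped like the one quoted above (hypothetical gem name):
# development dependencies only, so `gem install` resolves no runtime deps.
def dev_only_spec
  Gem::Specification.new do |s|
    s.name, s.version = "example_parser", "0.6.0"
    s.add_development_dependency "json", ">= 1.4.6"
    s.add_development_dependency "yajl-ruby", ">= 0.8.1"
  end
end
```

Whatever `phantom_findings` returns is a version the scanner read from the file alone; any lockfile entry that does match an installed version deserves a real look rather than an exclusion rule.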

@ashie
Member

ashie commented Jun 9, 2021

> BTW, probably there is no particular reason that fluentd locks http_parser's version.
> So I'll check the latest version and update to it if it's no problem.

I mistook http_parser for http-parser.
For http_parser, there is no newer version.

@vishiy

vishiy commented Jun 9, 2021

@ashie thanks. Yes, there is no newer version for http_parser. Is it safe to delete the gem lock for http_parser?

@ashie
Member

ashie commented Jun 9, 2021

> Is it safe to delete the gem lock for http_parser?

Yes.
Or the file should be excluded from scanning by your tool's setting.

@vishiy

vishiy commented Jun 9, 2021

I can exclude this from my scan, but our customers scan and complain about this. Is it possible to consider removing it as part of the fluentd install? I see several customers flag this.

@ashie
Member

ashie commented Jun 9, 2021

I'm asking upstream to remove it:
tmm1/http_parser.rb#70

And we can remove it from td-agent and Docker images when creating them.
For other installs like gem install or bundle install, it's probably hard.

@vishiy

vishiy commented Jun 9, 2021

Thank you @ashie. Once it's removed from http_parser and a new version of the gem is released, I guess for people installing the newer version of the gem this file will not exist...

@ZeWaka

ZeWaka commented Jul 6, 2021

@ashie Any chance of upgrading the http_parser dependency here to your 0.7.0 now that you've released it? It specifies in the gemspec to not include that version.

@ashie
Member

ashie commented Jul 7, 2021

Of course we'll upgrade it.

ashie added a commit that referenced this issue Jul 8, 2021
http_parser.rb 0.6.0 includes a garbage Gemfile.lock and it causes false
positive detection by security scanning tools. 0.7.0 fixes this issue.

See also: #3374 #3409 #3437

Signed-off-by: Takuro Ashie <ashie@clear-code.com>