基础信息
项目名称:banzaicloud/pipeline
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1720853264304766976/1720853264384458752
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| Kubernetes 输入验证错误漏洞 | 访问控制不当 | MPS-2019-15838 | CVE-2019-11255 | 中危 |
| Gin-Gonic Gin 环境问题漏洞 | HTTP请求走私 | MPS-2021-5932 | CVE-2020-28483 | 高危 |
| k8s.io/kubernetes 存在代码注入漏洞 | 代码注入 | MPS-2022-13512 | 高危 | |
| Helm 资源管理错误漏洞 | 不加限制或调节的资源分配 | MPS-2022-1951 | CVE-2022-23524 | 高危 |
| Helm 代码问题漏洞 | 空指针取消引用 | MPS-2022-1952 | CVE-2022-23525 | 高危 |
| Helm 代码问题漏洞 | 空指针取消引用 | MPS-2022-1953 | CVE-2022-23526 | 高危 |
| Google Golang 资源管理错误漏洞 | MPS-2022-58307 | CVE-2022-41723 | 高危 | |
| Helm 信息泄露漏洞 | 未授权敏感信息泄露 | MPS-2023-3781 | CVE-2023-25165 | 中危 |
| Gin-Gonic Gin 输入验证错误漏洞 | 输入验证不恰当 | MPS-2023-5119 | CVE-2023-26125 | 高危 |
| Gin 安全漏洞 | 下载代码缺少完整性检查 | MPS-2023-9711 | CVE-2023-29401 | 中危 |
| Google Golang 资源管理错误漏洞 | 拒绝服务 | MPS-c8am-hbny | CVE-2023-39325 | 高危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| k8s.io/kubernetes | v1.21.9 | 直接依赖 | 建议修复 | |
| golang.org/x/net | v0.0.0-20211209124913-491a49abca63 | 0.17.0 | 直接依赖 | 建议修复 |
| github.com/gin-gonic/gin | v1.6.2 | 1.9.1 | 直接依赖 | 建议修复 |
| helm.sh/helm/v3 | v3.6.1 | 3.11.1 | 直接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| MIT | 50 | 低 |
| Apache-2.0 | 51 | 低 |
| BSD-3-Clause | 15 | 低 |
| BSD-2-Clause | 4 | 低 |
| MPL-2.0 | 1 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| github.com/uber/tchannel-go | v1.18.0 | 间接依赖 | go |
| github.com/Azure/go-autorest/autorest/validation | v0.3.0 | 直接依赖 | go |
| gopkg.in/resty.v1 | v1.12.0 | 直接依赖 | go |
| github.com/spf13/cobra | v1.1.3 | 直接依赖 | go |
| github.com/spf13/pflag | v1.0.5 | 直接依赖 | go |
| github.com/Azure/azure-pipeline-go | v0.2.3 | 直接依赖 | go |
| github.com/sagikazarmark/appkit | v0.8.0 | 直接依赖 | go |
| github.com/denisenkom/go-mssqldb | v0.0.0-20200206145737-bbfc9a55622e | 间接依赖 | go |
| github.com/Azure/go-autorest/autorest | v0.11.12 | 直接依赖 | go |
| emperror.dev/handler/logur | v0.4.0 | 直接依赖 | go |
| github.com/microcosm-cc/bluemonday | v1.0.17 | 直接依赖 | go |
| github.com/sirupsen/logrus | v1.8.1 | 直接依赖 | go |
| github.com/Azure/azure-storage-blob-go | v0.10.0 | 直接依赖 | go |
| logur.dev/integration/watermill | v0.4.2 | 直接依赖 | go |
| github.com/gofrs/uuid | v3.2.0+incompatible | 直接依赖 | go |
| github.com/Azure/go-autorest/autorest/to | v0.4.0 | 直接依赖 | go |
| github.com/aokoli/goutils | v1.1.0 | 直接依赖 | go |
| github.com/banzaicloud/gin-utilz | v0.3.1 | 直接依赖 | go |
| github.com/aws/aws-sdk-go | v1.34.4 | 直接依赖 | go |
| github.com/lestrrat-go/backoff | v1.0.0 | 直接依赖 | go |
| emperror.dev/errors | v0.7.0 | 直接依赖 | go |
| go.uber.org/cadence | v0.19.0 | 直接依赖 | go |
| github.com/banzaicloud/cadence-aws-sdk | v0.6.0 | 直接依赖 | go |
| github.com/banzaicloud/bank-vaults/pkg/sdk | v0.6.0 | 直接依赖 | go |
| k8s.io/client-go | v0.21.9 | 直接依赖 | go |
| github.com/jinzhu/inflection | v1.0.0 | 间接依赖 | go |
| sigs.k8s.io/controller-runtime | v0.9.5 | 直接依赖 | go |
| google.golang.org/grpc | v1.38.0 | 直接依赖 | go |
| github.com/mitchellh/copystructure | v1.1.1 | 直接依赖 | go |
| google.golang.org/api | v0.44.0 | 直接依赖 | go |
| github.com/mattn/go-sqlite3 | v2.0.3+incompatible | 间接依赖 | go |
| github.com/prometheus/client_golang | v1.11.0 | 直接依赖 | go |
| k8s.io/kubectl | v0.21.9 | 直接依赖 | go |
| github.com/spf13/cast | v1.3.1 | 直接依赖 | go |
| github.com/gin-contrib/cors | v1.3.0 | 直接依赖 | go |
| github.com/erikstmartin/go-testdb | v0.0.0-20160219214506-8d10e4a1bae5 | 间接依赖 | go |
| cloud.google.com/go | v0.81.0 | 直接依赖 | go |
| github.com/pkg/errors | v0.9.1 | 直接依赖 | go |
| github.com/dexidp/dex/api/v2 | v2.0.0 | 直接依赖 | go |
| github.com/json-iterator/go | v1.1.11 | 直接依赖 | go |
| github.com/asaskevich/EventBus | v0.0.0-20180315140547-d46933a94f05 | 直接依赖 | go |
| github.com/ghodss/yaml | v1.0.0 | 直接依赖 | go |
| github.com/sagikazarmark/ocmux | v0.2.0 | 直接依赖 | go |
| google.golang.org/genproto | v0.0.0-20200526211855-cb27e3aa2013 | 间接依赖 | go |
| github.com/banzaicloud/integrated-service-sdk | v0.6.0 | 直接依赖 | go |
| github.com/jinzhu/now | v1.1.1 | 直接依赖 | go |
| k8s.io/cli-runtime | v0.21.9 | 直接依赖 | go |
| go.uber.org/zap | v1.14.1 | 间接依赖 | go |
| github.com/jonboulle/clockwork | v0.2.0 | 直接依赖 | go |
| github.com/Masterminds/semver/v3 | v3.1.1 | 直接依赖 | go |
| github.com/Azure/go-autorest/autorest/adal | v0.9.5 | 直接依赖 | go |
| k8s.io/apimachinery | v0.21.9 | 直接依赖 | go |
| github.com/pelletier/go-toml | v1.9.3 | 直接依赖 | go |
| golang.org/x/oauth2 | v0.0.0-20210402161424-2e8d93401602 | 直接依赖 | go |
| github.com/spf13/viper | v1.8.0 | 直接依赖 | go |
| logur.dev/logur | v0.17.0 | 直接依赖 | go |
| github.com/Azure/go-autorest/autorest/azure/auth | v0.5.0 | 直接依赖 | go |
| logur.dev/adapter/zap | v0.4.1 | 直接依赖 | go |
| k8s.io/klog | v1.0.0 | 直接依赖 | go |
| logur.dev/adapter/logrus | v0.4.1 | 直接依赖 | go |
| github.com/patrickmn/go-cache | v2.1.0+incompatible | 直接依赖 | go |
| helm.sh/helm/v3 | v3.6.1 | 直接依赖 | go |
| github.com/golang/protobuf | v1.5.2 | 直接依赖 | go |
| github.com/aws/aws-sdk-go | v1.37.1 | 直接依赖 | go |
| gopkg.in/square/go-jose.v2 | v2.5.1 | 直接依赖 | go |
| github.com/gin-gonic/gin | v1.6.2 | 直接依赖 | go |
| golang.org/x/net | v0.0.0-20211209124913-491a49abca63 | 直接依赖 | go |
| github.com/jinzhu/copier | v0.0.0-20201025035756-632e723a6687 | 直接依赖 | go |
| github.com/oklog/run | v1.1.0 | 直接依赖 | go |
| github.com/banzaicloud/anchore-image-validator | v0.0.0-20190823121528-918b9fa6af62 | 直接依赖 | go |
| github.com/gofrs/flock | v0.8.0 | 直接依赖 | go |
| github.com/mitchellh/mapstructure | v1.1.2 | 直接依赖 | go |
| github.com/Azure/azure-sdk-for-go | v44.2.0+incompatible | 直接依赖 | go |
| github.com/go-kit/kit | v0.10.0 | 直接依赖 | go |
| github.com/technosophos/moniker | v0.0.0-20180509230615-a5dbd03a2245 | 直接依赖 | go |
| github.com/banzaicloud/logging-operator/pkg/sdk | v0.7.18 | 直接依赖 | go |
| k8s.io/api | v0.21.9 | 直接依赖 | go |
| github.com/sagikazarmark/kitx | v0.12.0 | 直接依赖 | go |
| github.com/moogar0880/problems | v0.1.1 | 直接依赖 | go |
| github.com/MakeNowJust/heredoc | v1.0.0 | 直接依赖 | go |
| github.com/gorilla/mux | v1.8.0 | 直接依赖 | go |
| sigs.k8s.io/yaml | v1.2.0 | 直接依赖 | go |
| logur.dev/integration/zap | v0.3.2 | 直接依赖 | go |
| k8s.io/kubernetes | v1.21.9 | 直接依赖 | go |
| github.com/hashicorp/vault/api | v1.0.4 | 直接依赖 | go |
| github.com/vmware/govmomi | v0.22.0 | 直接依赖 | go |
| sigs.k8s.io/testing_frameworks | v0.1.2 | 直接依赖 | go |
| github.com/banzaicloud/pipeline/pkg/sdk | v0.0.1 | 直接依赖 | go |
| google.golang.org/genproto | v0.0.0-20210602131652-f16073e35f0c | 直接依赖 | go |
| emperror.dev/emperror | v0.32.0 | 直接依赖 | go |
| github.com/stretchr/testify | v1.6.1 | 直接依赖 | go |
| cloud.google.com/go/storage | v1.10.0 | 直接依赖 | go |
| github.com/banzaicloud/logrus-runtime-formatter | v0.0.0-20180617171254-12df4a18567f | 直接依赖 | go |
| github.com/mitchellh/mapstructure | v1.4.1 | 直接依赖 | go |
| github.com/vmware-tanzu/velero | v1.5.1 | 直接依赖 | go |
| github.com/prometheus/client_model | v0.2.0 | 直接依赖 | go |
| github.com/coreos/go-oidc | v2.1.0+incompatible | 直接依赖 | go |
| logur.dev/integration/logr | v0.4.0 | 直接依赖 | go |
| github.com/jinzhu/gorm | v1.9.16 | 直接依赖 | go |
| github.com/banzaicloud/go-gin-prometheus | v0.1.0 | 直接依赖 | go |
| go.opencensus.io | v0.23.0 | 直接依赖 | go |
| github.com/banzaicloud/operator-tools | v0.25.4 | 直接依赖 | go |
| github.com/prometheus/prom2json | v1.3.0 | 直接依赖 | go |
| go.uber.org/yarpc | v1.55.0 | 直接依赖 | go |
| k8s.io/apiextensions-apiserver | v0.21.3 | 直接依赖 | go |
| github.com/apache/thrift | v0.13.0 | 间接依赖 | go |
| k8s.io/klog/v2 | v2.9.0 | 直接依赖 | go |
| github.com/stretchr/testify | v1.7.0 | 直接依赖 | go |
| golang.org/x/crypto | v0.0.0-20210220033148-5ea612d1eb83 | 直接依赖 | go |
| emperror.dev/errors | v0.8.0 | 直接依赖 | go |
| gopkg.in/yaml.v2 | v2.4.0 | 直接依赖 | go |
| github.com/gorilla/sessions | v1.2.1 | 直接依赖 | go |
| github.com/ThreeDotsLabs/watermill | v1.1.0 | 直接依赖 | go |
| k8s.io/cluster-bootstrap | v0.21.9 | 直接依赖 | go |
| go.uber.org/zap | v1.18.1 | 直接依赖 | go |