Component Governance Flags Outdated CVEs In Vcpkg: A Fix

by ADMIN

Hey guys! Ever run into a situation where your Component Governance flags a ton of outdated OpenSSL and cURL CVEs during a vcpkg install? It's a real headache, especially when it's all because of ore-1.16.0 in the azure-sdk-for-cpp. Let's dive into this issue, why it happens, and how we can tackle it.

The Bug: Too Many Alerts!

So, here's the deal. When you're doing a vcpkg install, Component Governance goes through all the buildtrees. The problem? It often flags hundreds of instances where it thinks you're using outdated versions of OpenSSL and cURL. We're talking over 300 alerts here! This can lead to a flood of critical-level alerts that can actually break your build, especially if you're using Azure Core. It's like getting a million notifications on your phone – overwhelming, right?

Diving into the Details: An Example

Let's look at a specific example. You might see an alert like this:

Description:

"statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session."

Recommendation:

"A specific remediation has not been provided for this vulnerability. For managing alerts without remediation guidance, see the Component Governance documentation. For more details on the advisory that raised this alert, see the advisory link in the Resources section below."

Usage:

Pipeline:

Location:

/s/external/vcpkg/buildtrees/azure-core-cpp/src/ore_1.16.0-a25e847603.clean/_/_/_/cgmanifest.json
/s/external/vcpkg/buildtrees/azure-core-cpp/src/ore_1.16.0-a25e847603.clean/_/attestation/azure-security-attestation/cgmanifest.json
/s/external/vcpkg/buildtrees/azure-core-cpp/src/ore_1.16.0-a25e847603.clean/_/storage/azure-storage-blobs/cgmanifest.json
/s/external/vcpkg/buildtrees/azure-core-cpp/src/ore_1.16.0-a25e847603.clean/_/storage/azure-storage-common/cgmanifest.json
/s/external/vcpkg/buildtrees/azure-core-cpp/src/ore_1.16.0-a25e847603.clean/_/storage/azure-storage-files-datalake/cgmanifest.json
/s/external/vcpkg/buildtrees/azure-core-cpp/src/ore_1.16.0-a25e847603.clean/_/storage/azure-storage-files-shares/cgmanifest.json
/s/external/vcpkg/buildtrees/azure-core-cpp/src/ore_1.16.0-a25e847603.clean/_/storage/azure-storage-queues/cgmanifest.json

This describes a use-after-free in OpenSSL 1.1.0a, and the alert is attributed to several cgmanifest.json files sitting inside the azure-core-cpp buildtrees rather than to anything your own project declares. It sounds scary, but let's break it down and see how to handle it.

How to Reproduce the Issue

Want to see this in action? It's pretty straightforward. Just run Component Governance checks on a repository that's using the Azure SDK for C++. Bam! You'll likely be greeted with a flood of these alerts. It's like a surprise party, but not the fun kind.

Code Snippet Example:

Here’s a typical location where you might see these alerts:

/s/external/vcpkg/buildtrees/azure-core-cpp/src/ore_1.16.0-a25e847603.clean/_/storage/azure-storage-queues/cgmanifest.json

This path points to one of the cgmanifest.json files the alert is attributed to. A copy sits in each sub-package of the unpacked source tree, which explains why you see so many alerts for the same CVE.

The Expected Behavior: Peace and Quiet (No Alerts!)

Ideally, when you run your builds, you don't want a barrage of critical CVE alerts. You want to be confident that you're not using OSS versions with known vulnerabilities. It's like having a security system that doesn't constantly set off false alarms – you can actually trust it.

Setup Information: What You Need to Know

To understand this issue better, here’s some key information about the setup:

  • OS: Windows (This issue was observed on Windows, but it might pop up elsewhere too.)
  • IDE: Azure Pipelines (If you're using Azure Pipelines for your CI/CD, this is definitely relevant.)
  • Version of the Library Used: 1.16.0 (This is the version of the Azure SDK for C++ where this issue was prominent.)

Knowing your environment helps in troubleshooting and finding the right solutions. It's like knowing what kind of car you drive when you take it to the mechanic.

Additional Context: The Root of the Problem

So, why is this happening? It turns out that these cgmanifest.json files, while part of the build process, might not be directly relevant to the consumers of the Azure SDK. They're more like internal files used during the build, but they're triggering alerts because Component Governance is scanning everything.

After some discussions with @antkmsft, a potential solution came up: the SDK could update the vcpkg install steps to remove those cgmanifest files that are causing the alerts. This is like decluttering your house – get rid of the unnecessary stuff that's causing problems!

The Solution: Removing Irrelevant cgmanifest Files

The key here is to prevent Component Governance from scanning files that don't actually affect the security of the final product. By removing the irrelevant cgmanifest files, we can significantly reduce the number of false positives and get a clearer picture of actual vulnerabilities.

How to Implement the Fix

  1. Identify the Irrelevant Files: The first step is to pinpoint which cgmanifest files are causing the excessive alerts but don't describe anything that ends up in the product you ship.
  2. Update vcpkg Install Steps: Modify the vcpkg installation process to remove these files after the source is unpacked. This might involve adding some commands to your build scripts or tweaking your vcpkg configuration.
  3. Verify the Results: After implementing the fix, run your Component Governance checks again to ensure the number of alerts has decreased and that you're only seeing relevant security issues. It's like checking if the decluttering actually made a difference.
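As an added example (not from the original issue and not the SDK's own scripts), here is a small Python helper that works the three steps above: it lists the cgmanifest.json files a port's unpacked source left under buildtrees, shows which components each one declares so you can confirm they are the ones behind the alerts, and then removes them. The vcpkg root, the port name and the sample manifests in `demo()` are assumed or constructed; the buildtree layout mirrors the locations quoted earlier.

```python
import json
import tempfile
from pathlib import Path

def describe(component: dict) -> str:
    """Render one cgmanifest registration as 'name version' or 'repoUrl@commit'."""
    kind = component.get("type", "unknown")
    detail = component.get(kind, {})
    if kind == "git":
        return f"{detail.get('repositoryUrl')}@{detail.get('commitHash', '')[:10]}"
    return f"{detail.get('name')} {detail.get('version', '')}".strip()

def find_manifests(vcpkg_root: Path, port: str) -> list[Path]:
    """cgmanifest.json files that a port's unpacked source left under buildtrees/<port>/src."""
    return sorted((vcpkg_root / "buildtrees" / port / "src").rglob("cgmanifest.json"))

def inventory(manifests: list[Path]) -> dict[str, list[str]]:
    """Which components each manifest declares; unreadable files are reported, not fatal."""
    out: dict[str, list[str]] = {}
    for m in manifests:
        try:
            regs = json.loads(m.read_text(encoding="utf-8")).get("Registrations", [])
            out[str(m)] = [describe(r.get("component", {})) for r in regs]
        except (json.JSONDecodeError, OSError) as exc:
            out[str(m)] = [f"<unreadable: {type(exc).__name__}>"]
    return out

def prune(manifests: list[Path], dry_run: bool = True) -> list[Path]:
    """Delete the manifests (dry_run only lists them) so CG stops attributing them to you."""
    for m in manifests:
        if not dry_run:
            m.unlink()
    return list(manifests)

def demo() -> tuple[int, int, int]:
    """Constructed buildtree mirroring the page's layout: (found, OpenSSL hits, left after prune)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "buildtrees/azure-core-cpp/src/ore_1.16.0-a25e847603.clean"
        stale = {"Registrations": [{"component": {"type": "other", "other": {
                 "name": "OpenSSL", "version": "1.1.0a", "downloadUrl": "https://example.invalid/"}}}]}
        for sub in ("_/_/_", "_/storage/azure-storage-queues"):
            (src / sub).mkdir(parents=True)
            (src / sub / "cgmanifest.json").write_text(json.dumps(stale), encoding="utf-8")
        (root / "cgmanifest.json").write_text("{}", encoding="utf-8")  # consumer's own: untouched
        found = find_manifests(root, "azure-core-cpp")
        hits = sum(any(c.startswith("OpenSSL") for c in comps) for comps in inventory(found).values())
        prune(found, dry_run=False)
        return len(found), hits, len(find_manifests(root, "azure-core-cpp"))
```

Run `prune()` with the default `dry_run=True` first and review the `inventory()` output, so you only delete manifests that belong to the dependency's source tree and never the one at your own repository root.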

Information Checklist: Making Sure We've Got It All

To ensure we've covered everything, let's run through a quick checklist:

  • [x] Bug Description Added
  • [x] Repro Steps Added
  • [x] Setup Information Added

Yep, looks like we've got all the essential info covered! This helps ensure that anyone looking into this issue has a clear understanding of the problem and the steps to resolve it.

Wrapping Up: Taming the Alert Storm

Dealing with a flood of security alerts can be overwhelming, but by understanding the root cause and implementing targeted solutions, we can tame the storm. In this case, the key is to prevent Component Governance from flagging irrelevant files, giving us a much clearer view of actual security vulnerabilities. So, if you're facing this issue with the Azure SDK for C++ and vcpkg, give the solution of removing those extra cgmanifest files a try. It might just save your build and your sanity!

Remember, keeping our systems secure is a continuous process. By addressing issues like this, we're making our development workflows smoother and our applications more robust. Keep up the great work, guys, and let's build secure and reliable software together!