kata-containers/tests/metrics/cmd/checkmetrics
Fabiano Fidêncio 14039c9089 golang: Update to 1.24.9
In order to fix:
```

=== Running govulncheck on containerd-shim-kata-v2 ===
 Vulnerabilities found in containerd-shim-kata-v2:
=== Symbol Results ===

Vulnerability #1: GO-2025-4015
    Excessive CPU consumption in Reader.ReadResponse in net/textproto
  More info: https://pkg.go.dev/vuln/GO-2025-4015
  Standard library
    Found in: net/textproto@go1.24.6
    Fixed in: net/textproto@go1.24.8
    Vulnerable symbols found:
      #1: textproto.Reader.ReadResponse

Vulnerability #2: GO-2025-4014
    Unbounded allocation when parsing GNU sparse map in archive/tar
  More info: https://pkg.go.dev/vuln/GO-2025-4014
  Standard library
    Found in: archive/tar@go1.24.6
    Fixed in: archive/tar@go1.24.8
    Vulnerable symbols found:
      #1: tar.Reader.Next

Vulnerability #3: GO-2025-4013
    Panic when validating certificates with DSA public keys in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4013
  Standard library
    Found in: crypto/x509@go1.24.6
    Fixed in: crypto/x509@go1.24.8
    Vulnerable symbols found:
      #1: x509.Certificate.Verify
      #2: x509.Certificate.Verify

Vulnerability #4: GO-2025-4012
    Lack of limit when parsing cookies can cause memory exhaustion in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-4012
  Standard library
    Found in: net/http@go1.24.6
    Fixed in: net/http@go1.24.8
    Vulnerable symbols found:
      #1: http.Client.Do
      #2: http.Client.Get
      #3: http.Client.Head
      #4: http.Client.Post
      #5: http.Client.PostForm
      Use '-show traces' to see the other 9 found symbols

Vulnerability #5: GO-2025-4011
    Parsing DER payload can cause memory exhaustion in encoding/asn1
  More info: https://pkg.go.dev/vuln/GO-2025-4011
  Standard library
    Found in: encoding/asn1@go1.24.6
    Fixed in: encoding/asn1@go1.24.8
    Vulnerable symbols found:
      #1: asn1.Unmarshal
      #2: asn1.UnmarshalWithParams

Vulnerability #6: GO-2025-4010
    Insufficient validation of bracketed IPv6 hostnames in net/url
  More info: https://pkg.go.dev/vuln/GO-2025-4010
  Standard library
    Found in: net/url@go1.24.6
    Fixed in: net/url@go1.24.8
    Vulnerable symbols found:
      #1: url.JoinPath
      #2: url.Parse
      #3: url.ParseRequestURI
      #4: url.URL.Parse
      #5: url.URL.UnmarshalBinary

Vulnerability #7: GO-2025-4009
    Quadratic complexity when parsing some invalid inputs in encoding/pem
  More info: https://pkg.go.dev/vuln/GO-2025-4009
  Standard library
    Found in: encoding/pem@go1.24.6
    Fixed in: encoding/pem@go1.24.8
    Vulnerable symbols found:
      #1: pem.Decode

Vulnerability #8: GO-2025-4008
    ALPN negotiation error contains attacker controlled information in
    crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2025-4008
  Standard library
    Found in: crypto/tls@go1.24.6
    Fixed in: crypto/tls@go1.24.8
    Vulnerable symbols found:
      #1: tls.Conn.Handshake
      #2: tls.Conn.HandshakeContext
      #3: tls.Conn.Read
      #4: tls.Conn.Write
      #5: tls.Dial
      Use '-show traces' to see the other 4 found symbols

Vulnerability #9: GO-2025-4007
    Quadratic complexity when checking name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4007
  Standard library
    Found in: crypto/x509@go1.24.6
    Fixed in: crypto/x509@go1.24.9
    Vulnerable symbols found:
      #1: x509.CertPool.AppendCertsFromPEM
      #2: x509.Certificate.CheckCRLSignature
      #3: x509.Certificate.CheckSignature
      #4: x509.Certificate.CheckSignatureFrom
      #5: x509.Certificate.CreateCRL
      Use '-show traces' to see the other 27 found symbols

Vulnerability #10: GO-2025-4006
    Excessive CPU consumption in ParseAddress in net/mail
  More info: https://pkg.go.dev/vuln/GO-2025-4006
  Standard library
    Found in: net/mail@go1.24.6
    Fixed in: net/mail@go1.24.8
    Vulnerable symbols found:
      #1: mail.AddressParser.Parse
      #2: mail.AddressParser.ParseList
      #3: mail.Header.AddressList
      #4: mail.ParseAddress
      #5: mail.ParseAddressList
```

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-03 16:57:22 +01:00

checkmetrics

Overview

The checkmetrics tool is used to check the metrics results files in JSON format. Results files are checked against configs stored in a TOML file that contains baseline expectations for the results.

checkmetrics checks for a matching results file for each entry in the TOML file with an appropriate json file extension. Failure to find a matching file is classified as a failure for that individual TOML entry.

checkmetrics continues to process all entries in the TOML file and prints its final results in a summary table to stdout.

checkmetrics exits with a failure code if any of the TOML entries did not complete successfully.

JSON file format

JSON results files only need to be valid JSON, and contain some form of numeric results that can be extracted into a string or list of numeric results using the jq JSON query tool.

baseline TOML layout

The baseline TOML file is composed of one [[metric]] section per result that is processed. Each section contains a number of parameters, some optional:

| name          | type   | description                                    |
|---------------|--------|------------------------------------------------|
| `name`        | string | Filename containing results (minus .json ext.) |
| `type`        | string | json (optional, json is the default)           |
| `description` | string | Description of test (optional)                 |
| `checkvar`    | string | jq query string to extract results from JSON   |
| `checktype`   | string | Property to check ("mean", "max" etc.)         |
| `minval`      | float  | Minimum value the checked property should be   |
| `maxval`      | float  | Maximum value the checked property should be   |
| `midval`      | float  | Middle value used for percentage range check   |
| `minpercent`  | float  | Minimum percentage from midval check boundary  |
| `maxpercent`  | float  | Maximum percentage from midval check boundary  |

Supported file types

At this time only JSON formatted results files are supported.

Supported checktypes

The following checktypes are supported. All are tested to fall within the bounds set by the minval and maxval. That is:

minval <= Result <= maxval

| check | description                                                |
|-------|------------------------------------------------------------|
| mean  | the mean of all the results extracted by the jq query      |
| min   | the minimum (smallest) result                              |
| max   | the maximum (largest) result                               |
| sd    | the standard deviation of the results                      |
| cov   | the coefficient of variation (relative standard deviation) |
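
The following Go sketch shows how one `[[metric]]` entry is evaluated: it computes the selected checktype over the extracted results and applies `minval <= Result <= maxval`. It is an added example, not the checkmetrics source; the `Metric`, `Bounds`, `Stat` and `Check` names are hypothetical, and it assumes that a non-zero `midval` derives the bounds from `minpercent`/`maxpercent`, that `sd` is the population standard deviation, and that `cov` is expressed as a percentage.

```go
package main

import (
	"fmt"
	"math"
)

// Metric holds the [[metric]] fields that drive one check (hypothetical struct).
type Metric struct {
	CheckType                                      string
	MinVal, MaxVal, MidVal, MinPercent, MaxPercent float64
}

// Bounds returns floor and ceiling; a non-zero midval derives them (assumption).
func (m Metric) Bounds() (lo, hi float64) {
	if m.MidVal != 0 {
		return m.MidVal * (1 - m.MinPercent/100), m.MidVal * (1 + m.MaxPercent/100)
	}
	return m.MinVal, m.MaxVal
}

// Stat computes one checktype over the results extracted by the jq query.
func Stat(checkType string, r []float64) (float64, error) {
	lo, hi, sum, sq := math.Inf(1), math.Inf(-1), 0.0, 0.0
	for _, v := range r {
		lo, hi, sum = math.Min(lo, v), math.Max(hi, v), sum+v
	}
	mean := sum / float64(len(r))
	for _, v := range r {
		sq += (v - mean) * (v - mean)
	}
	sd := math.Sqrt(sq / float64(len(r))) // population SD (assumption)
	stats := map[string]float64{"mean": mean, "min": lo, "max": hi, "sd": sd, "cov": 100 * sd / mean}
	if v, ok := stats[checkType]; ok && len(r) > 0 {
		return v, nil
	}
	return 0, fmt.Errorf("no results or unsupported checktype %q", checkType)
}

// Check reports whether minval <= Result <= maxval; any error counts as a failure.
func Check(m Metric, r []float64) bool {
	v, err := Stat(m.CheckType, r)
	lo, hi := m.Bounds()
	return err == nil && lo <= v && v <= hi
}

func main() { // constructed sample: mean 1.36 against bounds 0.48..0.72 prints false
	fmt.Println(Check(Metric{CheckType: "mean", MidVal: 0.6, MinPercent: 20, MaxPercent: 20}, []float64{1.34, 1.38}))
}
```

An empty result set or an unknown checktype is reported as a failed check rather than a pass, matching the tool's rule that a missing results file fails its entry.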

Options

checkmetrics takes a number of options. Some are mandatory.

TOML base file path (mandatory)

--basefile value    path to baseline TOML metrics file

Debug mode

--debug             enable debug output in the log

Log file path

--log value         set the log file path

Metrics results directory path (mandatory)

--metricsdir value  directory containing results files

Percentage presentation mode

--percentage        present results as percentage differences

Help

--help, -h          show help

Version

--version, -v       print the version

Output

The checkmetrics tool outputs a summary table after processing all metrics sections, and returns a non-zero return code if any of the metrics checks fail.

Example output:

```
Report Summary:
+-----+----------------------+-----------+-----------+-----------+-------+-----------+-----------+------+------+-----+
| P/F |         NAME         |    FLR    |   MEAN    |   CEIL    |  GAP  |    MIN    |    MAX    | RNG  | COV  | ITS |
+-----+----------------------+-----------+-----------+-----------+-------+-----------+-----------+------+------+-----+
| F   | boot-times           |      0.50 |      1.36 |      0.70 | 40.0% |      1.34 |      1.38 | 2.7% | 1.3% |   2 |
| F   | memory-footprint     | 100000.00 | 284570.56 | 110000.00 | 10.0% | 284570.56 | 284570.56 | 0.0% | 0.0% |   1 |
| P   | memory-footprint-ksm | 100000.00 | 101770.22 | 110000.00 | 10.0% | 101770.22 | 101770.22 | 0.0% | 0.0% |   1 |
+-----+----------------------+-----------+-----------+-----------+-------+-----------+-----------+------+------+-----+
Fails: 2, Passes 1
```

Example percentage mode output:

```
Report Summary:
+-----+----------------------+-------+--------+--------+-------+--------+--------+------+------+-----+
| P/F |         NAME         |  FLR  |  MEAN  |  CEIL  |  GAP  |  MIN   |  MAX   | RNG  | COV  | ITS |
+-----+----------------------+-------+--------+--------+-------+--------+--------+------+------+-----+
| *F* | boot-times           | 83.3% | 226.8% | 116.7% | 33.3% | 223.8% | 229.8% | 2.7% | 1.3% |   2 |
| *F* | memory-footprint     | 95.2% | 271.0% | 104.8% | 9.5%  | 271.0% | 271.0% | 0.0% | 0.0% |   1 |
| P   | memory-footprint-ksm | 92.7% | 99.3%  | 107.3% | 14.6% | 99.3%  | 99.3%  | 0.0% | 0.0% |   1 |
+-----+----------------------+-------+--------+--------+-------+--------+--------+------+------+-----+
Fails: 2, Passes 1
```

Output Columns

| name | description                                                     |
|------|-----------------------------------------------------------------|
| P/F  | Pass/Fail                                                       |
| NAME | Name of the test/check                                          |
| FLR  | Floor - the minval to check against                             |
| MEAN | The mean of the results                                         |
| CEIL | Ceiling - the maxval to check against                           |
| GAP  | The range (gap) between the minval and maxval, as a % of minval |
| MIN  | The minimum result in the data set                              |
| MAX  | The maximum result in the data set                              |
| RNG  | The % range (spread) between the min and max result, WRT min    |
| COV  | The coefficient of variation of the results                     |
| ITS  | The number of results (iterations)                              |

Example invocation

For example, to invoke the checkmetrics tool, enter the following:

```bash
# Paths are relative to the checkmetrics directory
BASEFILE="$(pwd)/../../metrics/baseline/baseline.toml"
METRICSDIR="$(pwd)/../../metrics/results"

./checkmetrics --basefile "${BASEFILE}" --metricsdir "${METRICSDIR}"
```