Update crypto library

[giotab]

Description of the issue

The golang crypto package introduced here is throwing many red alerts in our internal monitoring systems as it is quite vulnerable.
Are there any plans to upgrade it? or perhaps can you tell us how to deliver codeql without the tests folder so it doesn't ring all the bells over and over again?

Thank you in advance

[jketema]

Hi @giotab

This is not code we ship as part of our released bundles, as far as I can tell. Are you cloning the CodeQL repository to get access to the queries?

Although in this case we might be able to update the package here. For tests, this might not be possible in general, as we might be testing vulnerable behavior, or testing against APIs that are no longer present in newer versions of a package.

[giotab]

Hi @jketema ,

We are doing the following

ARG CODEQL_CLI_VERSION=2.22.4
RUN set -o xtrace -o nounset && \
    location="${GITHUB_URL}/github/codeql-action/releases/download/codeql-bundle-v${CODEQL_CLI_VERSION}/codeql-bundle-linux64.tar.gz" && \
    archive=/tmp/codeql-bundle-linux64.tar.gz && \
    curl --fail --show-error --location ${location} --output ${archive} && \
    tar xzf ${archive} --directory /opt/ && \
    ln --symbolic /opt/codeql/codeql /usr/local/bin/codeql && \
    find /opt/codeql/ -name "*.qlx" -exec chmod a+r {} \; && \
    rm ${archive}

[jketema]

Which binary and/or other file is being flagged up as vulnerable? Because this is not something we should be shipping.

[AshutoshJha786]

Name: golang.org/x/crypto, Version: 0.26.0, Path: /opt/codeql/tools/linux64/scc
    Failed policy: Custom vulnerabilities policy
    CVE-2024-45337, Severity: CRITICAL
        CVSS score: 9.1, CVSS exploitability score: 3.9
        Fixed version: 0.31.0
    CVE-2025-22869, Severity: HIGH
        CVSS score: 7.5, CVSS exploitability score: 3.9
        Fixed version: 0.35.0
    CVE-2025-47913
        CVSS score: 7.5, CVSS exploitability score: 3.9
        Fixed version: 0.43.0
        Has public exploit
    CVE-2025-47914
        CVSS score: 5.3, CVSS exploitability score: 3.9
        Fixed version: 0.45.0
    CVE-2025-58181
        CVSS score: 5.3, CVSS exploitability score: 3.9
        Fixed version: 0.45.0

Seems this:

codeql/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/go.mod

Line 48 in 7d17454

golang.org/x/crypto v0.26.0 // indirect

[jketema]

Thanks that's helpful. This is coming from a different go.mod file which does not live in the CodeQL repository. I'll have to look to see if we can get that upgraded.

[jketema]

CodeQL 2.24.2 will update the scc binary to a new version that uses the 0.43 crypto package. That does not fix all the issues, but the most critical ones should be address by that change.

[giotab]

This is awesome @jketema ! Any idea when is it expected to be released?

[owen-mc]

At the end of this week, or early next week.