Dapr June 2023 fuzzing audit report
  ... Components-Contrib sub projects. 3 issues were found:
  ● 1 index out of range
  ● 2 panics in Go standard library
  Table of Contents: CNCF security and fuzzing audits (2); Executive summary (3); Table of Contents (4); Malicious raw key triggers out of range panic in Go standard library: Fixed (3); Key with empty seed will trigger panic in Go standard library: Fixed; Index out of range in raft log reading; OSS-Fuzz bug tracker: payload to trigger issue
  ADA-DAP-FUZZ-1 Malicious raw key triggers out of range panic in Go standard library. OSS-Fuzz bug tracker: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58954 Mitigation: Fixed
  0 码力 | 19 pages | 690.59 KB | 1 year ago

Dapr September 2023 security audit report
  ... threat actors below; for example, a fully untrusted user can also be a contributor to a 3rd-party library used by Dapr.
  ... actors for Dapr. A threat actor can assume multiple profiles from the table (Actor / Description) ...
  ... malicious PRs to a library in Component-contribs dependency tree or perform a dependency confusion attack, which is a manoeuvre where an attacker takes over a library to harm a user of the library. Another important ...
  ... found 7 security issues during this goal, one of which was a security vulnerability in a 3rd-party library which was assigned CVE-2023-374756. Issue 1, 2, 3, and 4 are umbrella issues of a specific class ...
  0 码力 | 47 pages | 1.05 MB | 1 year ago

The Future of Cloud Native Applications with Open Application Model (OAM) and Dapr
  ... protocols from user service code, e.g. http://localhost:3500/v1.0/state/inventory
  Runs as local "sidecar library" dynamically loaded at runtime for each service: service-to-service invocation, state management ...
  0 码力 | 51 pages | 2.00 MB | 1 year ago

OAM, Dapr and Rudr: The future of cloud native applications
  ... code, e.g. http://localhost:3500/v1.0/invoke/myapp/method/neworder
  Dapr runs as local "side-car library" dynamically loaded at runtime for each service (HTTP/gRPC); application code; distributed tracing ...
  0 码力 | 59 pages | 1.65 MB | 1 year ago