
fix: Fix gRPC and HTTP2 high vulnerabilities #11986

Merged
merged 1 commit into from
Oct 12, 2023

Conversation


@terrytangyuan terrytangyuan commented Oct 12, 2023

This fixes the following issues detected by Snyk (breaks main branch):


✗ High severity vulnerability found in google.golang.org/grpc
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328
  Introduced through: google.golang.org/grpc@1.57.0, cloud.google.com/go/storage@1.33.0, github.com/grpc-ecosystem/go-grpc-prometheus@1.2.0, google.golang.org/api/option@0.143.0, github.com/grpc-ecosystem/go-grpc-middleware@1.3.0, github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus@1.3.0
  From: google.golang.org/grpc@1.57.0
  From: cloud.google.com/go/storage@1.33.0 > google.golang.org/grpc@1.57.0
  From: github.com/grpc-ecosystem/go-grpc-prometheus@1.2.0 > google.golang.org/grpc@1.57.0
  and 30 more...
  Fixed in: 1.56.3, 1.57.1, 1.58.3

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327
  Introduced through: k8s.io/client-go/rest@0.24.3, github.com/soheilhy/cmux@0.1.5, cloud.google.com/go/storage@1.33.0, github.com/argoproj/argo-events/pkg/client/eventsource/clientset/versioned@1.7.3, github.com/argoproj/argo-events/pkg/client/sensor/clientset/versioned@1.7.3, github.com/google/go-containerregistry/pkg/authn/k8schain@#31786c6cbb82, k8s.io/client-go/dynamic@0.24.3, k8s.io/client-go/testing@0.24.3, k8s.io/client-go/tools/leaderelection/resourcelock@0.24.3, k8s.io/client-go/discovery@0.24.3, k8s.io/client-go/tools/cache@0.24.3, k8s.io/client-go/tools/record@0.24.3, google.golang.org/grpc@1.57.0, k8s.io/apimachinery/pkg/watch@0.24.3, k8s.io/client-go/transport@0.24.3, k8s.io/client-go/tools/clientcmd@0.24.3, k8s.io/client-go/discovery/fake@0.24.3, k8s.io/client-go/informers/internalinterfaces@0.24.3, k8s.io/client-go/informers/core/v1@0.24.3, k8s.io/client-go/dynamic/dynamicinformer@0.24.3, k8s.io/client-go/listers/core/v1@0.24.3, k8s.io/client-go/tools/watch@0.24.3, k8s.io/client-go/plugin/pkg/client/auth@0.24.3, k8s.io/client-go/tools/leaderelection@0.24.3, k8s.io/client-go/tools/remotecommand@0.24.3, github.com/grpc-ecosystem/go-grpc-prometheus@1.2.0, github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus@1.3.0, google.golang.org/api/option@0.143.0, github.com/grpc-ecosystem/go-grpc-middleware@1.3.0, k8s.io/apimachinery/pkg/apis/meta/v1@0.24.3, github.com/argoproj/pkg/kube/cli@#235a5432ec98, k8s.io/cli-runtime/pkg/genericclioptions@0.24.3, github.com/argoproj/argo-events/pkg/apis/eventsource/v1alpha1@1.7.3, github.com/argoproj/argo-events/pkg/apis/sensor/v1alpha1@1.7.3, k8s.io/api/authorization/v1@0.24.3, k8s.io/client-go/pkg/apis/clientauthentication@0.24.3, k8s.io/apimachinery/pkg/api/meta@0.24.3, k8s.io/apimachinery/pkg/api/errors@0.24.3, k8s.io/api/core/v1@0.24.3, k8s.io/api/policy/v1@0.24.3, k8s.io/apimachinery/pkg/apis/meta/v1/unstructured@0.24.3, k8s.io/client-go/kubernetes/typed/core/v1@0.24.3, k8s.io/kubectl/pkg/cmd@0.24.3, github.com/argoproj/pkg/kube/errors@#235a5432ec98, k8s.io/client-go/util/retry@0.24.3, k8s.io/apimachinery/pkg/util/strategicpatch@0.24.3, k8s.io/client-go/plugin/pkg/client/auth/exec@0.24.3, k8s.io/apimachinery/pkg/runtime/serializer@0.24.3, k8s.io/client-go/kubernetes/scheme@0.24.3, k8s.io/client-go/kubernetes@0.24.3, k8s.io/client-go/informers@0.24.3
  From: k8s.io/client-go/rest@0.24.3 > golang.org/x/net/http2@0.15.0
  From: github.com/soheilhy/cmux@0.1.5 > golang.org/x/net/http2@0.15.0
  From: cloud.google.com/go/storage@1.33.0 > google.golang.org/api/transport/http@0.143.0 > golang.org/x/net/http2@0.15.0
  and 75 more...
  Fixed in: 0.17.0

Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
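As an added example (not code from this PR or the argo-workflows project), a Go checker that applies the report's "Fixed in" lists to module versions as printed by `go list -m all`. It assumes the branch semantics the report implies (1.56.x is patched at 1.56.3, 1.57.x at 1.57.1, 1.58.x at 1.58.3, anything newer is clean) and that the `golang.org/x/net/http2` fix is tracked at the `golang.org/x/net` module level.

```go
package main

import (
	"fmt"
	"strings"
)

// Fixed releases quoted by the Snyk report in the PR, ascending. The vulnerable package
// golang.org/x/net/http2 lives in module golang.org/x/net, the name `go list -m all` prints.
var fixedIn = map[string][]string{
	"google.golang.org/grpc": {"1.56.3", "1.57.1", "1.58.3"},
	"golang.org/x/net":       {"0.17.0"},
}

// key maps "v1.57.0" (or a "v0.0.0-<ts>-<sha>" pseudo-version) to major*1e6+minor*1e3+patch.
func key(v string) (int, bool) {
	var a, b, c int
	core := strings.SplitN(strings.TrimPrefix(v, "v"), "-", 2)[0]
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &a, &b, &c); err != nil || b > 999 || c > 999 {
		return 0, false
	}
	return a*1000000 + b*1000 + c, true
}

// IsVulnerable: fixed once the version reaches the patched release of its own minor branch
// (1.57.x needs 1.57.1) or the newest fix listed; unparseable versions are flagged for review.
func IsVulnerable(module, version string) bool {
	fixes, tracked := fixedIn[module]
	if !tracked {
		return false
	}
	v, ok := key(version)
	if !ok {
		return true
	}
	for _, f := range fixes {
		if fk, _ := key(f); fk/1000 == v/1000 { // same major.minor branch
			return v < fk
		}
	}
	newest, _ := key(fixes[len(fixes)-1])
	return v < newest
}

func main() {
	// Constructed module/version pairs taken from the report's "From:" lines.
	for _, mv := range [][2]string{{"google.golang.org/grpc", "v1.57.0"}, {"golang.org/x/net", "v0.15.0"}} {
		fmt.Println(mv[0], mv[1], "vulnerable:", IsVulnerable(mv[0], mv[1]))
	}
}
```

Feed it the module and version columns of `go list -m all` (or the `go.mod` of a downstream build) to confirm the bump actually landed rather than trusting the PR title.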
@terrytangyuan terrytangyuan merged commit 375a860 into argoproj:master Oct 12, 2023
22 checks passed
@terrytangyuan terrytangyuan deleted the fix-snk branch October 12, 2023 02:58
@agilgur5 agilgur5 added type/dependencies PRs and issues specific to updating dependencies go Pull requests that update Go dependencies type/security Security related labels Oct 12, 2023
terrytangyuan added a commit that referenced this pull request Oct 19, 2023
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
dpadhiar pushed a commit to dpadhiar/argo-workflows that referenced this pull request May 9, 2024
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
Signed-off-by: Dillen Padhiar <dillen_padhiar@intuit.com>
3 participants