
[0.9.x] Bump deps and go version for CVE fixes #1413

Merged: 3 commits, Nov 23, 2023

Conversation

chenbh
Contributor

@chenbh chenbh commented Nov 23, 2023

Unaddressed CVEs:

┌──────────────────────────────────────────────────────────────┬─────────────────────┬──────────┬──────────┬──────────────────────────────────────┬────────────────────────┬────────────────────────────────────────────────────────────┐
│                           Library                            │    Vulnerability    │ Severity │  Status  │          Installed Version           │     Fixed Version      │                           Title                            │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼──────────┼──────────────────────────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
│ github.com/docker/docker                                     │ GHSA-jq35-85cj-fj4p │ MEDIUM   │ fixed    │ 20.10.24+incompatible                │ 24.0.7                 │ /sys/devices/virtual/powercap accessible by default to     │
│                                                              │                     │          │          │                                      │                        │ containers                                                 │
│                                                              │                     │          │          │                                      │                        │ https://github.com/advisories/GHSA-jq35-85cj-fj4p          │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼──────────┼──────────────────────────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
│ github.com/sigstore/cosign                                   │ CVE-2023-46737      │ LOW      │ affected │ 1.13.1                               │                        │ cosign: potential denial of service by an                  │
│                                                              │                     │          │          │                                      │                        │ attacker-controlled registry                               │
│                                                              │                     │          │          │                                      │                        │ https://avd.aquasec.com/nvd/cve-2023-46737                 │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼──────────┼──────────────────────────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
│ github.com/sigstore/rekor                                    │ CVE-2023-30551      │ HIGH     │ fixed    │ 0.12.1-0.20220915152154-4bb6f441c1b2 │ 1.1.1                  │ rekor: compressed archives can result in OOM conditions    │
│                                                              │                     │          │          │                                      │                        │ https://avd.aquasec.com/nvd/cve-2023-30551                 │
│                                                              ├─────────────────────┼──────────┤          │                                      ├────────────────────────┼────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2023-33199      │ MEDIUM   │          │                                      │ 1.2.0                  │ CVE-2023-33199 affecting package skopeo 1.12.0-3           │
│                                                              │                     │          │          │                                      │                        │ https://avd.aquasec.com/nvd/cve-2023-33199                 │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤          ├──────────────────────────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/contrib/instrumentation/google.golang.o- │ CVE-2023-47108      │ HIGH     │          │ 0.28.0                               │ 0.46.0                 │ otelgrpc DoS vulnerability due to unbound cardinality      │
│ rg/grpc/otelgrpc                                             │                     │          │          │                                      │                        │ metrics                                                    │
│                                                              │                     │          │          │                                      │                        │ https://avd.aquasec.com/nvd/cve-2023-47108                 │
├──────────────────────────────────────────────────────────────┼─────────────────────┤          │          ├──────────────────────────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc                                       │ GHSA-m425-mq94-257g │          │          │ 1.50.0                               │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability                   │
│                                                              │                     │          │          │                                      │                        │ https://github.com/advisories/GHSA-m425-mq94-257g          │
│                                                              ├─────────────────────┼──────────┤          │                                      ├────────────────────────┼────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2023-44487      │ MEDIUM   │          │                                      │ 1.58.3, 1.57.1, 1.56.3 │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable │
│                                                              │                     │          │          │                                      │                        │ to a DDoS attack...                                        │
│                                                              │                     │          │          │                                      │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                 │
└──────────────────────────────────────────────────────────────┴─────────────────────┴──────────┴──────────┴──────────────────────────────────────┴────────────────────────┴────────────────────────────────────────────────────────────┘
  • github.com/docker/docker: only affects docker daemon
  • github.com/sigstore/cosign: Fix is only available in major jump from 1.13.1 -> 2.2.1
  • github.com/sigstore/rekor: tied to cosign
  • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: tied to cosign
  • google.golang.org/grpc: tied to opentelemetry

I think we were relying on the go toolchain available inside the runner
image, which could be out of date. Instead we should use the setup-go
action which should have the latest version of the toolchain

Signed-off-by: Bohan Chen <bohanc@vmware.com>
otherwise it'll use the system toolchain to run report.go, which will
fail when it encounters the new `toolchain` directive in the root go.mod

Signed-off-by: Bohan Chen <bohanc@vmware.com>
@chenbh chenbh requested a review from a team as a code owner November 23, 2023 19:57
Signed-off-by: Bohan Chen <bohanc@vmware.com>
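The commit messages above describe replacing the runner image's preinstalled `go` with the setup-go action so that the `toolchain` directive in the root go.mod parses. As an added example (not this repository's own workflow), here is the shape of that change in a GitHub Actions job; the job and step names, the go.mod path and the `go1.21.4` toolchain version are assumptions for illustration.

```yaml
# Added example, not the PR's own workflow. Shows a job that installs the
# Go version declared in go.mod via actions/setup-go instead of relying on
# whatever `go` happens to be preinstalled on the runner image.
# Assumptions: job/step names, the go.mod path and the toolchain version
# quoted in the comments are illustrative.
name: report

on:
  pull_request:

jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Weak form (the failure the commit message describes): with no
      # setup step, `go run` below uses the runner's system toolchain.
      # A toolchain older than Go 1.21 does not understand the
      # `toolchain` directive and fails to parse a root go.mod such as
      #     go 1.21
      #     toolchain go1.21.4   # assumed version, for illustration
      #
      # Corrected form: let setup-go resolve and install the version
      # named in go.mod. A Go 1.21+ toolchain then honours the
      # `toolchain` directive itself, so report.go runs as intended.
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
          check-latest: true

      # Surface the toolchain actually in use in the job log so an
      # out-of-date runner image is visible rather than silent.
      - run: go version

      # Path assumed; the commit message only names report.go.
      - run: go run ./report.go
```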
@codecov-commenter

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (c1e4d38) 67.47% compared to head (8286c0b) 67.47%.


Additional details and impacted files
@@               Coverage Diff               @@
##           release/v0.9.x    #1413   +/-   ##
===============================================
  Coverage           67.47%   67.47%           
===============================================
  Files                 124      124           
  Lines                7447     7447           
===============================================
  Hits                 5025     5025           
  Misses               2016     2016           
  Partials              406      406           


@chenbh chenbh merged commit 714208f into release/v0.9.x Nov 23, 2023
3 checks passed
@chenbh chenbh deleted the 0-9-6-dep-bump branch November 23, 2023 20:14