
chore(deps): bump outdated go toolchain for 2.8.x release #3775

Merged
merged 1 commit into from
Mar 21, 2023

Conversation

pmalek
Member

@pmalek pmalek commented Mar 20, 2023

What this PR does / why we need it:

Bumps outdated packages to address security scan:

Before:

$ docker scout cves kong/kubernetes-ingress-controller:2.8.1
Analyzing image kong/kubernetes-ingress-controller:2.8.1
    ✓ Image stored for indexing
    ✓ Indexed 97 packages
    ✗ Detected 2 vulnerable packages with a total of 6 vulnerabilities

  0C    4H    1M    0L  stdlib 1.19.4
pkg:golang/stdlib@1.19.4

    ✗ HIGH CVE-2022-41725 [Uncontrolled Resource Consumption]
      https://dso.docker.com/cve/CVE-2022-41725
      Affected range : <1.19.6
      Fixed version  : 1.19.6
      CVSS Score     : 7.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    ✗ HIGH CVE-2022-41723 [Uncontrolled Resource Consumption]
      https://dso.docker.com/cve/CVE-2022-41723
      Affected range : <1.19.6
      Fixed version  : 1.19.6
      CVSS Score     : 7.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    ✗ HIGH CVE-2022-41724 [Uncontrolled Resource Consumption]
      https://dso.docker.com/cve/CVE-2022-41724
      Affected range : <1.19.6
      Fixed version  : 1.19.6
      CVSS Score     : 7.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    ✗ HIGH CVE-2022-41722 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
      https://dso.docker.com/cve/CVE-2022-41722
      Affected range : <1.19.6
      Fixed version  : 1.19.6
      CVSS Score     : 7.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

    ✗ MEDIUM CVE-2023-24532 [Incorrect Calculation]
      https://dso.docker.com/cve/CVE-2023-24532
      Affected range : <1.19.7
      Fixed version  : 1.19.7
      CVSS Score     : 5.3
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N


  0C    1H    0M    0L  net 0.4.0
pkg:golang/golang.org/x/net@0.4.0

    ✗ HIGH CVE-2022-41723 [Uncontrolled Resource Consumption]
      https://dso.docker.com/cve/CVE-2022-41723
      Affected range : <0.7.0
      Fixed version  : 0.7.0
      CVSS Score     : 7.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

     GMS-2023-418
      https://dso.docker.com/cve/GMS-2023-418
      Affected range : <0.7.0
      Fixed version  : 0.7.0



The image contains 2 packages with one or more vulnerability for a total of 6 vulnerabilities
  LOW      | 0
  MEDIUM   | 1
  HIGH     | 5
  CRITICAL | 0

After:

Analyzing image kong/kubernetes-ingress-controller:v2.8.1
    ✓ SBOM of image already cached, 97 packages indexed
    ✓ No vulnerable package detected

Which issue this PR fixes:

Related #3756
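The scan output above lists a "Fixed version" per finding, and the version a bump must reach is the highest of them per package (for stdlib that is 1.19.7 because of the MEDIUM finding, not the 1.19.6 the four HIGH entries cite; the GMS advisory carries no severity marker but still sets a floor). The following added example, not code from the PR or the project, parses an abridged, constructed copy of that `docker scout cves` output and computes the minimum bump per package together with per-severity counts:

```python
import re
from typing import Dict, Tuple

# Constructed sample: an abridged copy of the `docker scout cves` output quoted
# in the PR description (the "Affected range"/CVSS lines are omitted).
SCOUT_OUTPUT = """\
pkg:golang/stdlib@1.19.4
    ✗ HIGH CVE-2022-41725 [Uncontrolled Resource Consumption]
      Fixed version  : 1.19.6
    ✗ HIGH CVE-2022-41723 [Uncontrolled Resource Consumption]
      Fixed version  : 1.19.6
    ✗ HIGH CVE-2022-41724 [Uncontrolled Resource Consumption]
      Fixed version  : 1.19.6
    ✗ HIGH CVE-2022-41722 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
      Fixed version  : 1.19.6
    ✗ MEDIUM CVE-2023-24532 [Incorrect Calculation]
      Fixed version  : 1.19.7
pkg:golang/golang.org/x/net@0.4.0
    ✗ HIGH CVE-2022-41723 [Uncontrolled Resource Consumption]
      Fixed version  : 0.7.0
     GMS-2023-418
      Fixed version  : 0.7.0
"""

PKG_RE = re.compile(r"^pkg:golang/(?P<name>\S+)@(?P<ver>\S+)$")
FINDING_RE = re.compile(r"^\s*✗\s+(?P<sev>CRITICAL|HIGH|MEDIUM|LOW)\s+\S+")
FIXED_RE = re.compile(r"^\s*Fixed version\s*:\s*(?P<ver>\S+)")

def parse_version(v: str) -> Tuple[int, ...]:
    """'1.19.7' -> (1, 19, 7), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def required_bumps(text: str) -> Dict[str, dict]:
    """Per package: current version, per-severity finding counts, and the lowest
    version that clears every finding (the highest 'Fixed version' seen, which
    also covers advisories such as GMS-* that carry no severity marker)."""
    result: Dict[str, dict] = {}
    pkg = None
    for line in text.splitlines():
        if m := PKG_RE.match(line):
            pkg = m["name"]
            result[pkg] = {"current": m["ver"], "fixed": "0", "counts": {}}
        elif pkg and (m := FINDING_RE.match(line)):
            counts = result[pkg]["counts"]
            counts[m["sev"]] = counts.get(m["sev"], 0) + 1
        elif pkg and (m := FIXED_RE.match(line)):
            if parse_version(m["ver"]) > parse_version(result[pkg]["fixed"]):
                result[pkg]["fixed"] = m["ver"]
    return result
```

Feeding the real scanner output to `required_bumps` gives a quick check that the toolchain and module versions chosen for a bump actually clear every listed finding before the image is rebuilt and rescanned.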

@pmalek pmalek added the dependencies Pull requests that update a dependency file label Mar 20, 2023
@pmalek pmalek requested a review from a team as a code owner March 20, 2023 19:02
@pmalek pmalek self-assigned this Mar 20, 2023
@pmalek pmalek changed the title chore(deps): bump vulnerable packages chore(deps): bump outdated go toolchain for 2.8.x release Mar 20, 2023
@pmalek pmalek merged commit 8c671f2 into release/2.8.x Mar 21, 2023
@pmalek pmalek deleted the bump-deps-for-2.8.x branch March 21, 2023 08:43