[TT-9904] address cves(release-5-lts) (#5571)

## Description

This PR addresses CVEs in the Tyk gateway Docker image.
Not upgrading python3.9 since it'll be updated in the next Debian patch.

Updated dependencies
- github.com/bshuster-repo/logrus-logstash-hook v0.4.1 => v1.1.0
- github.com/miekg/dns v1.0.14 => v1.1.3
- github.com/pires/go-proxyproto v0.0.0-20190615163442-2c19fd512994 => v0.6.2

## Related Issue
https://tyktech.atlassian.net/browse/TT-9904

## Motivation and Context


## How This Has Been Tested


## Screenshots (if appropriate)

[Screenshot 2023-10-02 at 10 44 34 AM]

## Types of changes


- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] Refactoring or add test (improvements in base code or adds test coverage to functionality)

## Checklist


- [ ] I ensured that the documentation is up to date
- [ ] I explained why this PR updates go.mod in detail with reasoning why it's required
- [ ] I would like a code coverage CI quality gate exception and have explained why
jeffy-mathew committed Oct 3, 2023
1 parent 36ee2c8 commit 900c417
Showing 9 changed files with 22 additions and 23 deletions.
1 change: 0 additions & 1 deletion .github/workflows/release.yml
Expand Up @@ -209,7 +209,6 @@ jobs:
needs: ci
uses: TykTechnologies/github-actions/.github/workflows/sbom.yaml@main
secrets:
TF_API_TOKEN: ${{ secrets.TF_API_TOKEN }}
DEPDASH_URL: ${{ secrets.DEPDASH_URL }}
DEPDASH_KEY: ${{ secrets.DEPDASH_KEY }}
ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }}
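Review bot: dropping `TF_API_TOKEN` from the secrets handed to the `sbom.yaml` reusable workflow is not mentioned anywhere in the PR description, which only talks about image CVEs and Go dependency bumps; add a sentence saying why the token is no longer needed and confirm the called workflow no longer declares it, since a reusable workflow call fails validation when the caller and callee disagree on which secrets are passed (that mismatch is usually why such a line gets removed). While this block is open, consider pinning `TykTechnologies/github-actions/.github/workflows/sbom.yaml@main` to a tag or commit SHA instead of a mutable branch, given that the call forwards `ORG_GH_TOKEN` and the DEPDASH credentials to whatever that branch currently contains.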
3 changes: 1 addition & 2 deletions ci/Dockerfile.std
Expand Up @@ -12,8 +12,7 @@ RUN apt-get update \
# Install curl and python3
RUN apt-get install -y curl python3-setuptools libpython3.9 python3.9-dev \
&& curl https://bootstrap.pypa.io/get-pip.py | python3 \
&& pip3 install --only-binary ":all:" grpcio protobuf==3.20.1

&& pip3 install --only-binary ":all:" grpcio protobuf==3.20.2 && pip3 install --upgrade setuptools

# Remove some things to decrease CVE surface
RUN apt-get remove -y --allow-remove-essential --auto-remove curl libtiff5 ncurses-base \
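Review bot: the new `pip3 install --upgrade setuptools` is unpinned, so the setuptools version baked into the image depends on the day the image is built and the CVE scan result this PR is meant to fix is not reproducible; pin it to an explicit version the way `protobuf==3.20.2` is pinned, and keep `--only-binary ":all:"` on it too, since the first install in the chain already enforces wheels-only and a floating setuptools could otherwise pull a source distribution. In the same chain, `grpcio` remains unpinned, so that version floats as well. The pre-existing `curl https://bootstrap.pypa.io/get-pip.py | python3` on the line above runs an unverified download as root during the build; if the point of the PR is the image's CVE posture, checking the downloaded script against a known hash before piping it to the interpreter is a cheap addition.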
3 changes: 2 additions & 1 deletion ci/image/Dockerfile
Expand Up @@ -14,9 +14,10 @@ RUN apt-get install -y --no-install-recommends \
libpython3.7 \
python3.7-dev \
python3-pip \
&& pip3 install protobuf==3.20.1 grpcio==1.24.0 \
&& pip3 install protobuf==3.20.1 grpcio==1.24.0 && pip3 install --upgrade setuptools \
&& apt-get purge -y build-essential \
&& rm -rf /root/.cache

RUN apt-get autoremove -y

ADD tyk.tar.gz /opt/tyk
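Review bot: this image keeps `protobuf==3.20.1` while `ci/Dockerfile.std`, `ci/images/hybrid/Dockerfile` and `coprocess/python/README.md` move to `protobuf==3.20.2` in the same commit; if the 3.20.2 bump is one of the CVE fixes, this python3.7-based image is left behind, and if it is not, the other files were bumped for no stated reason. Either bump here as well or add a comment explaining the difference (for instance, if no compatible wheel exists for this interpreter, which would be an assumption worth stating). The unpinned `pip3 install --upgrade setuptools` has the same reproducibility problem as in the other Dockerfiles: pin it.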
2 changes: 1 addition & 1 deletion ci/images/hybrid/Dockerfile
Expand Up @@ -7,7 +7,7 @@ RUN apt-get update \
&& apt-get dist-upgrade -y --no-install-recommends redis-server nginx \
python3-setuptools libpython3-dev curl ca-certificates \
&& curl https://bootstrap.pypa.io/get-pip.py | python3 \
&& pip3 install --only-binary ":all:" grpcio protobuf==3.20.1 \
&& pip3 install --only-binary ":all:" grpcio protobuf==3.20.2 && pip3 install --upgrade setuptools \
&& apt-get autoremove -y \
&& rm -rf /usr/include/* && rm /usr/lib/*-linux-gnu/*.a && rm /usr/lib/*-linux-gnu/*.o \
&& rm -rf /root/.cache \
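Review bot: the appended `pip3 install --upgrade setuptools` is unpinned and, unlike the `grpcio protobuf==3.20.2` install it is chained to, does not carry `--only-binary ":all:"`, so a source build of setuptools could still be triggered and the installed version changes from build to build; pin it and fold it into the preceding `pip3 install` so the whole pinned set is visible in one invocation. `grpcio` is also unpinned in that line. Since this file, `ci/Dockerfile.std` and `ci/image/Dockerfile` now each carry a slightly different pip line, a short note in the PR on which image is the reference would help the next CVE pass.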
2 changes: 1 addition & 1 deletion coprocess/python/README.md
Expand Up @@ -119,7 +119,7 @@ curl http://127.0.0.1:8080/coprocess-auth-tyk-api-test/ -H 'Authorization: inval
* [Python 3.x](https://www.python.org/)
* [Go](https://golang.org)
* [Cython](http://cython.org/) (required if you need to modify and re-compile the gateway API binding)
* [protobuf](https://pypi.python.org/pypi/protobuf/3.20.1) (Python module): `pip3 install protobuf==3.20.1`
* [protobuf](https://pypi.python.org/pypi/protobuf/3.20.2) (Python module): `pip3 install protobuf==3.20.2`
* [grpc](https://www.grpc.io/) (gRPC module): `pip3 install grpcio`

## Build steps
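Review bot: the documented `pip3 install protobuf==3.20.2` now matches `ci/Dockerfile.std` and the hybrid image but not `ci/image/Dockerfile`, which still installs `protobuf==3.20.1` in this commit; either align the images or say in the README which image the pin corresponds to, so a developer following these build steps does not test the Python coprocess against a different protobuf than the one shipped. Minor: `https://pypi.python.org/pypi/protobuf/3.20.2` should point at `pypi.org`, the current host, rather than the legacy hostname.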
2 changes: 1 addition & 1 deletion gateway/host_checker.go
Expand Up @@ -248,7 +248,7 @@ func (h *HostUptimeChecker) CheckHost(toCheck HostData) {
}
if toCheck.EnableProxyProtocol {
log.Debug("using proxy protocol")
ls = proxyproto.NewConn(ls, 0)
ls = proxyproto.NewConn(ls)
}
defer ls.Close()
for _, cmd := range toCheck.Commands {
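Review bot: the removed second argument in `proxyproto.NewConn(ls, 0)` was a header read timeout, with 0 meaning no deadline; in v0.6.2 the constructor takes functional options instead, so `proxyproto.NewConn(ls)` now silently relies on the library default. Decide this explicitly: if the old no-timeout behaviour is intended, say so in a comment, otherwise pass a bounded timeout through the read-header timeout option (`proxyproto.SetReadHeaderTimeout` in v0.6.x), so one upstream that never completes the PROXY exchange cannot stall the uptime checker, which has only `defer ls.Close()` to fall back on. Also worth a comment for the reader: `NewConn` wraps a connection on which the peer is expected to send the PROXY header, while this code is the dialing side that then writes `toCheck.Commands`; confirm that direction is what the uptime check wants.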
15 changes: 7 additions & 8 deletions gateway/server.go
Expand Up @@ -21,6 +21,8 @@ import (
"strings"
"sync"

logstashHook "github.com/bshuster-repo/logrus-logstash-hook"

"github.com/TykTechnologies/tyk/internal/crypto"
"github.com/TykTechnologies/tyk/internal/httputil"
"github.com/TykTechnologies/tyk/test"
Expand All @@ -29,7 +31,6 @@ import (
textTemplate "text/template"
"time"

logstashHook "github.com/bshuster-repo/logrus-logstash-hook"
"github.com/evalphobia/logrus_sentry"
graylogHook "github.com/gemnasium/logrus-graylog-hook"
"github.com/gorilla/mux"
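Review bot: the `logstashHook` import is moved out of the third-party group, where it sat beside the other logrus hooks (`logrus_sentry`, `graylogHook`), into the group that otherwise holds only `github.com/TykTechnologies/tyk/...` internal packages; that breaks the file's import grouping and is unrelated to the CVE fix, so it reads as an accidental editor reorder. Leave the import where it was, or move it back in a follow-up so this diff stays limited to the dependency bump.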
Expand Down Expand Up @@ -1147,25 +1148,23 @@ func (gw *Gateway) setupLogger() {
if gwConfig.UseLogstash {
mainLog.Debug("Enabling Logstash support")

var hook *logstashHook.Hook
var hook logrus.Hook
var err error
var conn net.Conn
if gwConfig.LogstashTransport == "udp" {
mainLog.Debug("Connecting to Logstash with udp")
hook, err = logstashHook.NewHook(gwConfig.LogstashTransport,
gwConfig.LogstashNetworkAddr,
appName)
conn, err = net.Dial(gwConfig.LogstashTransport, gwConfig.LogstashNetworkAddr)
} else {
mainLog.Debugf("Connecting to Logstash with %s", gwConfig.LogstashTransport)
conn, err = gas.Dial(gwConfig.LogstashTransport, gwConfig.LogstashNetworkAddr)
if err == nil {
hook, err = logstashHook.NewHookWithConn(conn, appName)
}
}

if err != nil {
log.Errorf("Error making connection for logstash: %v", err)
} else {
hook = logstashHook.New(conn, logstashHook.DefaultFormatter(logrus.Fields{
"type": appName,
}))
log.Hooks.Add(hook)
rawLog.Hooks.Add(hook)
mainLog.Debug("Logstash hook active")
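Review bot: the `"type": appName` entry in `logstashHook.DefaultFormatter(logrus.Fields{...})` is what carries over the `appName` argument of the removed `NewHook`/`NewHookWithConn` calls, and that is not obvious to a later reader; add a one-line comment saying so. Two further points on this hunk: the UDP and non-UDP branches now differ only in the dialer (`net.Dial` vs `gas.Dial`), so the hook construction and the two `Debug` lines could be shared instead of the `if`/`else` keeping two near-identical paths; and `New(conn, formatter)` in v1.1.0 writes straight to the supplied connection, so a Logstash TCP connection that drops after startup leaves a hook that fails on every entry. Confirm that matches what the v0.4.1 hook did, or note the behaviour in the PR so operators know a gateway restart is needed after a Logstash outage.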
6 changes: 3 additions & 3 deletions go.mod
Expand Up @@ -21,7 +21,7 @@ require (
github.com/TykTechnologies/storage v1.0.5
github.com/TykTechnologies/tyk-pump v1.8.0-rc4
github.com/akutz/memconn v0.1.0
github.com/bshuster-repo/logrus-logstash-hook v0.4.1
github.com/bshuster-repo/logrus-logstash-hook v1.1.0
github.com/buger/jsonparser v1.1.1
github.com/cenk/backoff v2.2.1+incompatible
github.com/cenkalti/backoff/v4 v4.0.2
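Review bot: the checklist item "I explained why this PR updates go.mod in detail" is left unchecked while go.mod changes three modules, and the description lists the bumps without the CVE or GHSA identifiers each one closes; add them so release notes and the next scan can be reconciled, and state whether each chosen version is the first fixed release or just the one that quieted the scanner. The `logrus-logstash-hook` move from v0.4.1 to v1.1.0 is a major-version API change (hence the rewrite in `gateway/server.go`); on a `release-5-lts` branch that deserves an explicit note that `gateway/server.go` is the only call site.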
Expand Down Expand Up @@ -54,7 +54,7 @@ require (
github.com/lonelycode/osin v0.0.0-20160423095202-da239c9dacb6
github.com/mavricknz/asn1-ber v0.0.0-20151103223136-b9df1c2f4213 // indirect
github.com/mavricknz/ldap v0.0.0-20160227184754-f5a958005e43
github.com/miekg/dns v1.0.14
github.com/miekg/dns v1.1.3
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/mapstructure v1.4.1
github.com/newrelic/go-agent v2.13.0+incompatible
Expand All @@ -64,7 +64,7 @@ require (
github.com/oschwald/maxminddb-golang v1.5.0
github.com/paulbellamy/ratecounter v0.2.0
github.com/peterbourgon/g2s v0.0.0-20170223122336-d4e7ad98afea // indirect
github.com/pires/go-proxyproto v0.0.0-20190615163442-2c19fd512994
github.com/pires/go-proxyproto v0.6.2
github.com/pmylund/go-cache v2.1.0+incompatible
github.com/robertkrimen/otto v0.0.0-20180617131154-15f95af6e78d
github.com/rs/cors v1.7.0
11 changes: 6 additions & 5 deletions go.sum
Expand Up @@ -141,8 +141,8 @@ github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kB
github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
github.com/bmizerany/pat v0.0.0-20170815010413-6226ea591a40/go.mod h1:8rLXio+WjiTceGBHIoTvn60HIbs7Hm7bcHjyrSqYB9c=
github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps=
github.com/bshuster-repo/logrus-logstash-hook v0.4.1 h1:pgAtgj+A31JBVtEHu2uHuEx0n+2ukqUJnS2vVe5pQNA=
github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk=
github.com/bshuster-repo/logrus-logstash-hook v1.1.0 h1:o2FzZifLg+z/DN1OFmzTWzZZx/roaqt8IPZCIVco8r4=
github.com/bshuster-repo/logrus-logstash-hook v1.1.0/go.mod h1:Q2aXOe7rNuPgbBtPCOzYyWDvKX7+FpxE5sRdvcPoui0=
github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs=
github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
github.com/c-bata/go-prompt v0.2.2/go.mod h1:VzqtzE2ksDBcdln8G7mk2RX9QyGjH+OVqOCSiVIqS34=
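Review bot: nothing in the PR records how the new `h1:` lines were produced; since these bumps are a CVE fix landing on an LTS branch, state that `go mod tidy` ran with the default `GOSUMDB` (so the hashes were checked against sum.golang.org) rather than under a `GONOSUMDB` or `GOFLAGS=-mod=mod` override, and that `go mod verify` passes on the resulting module cache. That one sentence in "How This Has Been Tested" (currently empty) closes the supply-chain gap that a dependency bump otherwise leaves open.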
Expand Down Expand Up @@ -623,8 +623,9 @@ github.com/mavricknz/asn1-ber v0.0.0-20151103223136-b9df1c2f4213 h1:3DongGRjJZvI
github.com/mavricknz/asn1-ber v0.0.0-20151103223136-b9df1c2f4213/go.mod h1:v/ZufymxjcI3pnNmQIUQQKxnHLTblrjZ4MNLs5DrZ1o=
github.com/mavricknz/ldap v0.0.0-20160227184754-f5a958005e43 h1:x4SDcUPDTMzuFEdWe5lTznj1echpsd0ApTkZOdwtm7g=
github.com/mavricknz/ldap v0.0.0-20160227184754-f5a958005e43/go.mod h1:z76yvVwVulPd8FyifHe8UEHeud6XXaSan0ibi2sDy6w=
github.com/miekg/dns v1.0.14 h1:9jZdLNd/P4+SfEJ0TNyxYpsK8N4GtfylBLqtbYN1sbA=
github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
github.com/miekg/dns v1.1.3 h1:1g0r1IvskvgL8rR+AcHzUA+oFmGcQlaIm4IqakufeMM=
github.com/miekg/dns v1.1.3/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
github.com/minio/highwayhash v1.0.1/go.mod h1:BQskDq+xkJ12lmlUUi7U0M5Swg3EWR+dLTk+kldvVxY=
github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
Expand Down Expand Up @@ -732,8 +733,8 @@ github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0
github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
github.com/pierrec/lz4 v2.6.0+incompatible h1:Ix9yFKn1nSPBLFl/yZknTp8TU5G4Ps0JDmguYK6iH1A=
github.com/pierrec/lz4 v2.6.0+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
github.com/pires/go-proxyproto v0.0.0-20190615163442-2c19fd512994 h1:3ssKn22MN6oLH+l2iimsBdCliSgELXTBWWR+yooB2lQ=
github.com/pires/go-proxyproto v0.0.0-20190615163442-2c19fd512994/go.mod h1:6/gX3+E/IYGa0wMORlSMla999awQFdbaeQCHjSMKIzY=
github.com/pires/go-proxyproto v0.6.2 h1:KAZ7UteSOt6urjme6ZldyFm4wDe/z0ZUP0Yv0Dos0d8=
github.com/pires/go-proxyproto v0.6.2/go.mod h1:Odh9VFOZJCf9G8cLW5o435Xf1J95Jw9Gw5rnCjcwzAY=
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
