Fixes for CVE-2020-2616 and CVE-2022-24921 on actions-runner-controller image ! #1230

Merged: 2 commits, May 15, 2022

@shettarvinay shettarvinay commented Mar 16, 2022

Update Dockerfile, github/github.go, go.mod and go.sum for fixing CVE-2020-26160 and CVE-2022-24921 on actions-runner-controller image.

PR raised to fix Issue

Steps performed: (for fixing CVE-2022-24921)

  1. Updated Dockerfile to use 1.17.8 of golang

Steps performed: (for fixing CVE-2020-26160)

github.com/dgrijalva/jwt-go repo is no longer maintained and is moved to new path https://github.com/dgrijalva/jwt-go#this-repository-is-no-longer-maintaned.

bradleyfalzon/ghinstallation, which was using dgrijalva/jwt-go, was also updated in its version 2.0.3 to use the migrated repo. https://github.com/bradleyfalzon/ghinstallation/releases/tag/v2.0.3

  1. Updated go.mod with github.com/bradleyfalzon/ghinstallation/v2 v2.0.3
  2. Updated github/github.go to use v2 of /bradleyfalzon/ghinstallation
  3. Ran command go mod tidy
  4. Committed all the changes
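
One way to check a checkout for the two changes listed in the description above, as an added example that is not part of this PR or the project's code. The function names are hypothetical, and the sample Dockerfile and go.mod contents (including the pre-fix versions) are constructed for illustration.

```bash
# Added example: verify the two dependency changes this PR describes.

# Succeeds if go.mod or go.sum in directory $1 still names the unmaintained module.
uses_old_jwt() {
  cat "$1/go.mod" "$1/go.sum" 2>/dev/null |
    grep -qE '(^|[[:space:]])github\.com/dgrijalva/jwt-go([[:space:]/]|$)'
}

# Prints the numeric tag of every "FROM golang:<tag>" line in Dockerfile $1.
golang_tags() {
  sed -nE 's/^[[:space:]]*[Ff][Rr][Oo][Mm][[:space:]]+golang:([0-9]+(\.[0-9]+)*).*/\1/p' "$1"
}

# Succeeds if dotted version $1 >= $2 (GNU sort -V does the comparison).
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Prints one finding per line for repo dir $1 and minimum Go version $2; returns 1 if any.
check_tree() {
  local found=0 tag
  if uses_old_jwt "$1"; then
    echo "go.mod/go.sum still reference github.com/dgrijalva/jwt-go"; found=1
  fi
  for tag in $(golang_tags "$1/Dockerfile"); do
    version_ge "$tag" "$2" && continue
    echo "Dockerfile builds with golang:$tag, older than $2"; found=1
  done
  return "$found"
}

# Constructed sample trees ("before" / "after"), not the project's real files.
make_sample() {
  local d; d=$(mktemp -d)
  if [ "$1" = before ]; then
    printf 'FROM golang:1.17.7 as builder\n' > "$d/Dockerfile"
    printf 'require (\n\tgithub.com/bradleyfalzon/ghinstallation v1.1.1\n\tgithub.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect\n)\n' > "$d/go.mod"
  else
    printf 'FROM golang:1.17.8 as builder\n' > "$d/Dockerfile"
    printf 'require github.com/bradleyfalzon/ghinstallation/v2 v2.0.3\n' > "$d/go.mod"
  fi
  echo "$d"
}

for state in before after; do
  dir=$(make_sample "$state")
  check_tree "$dir" 1.17.8 && echo "$state: clean"
  rm -rf "$dir"
done
```

A floating tag such as `golang:1.17` is reported as older than 1.17.8 because the script compares the literal tag and cannot see which patch release it resolves to.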

@shettarvinay

After building the image with fixes above, found 0 vulnerabilities.


@shettarvinay changed the title from "Update Dockerfile, github/github.go, go.mod and go.sum for fixing CVE-2020-2616 and CVE-2022-24921" to "Fixes for CVE-2020-2616 and CVE-2022-24921 on actions-runner-controller image !" on Mar 16, 2022

@mumoshu mumoshu left a comment

LGTM. Thanks for your contribution!

@mumoshu mumoshu merged commit f08ab14 into actions:master May 15, 2022
@mumoshu mumoshu added this to the v0.24.0 milestone May 15, 2022