fix: upgrade packages with vulns #3343
Conversation
Could you explain which vulnerability we want to fix in the PR description?
@@ -384,7 +385,7 @@ require ( | |||
) | |||
|
|||
// See https://github.com/moby/moby/issues/42939#issuecomment-1114255529 | |||
replace github.com/docker/docker => github.com/docker/docker v20.10.3-0.20220224222438-c78f6963a1c0+incompatible | |||
replace github.com/docker/docker => github.com/docker/engine v17.12.0-ce-rc1.0.20211209213653-8955d8da8951+incompatible |
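Review bot: the new target `github.com/docker/engine v17.12.0-ce-rc1.0.20211209213653-8955d8da8951+incompatible` is a pseudo-version of a different module path whose embedded commit timestamp (2021-12-09) is earlier than the one on the line it replaces (2022-02-24, `c78f6963a1c0`), so this hunk moves the resolved docker sources backwards onto a fork rather than forward; the PR description should say which of the listed docker/docker CVEs that commit contains, or the replace should be dropped in favour of bumping `github.com/docker/docker` itself to a release that carries the fixes. The retained `// See https://github.com/moby/moby/issues/42939#issuecomment-1114255529` comment above the directive was written for the previous pin and should state why the engine fork is now used.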
Looks like it downgrades the versions. Is it intended?
It's actually another package, and it was auto-generated from its master branch.
Please take a look at this:
https://stackoverflow.com/questions/56032544/how-to-find-dependency-causing-sirupsen-logrus-vs-sirupsen-logrus-unexpecte
In the future we should consider upgrading to moby/moby.
The commit you referenced is created on Dec 9, 2021. I don't think it addresses recent vulnerabilities. If scanners don't detect those vulnerabilities, it is an issue of scanners. Hiding vulnerabilities from scanners is not essential.
docker-archive/engine@8955d8d
We bumped containerd. Please open PRs separately if you confirmed detected vulnerabilities.
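The check the reviewer did by hand above (compare the commit timestamps embedded in the two pseudo-versions and notice that the `replace` now points at a different module path) can be automated as a small pre-merge gate. The following is an added example, not code from this project or from the PR author: a stdlib-only Go program that parses the `replace` directives of a before and an after go.mod, flags a replacement that newly resolves from a different module path, and flags a pseudo-version whose commit date moved backwards. The two go.mod fragments are constructed to mirror the hunk in this PR; the module name `example.com/app`, the `require` line and the `golang.org/x/net` replace are placeholders. It only compares pseudo-versions; comparing tagged semver versions would need a semver comparison that is left out here.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Constructed fragments mirroring the PR hunk: "before" pins docker/docker to a
// 2022-02-24 commit, "after" swaps it for the docker/engine fork at a 2021-12-09
// commit. Module name, require line and the x/net replace are placeholders.
const beforeGoMod = `module example.com/app

require github.com/docker/docker v20.10.0+incompatible

// See https://github.com/moby/moby/issues/42939#issuecomment-1114255529
replace github.com/docker/docker => github.com/docker/docker v20.10.3-0.20220224222438-c78f6963a1c0+incompatible
`

const afterGoMod = `module example.com/app

require github.com/docker/docker v20.10.0+incompatible

replace (
	// See https://github.com/moby/moby/issues/42939#issuecomment-1114255529
	github.com/docker/docker => github.com/docker/engine v17.12.0-ce-rc1.0.20211209213653-8955d8da8951+incompatible
	golang.org/x/net => golang.org/x/net v0.4.0
)
`

// Replace is one `old => new version` directive; Version is empty for a
// filesystem replacement such as `=> ../fork`.
type Replace struct{ Old, New, Version string }

// Finding is one supply-chain concern raised for a replaced module.
type Finding struct{ Module, Kind, Detail string }

// A Go pseudo-version always embeds ".yyyymmddhhmmss-<12 hex chars>" ahead of
// any "+incompatible" suffix; a plain tag such as v0.4.0 does not match.
var pseudoRe = regexp.MustCompile(`\.(\d{14})-[0-9a-f]{12}`)

// pseudoVersionTime returns the commit timestamp encoded in a pseudo-version.
func pseudoVersionTime(v string) (time.Time, bool) {
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return time.Time{}, false
	}
	t, err := time.Parse("20060102150405", m[1])
	return t, err == nil
}

// parseReplaces accepts both the one-line and the parenthesised block form of
// the replace directive; line comments are stripped before matching.
func parseReplaces(gomod string) []Replace {
	var out []Replace
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "replace (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case !inBlock && !strings.HasPrefix(line, "replace "):
			continue // require/exclude/module lines and blanks
		}
		parts := strings.SplitN(strings.TrimPrefix(line, "replace "), "=>", 2)
		if len(parts) != 2 {
			continue
		}
		l, r := strings.Fields(parts[0]), strings.Fields(parts[1])
		if len(l) == 0 || len(r) == 0 {
			continue
		}
		rep := Replace{Old: l[0], New: r[0]}
		if len(r) > 1 {
			rep.Version = r[1]
		}
		out = append(out, rep)
	}
	return out
}

// auditReplaces diffs the replace directives of two go.mod revisions and flags
// (a) a replacement that newly resolves from a different module path and
// (b) a pseudo-version whose embedded commit date moved backwards.
func auditReplaces(before, after string) []Finding {
	prev := map[string]Replace{}
	for _, r := range parseReplaces(before) {
		prev[r.Old] = r
	}
	var fs []Finding
	for _, r := range parseReplaces(after) {
		p, seen := prev[r.Old]
		if r.New != r.Old && (!seen || p.New != r.New) {
			fs = append(fs, Finding{r.Old, "fork-swap", "now resolved from " + r.New})
		}
		oldT, ok1 := pseudoVersionTime(p.Version) // p is zero when !seen, so ok1 is false
		newT, ok2 := pseudoVersionTime(r.Version)
		if seen && ok1 && ok2 && newT.Before(oldT) {
			fs = append(fs, Finding{r.Old, "downgrade", fmt.Sprintf("commit date %s -> %s",
				oldT.Format("2006-01-02"), newT.Format("2006-01-02"))})
		}
	}
	return fs
}

func main() {
	for _, f := range auditReplaces(beforeGoMod, afterGoMod) {
		fmt.Printf("%-9s %s: %s\n", f.Kind, f.Module, f.Detail)
	}
}
```

Run against the two constructed fragments it reports a `fork-swap` and a `downgrade` for `github.com/docker/docker` and nothing for the tagged `golang.org/x/net` replace. In CI the same function would be fed the base and head go.mod of the pull request, and a non-empty result would fail the job until the description explains the pin.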
Description
Upgrade go deps with vulns
Fixed vulnerabilities in this PR:
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-24765' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-30633' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-24675' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-41771' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-30631' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-28327' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-30632' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-41772' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-28131' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-41103' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-27536' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-39293' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-29162' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-27664' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-30630' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-30635' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-30465' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-32189' },
{ pkg: 'git', cve: 'CVE-2022-31012' },
{ pkg: 'github.com/containerd/containerd', cve: 'CVE-2022-41716' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-32190' },
{ pkg: 'github.com/containerd/containerd', cve: 'CVE-2022-2879' },
{ pkg: 'github.com/containerd/containerd', cve: 'CVE-2022-2880' },
{ pkg: 'github.com/containerd/containerd', cve: 'CVE-2022-41720' },
{ pkg: 'github.com/containerd/containerd', cve: 'CVE-2019-2054' },
{ pkg: 'github.com/containerd/containerd', cve: 'CVE-2022-41715' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-1962' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-32148' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-31030' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-29526' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-32760' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-21334' },
{ pkg: 'golang.org/x/net', cve: 'CVE-2022-41717' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-24769' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-1705' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-41089' },
{ pkg: 'github.com/moby/buildkit', cve: 'CVE-2021-32760' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-34558' },
{ pkg: 'github.com/containerd/containerd', cve: 'CVE-2022-41717' },
{ pkg: 'github.com/containerd/containerd', cve: 'CVE-2022-23471' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-41091' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-36109' },
{ pkg: 'github.com/aws/aws-sdk-go', cve: 'GHSA-f5pg-7wfw-84q9' },
{ pkg: 'github.com/aws/aws-sdk-go', cve: 'GHSA-7f33-f4f5-xwgw' }