[0.11.x] Bump deps and go version for CVE fixes #1411

Merged
merged 3 commits into from
Nov 23, 2023

Conversation

chenbh
Contributor

@chenbh chenbh commented Nov 23, 2023

There are still 2 CVEs left, but bumping them is non-trivial and IMO not worth the hassle.

┌───────────────────────────────┬─────────────────────┬──────────┬────────┬─────────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│            Library            │    Vulnerability    │ Severity │ Status │  Installed Version  │ Fixed Version │                         Title                          │
├───────────────────────────────┼─────────────────────┼──────────┼────────┼─────────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ github.com/docker/docker      │ GHSA-jq35-85cj-fj4p │ MEDIUM   │ fixed  │ 23.0.4+incompatible │ 24.0.7        │ /sys/devices/virtual/powercap accessible by default to │
│                               │                     │          │        │                     │               │ containers                                             │
│                               │                     │          │        │                     │               │ https://github.com/advisories/GHSA-jq35-85cj-fj4p      │
├───────────────────────────────┼─────────────────────┼──────────┤        ├─────────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ github.com/sigstore/cosign/v2 │ CVE-2023-46737      │ LOW      │        │ 2.0.2               │ 2.2.1         │ cosign: potential denial of service by an              │
│                               │                     │          │        │                     │               │ attacker-controlled registry                           │
│                               │                     │          │        │                     │               │ https://avd.aquasec.com/nvd/cve-2023-46737             │
└───────────────────────────────┴─────────────────────┴──────────┴────────┴─────────────────────┴───────────────┴────────────────────────────────────────────────────────┘
  • github.com/docker/docker: Only affects docker daemon, we're using it as a library
  • github.com/sigstore/cosign/v2: Bumping this requires k8s api v0.28, which is something we're not doing in a patch release

@chenbh chenbh requested a review from a team as a code owner November 23, 2023 16:56
I think we were relying on the go toolchain available inside the runner
image, which could be out of date. Instead we should use the setup-go
action which should have the latest version of the toolchain.

Signed-off-by: Bohan Chen <bohanc@vmware.com>
Otherwise it'll use the system toolchain to run report.go, which will
fail when it encounters the new `toolchain` directive in the root go.mod.

Signed-off-by: Bohan Chen <bohanc@vmware.com>
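The fix described in the two commit messages above, as an added example rather than the project's own workflow: a GitHub Actions job that installs Go through actions/setup-go from the version declared in go.mod instead of relying on whatever `go` happens to be on the runner image. The workflow and job names, the action versions and the build/test steps are assumptions for illustration.

```yaml
# Added example, not this project's CI configuration. Names, action versions
# and the build/test steps are assumed for illustration.
name: ci

on: [push, pull_request]

permissions:
  contents: read   # least privilege: the job only needs to read the checkout

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Resolve the Go version from go.mod rather than pinning it a second
      # time in the workflow. check-latest makes setup-go consult the Go
      # download index instead of settling for an older cached toolchain.
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
          check-latest: true

      # Fail fast if the `go` now on PATH is not what go.mod asks for.
      # A pre-1.21 `go` cannot parse a `toolchain` directive at all, so any
      # later step that shells out to `go run` with the runner's system
      # toolchain would break; with Go 1.21+ and the default GOTOOLCHAIN=auto,
      # `go` itself downloads the toolchain named in go.mod when it is newer.
      - run: go version

      - run: go build ./...
      - run: go test ./...
```

In a production workflow, pin `actions/checkout` and `actions/setup-go` to a full commit SHA instead of a floating major tag; a mutable tag is a supply-chain trust point on exactly the job that is supposed to be fixing CVEs.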
@codecov-commenter

codecov-commenter commented Nov 23, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (ed579c9) 67.83% compared to head (8bf16f2) 67.83%.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@               Coverage Diff                @@
##           release/v0.11.x    #1411   +/-   ##
================================================
  Coverage            67.83%   67.83%           
================================================
  Files                  132      132           
  Lines                 8071     8071           
================================================
  Hits                  5475     5475           
  Misses                2166     2166           
  Partials               430      430           


Signed-off-by: Bohan Chen <bohanc@vmware.com>
@chenbh chenbh merged commit fb80b5b into release/v0.11.x Nov 23, 2023
15 checks passed
@chenbh chenbh deleted the 0-11-4-dep-bump branch November 23, 2023 20:17

3 participants