
Upgrade containerd and image-spec for the vulnerabilities #662

Merged
merged 3 commits into from Dec 9, 2021

Conversation

@mopp (Contributor) commented Dec 7, 2021

Background

We have used migrate in our applications and configured Dependabot alerts by GitHub.
It notified us that containerd and image-spec had vulnerabilities, but we don't use them directly.
So I created this PR to upgrade them.

I am not sure how migrate uses them 🙏

go.mod Outdated
github.com/cockroachdb/cockroach-go/v2 v2.1.1
github.com/containerd/containerd v1.5.8 // indirect
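Review bot: the new `github.com/containerd/containerd v1.5.8 // indirect` line hand-pins a module that migrate does not import itself (the PR description says as much), so it raises the selected version without changing the dependency that actually requires containerd; once that dependency is bumped, a later `go mod tidy` can leave this as a stale, unexplained pin. Prefer upgrading the requiring module and letting `go mod tidy` record the resulting version, or state in the commit message why a manual pin is being kept.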

go.mod Outdated
@@ -40,6 +41,7 @@ require (
github.com/mutecomm/go-sqlcipher/v4 v4.4.0
github.com/nakagami/firebirdsql v0.0.0-20190310045651-3c02a58cfed8
github.com/neo4j/neo4j-go-driver v1.8.1-0.20200803113522-b626aa943eba
github.com/opencontainers/image-spec v1.0.2 // indirect
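Review bot: `github.com/opencontainers/image-spec v1.0.2 // indirect` is added without any reference to the advisory being fixed; the PR description only says the two modules "had vulnerabilities". Record the Dependabot advisory identifiers and the versions that fix them in the description or commit message, so a later reader can verify that v1.0.2 here (and containerd v1.5.8 above) are the fixed versions rather than arbitrary bumps.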

@@ -9,8 +9,9 @@ require (
github.com/apache/arrow/go/arrow v0.0.0-20211013220434-5962184e7a30 // indirect
github.com/aws/aws-sdk-go v1.17.7
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.5.4 // indirect
github.com/cenkalti/backoff/v4 v4.0.2
github.com/cenkalti/backoff/v4 v4.1.1
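Review bot: the bump of `github.com/cenkalti/backoff/v4` from v4.0.2 to v4.1.1 changes a direct (non-indirect) dependency that the PR description never mentions; it only covers containerd and image-spec. Either drop this change from the PR or say in the description that `go mod tidy` pulled it in and that migrate's own use of backoff is unaffected, so a reviewer does not have to guess whether it is deliberate.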

@coveralls commented Dec 7, 2021

Pull Request Test Coverage Report for Build 1553106903

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 12 unchanged lines in 1 file lost coverage.
  • Overall coverage increased (+0.06%) to 57.8%

Files with coverage reduction:
  source/migration.go: 12 new missed lines, now 13.64% covered

Totals:
  Change from base Build 1497266502: +0.06%
  Covered Lines: 3731
  Relevant Lines: 6455

💛 - Coveralls

@dhui (Member) commented Dec 8, 2021

My guess is that these dependencies are via dktest but there may be other packages that depend on these packages as well. I'm not too concerned about these from a security perspective since these packages should only be used when tests are running, so you shouldn't be vulnerable via migrate unless you're running the migrate tests. Nonetheless, we'll make sure this is fixed in the next release.
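One way to settle the question raised in this thread (which dependency pulls containerd and image-spec into migrate's module graph) is to walk the output of `go mod graph`, which prints one `requirer requirement` pair per line as `module@version` (the main module appears without a version) and includes test-only requirements. The program below is an added example, not code from the migrate project: it parses that format, finds the shortest requirement chain from the main module to a target module, and lists the direct dependencies through which the target is reachable, which are the modules to bump instead of hand-pinning the transitive one. The embedded graph is constructed for illustration; its edges and versions (dktest requiring docker, docker requiring containerd) are assumptions, not the real migrate graph.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sampleGraph is a constructed `go mod graph` listing, not the real migrate
// dependency graph: the module names are the ones discussed in the PR, but
// the edges and versions are illustrative assumptions.
const sampleGraph = `github.com/golang-migrate/migrate/v4 github.com/dhui/dktest@v0.3.7
github.com/golang-migrate/migrate/v4 github.com/cenkalti/backoff/v4@v4.1.1
github.com/golang-migrate/migrate/v4 github.com/cockroachdb/cockroach-go/v2@v2.1.1
github.com/dhui/dktest@v0.3.7 github.com/docker/docker@v20.10.7+incompatible
github.com/docker/docker@v20.10.7+incompatible github.com/containerd/containerd@v1.4.11
github.com/docker/docker@v20.10.7+incompatible github.com/opencontainers/image-spec@v1.0.1
github.com/containerd/containerd@v1.4.11 github.com/opencontainers/image-spec@v1.0.1
`

// parseGraph turns "requirer requirement" lines into an adjacency list
// keyed by the requiring module@version.
func parseGraph(out string) map[string][]string {
	graph := make(map[string][]string)
	for _, line := range strings.Split(out, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue // blank or malformed line
		}
		graph[fields[0]] = append(graph[fields[0]], fields[1])
	}
	return graph
}

// modulePath strips the @version suffix so that different selected versions
// of the same module compare equal.
func modulePath(node string) string {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// pathTo does a breadth-first search from root and returns the shortest
// requirement chain that reaches the target module path, or nil if the
// target is not in the graph below root.
func pathTo(graph map[string][]string, root, target string) []string {
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		node := queue[0]
		queue = queue[1:]
		if modulePath(node) == target {
			// Walk the parent links back to root to rebuild the chain.
			var chain []string
			for n := node; n != ""; n = parent[n] {
				chain = append([]string{n}, chain...)
			}
			return chain
		}
		for _, next := range graph[node] {
			if _, seen := parent[next]; !seen {
				parent[next] = node
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// directDepsPulling lists the direct requirements of root through which
// target is reachable: these are the modules to upgrade (or drop) to change
// the selected version of target, rather than pinning it as // indirect.
func directDepsPulling(graph map[string][]string, root, target string) []string {
	var via []string
	for _, dep := range graph[root] {
		if pathTo(graph, dep, target) != nil {
			via = append(via, dep)
		}
	}
	sort.Strings(via)
	return via
}

func main() {
	graph := parseGraph(sampleGraph)
	root := "github.com/golang-migrate/migrate/v4"
	for _, target := range []string{"github.com/containerd/containerd", "github.com/opencontainers/image-spec"} {
		fmt.Printf("%s reached via: %s\n", target, strings.Join(pathTo(graph, root, target), " -> "))
		fmt.Printf("  direct dependencies to bump: %v\n", directDepsPulling(graph, root, target))
	}
}
```

Against a real checkout, feed the output of `go mod graph` to parseGraph instead of the constant. `go mod why -m <module>` answers the same question for a single module, but walking the whole graph shows every direct dependency involved when more than one of them pulls the same module in, which is what decides whether a single bump (such as the dktest upgrade suggested in this thread) is enough.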

@dhui (Member) commented Dec 8, 2021

Could you try updating dktest to v0.3.8 and run go mod tidy to see if that fixes the issue?

@mopp (Contributor, Author) commented Dec 8, 2021

Thanks for your comment.
Ah, I misunderstood. These libraries are also indirect dependencies of migrate.
Please check the commit 9975d48.

Yes, I know that migrate uses them in tests only. But unfortunately the Dependabot alerts by GitHub do not take that into account and just send us a vulnerability alert 😩 So the reason I sent this PR is just to suppress the alert in our repository.

Thanks.

github.com/cockroachdb/cockroach-go/v2 v2.1.1
github.com/cznic/mathutil v0.0.0-20180504122225-ca4c9f2c1369 // indirect
github.com/denisenkom/go-mssqldb v0.10.0
github.com/dhui/dktest v0.3.7
github.com/dhui/dktest v0.3.8
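Review bot: with dktest bumped from v0.3.7 to v0.3.8 here, the hand-added `// indirect` pins for containerd and image-spec from the earlier commits need re-checking against `go mod tidy` output: if v0.3.8 already requires the fixed versions the pins are redundant and should be dropped, and if it does not, the description should say so, so it is clear why both the bump and the pins are needed.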

dhui approved these changes Dec 9, 2021
@dhui dhui merged commit 918e13a into golang-migrate:master Dec 9, 2021
8 checks passed
@mopp mopp deleted the upgrade_containerd branch Dec 10, 2021
@xrn commented Dec 17, 2021

@dhui any chance for a new release with these changes?

@Tarang commented Jan 28, 2022

Any chance this can be put into release?

@maknahar (Contributor) commented Feb 10, 2022

Any Idea when this change can be released?

@xrn commented Mar 15, 2022

@dhui ?

@dhui (Member) commented Mar 17, 2022

I just updated dktest to v0.3.10 in migrate (master branch) which should fix known security issues and appease the security vulnerability scanners. If you'd also like to quiet your vulnerability scanners, use the master branch until the next release is cut. Although the master branch is not stable, any issues caused by recent changes (e.g. PR merges) will be promptly addressed.


6 participants