
Update vulnerable dependency #1269

Closed
naveensrinivasan opened this issue Jan 26, 2022 · 9 comments · Fixed by #1271
Labels
bug Something isn't working

Comments

@naveensrinivasan

Describe the bug

ossf/scorecard depends on this project. We have a high vulnerability that was reported by dependabot for https://deps.dev/advisory/GHSA/GHSA-mvff-h3cj-wj9c

After doing some research, we realized we don't directly consume that version of the package (github.com/containerd/containerd 1.5.8); it is being used by go-containerregistry (ossf/scorecard#1537).

We would like to know when this package would be upgraded to avoid this CVE.

@imjasonh (Collaborator)

This and more is included in #1260

In the meantime, the vulnerability does not affect any user of ggcr, and can safely be dismissed.

@naveensrinivasan (Author)

Is there a write-up somewhere as to why this isn't an issue for ggcr? Because if we decide to dismiss the vulnerability, we would like to include the docs along with that.

Also, is there an ETA on merging the above-mentioned PR and a release?

Appreciate the quick turn-around.

Thanks

@imjasonh (Collaborator)

The linked CVE relates to running containers, which this library never does, and does not let users do. It includes containerd as a transitive dependency because it depends on docker code, to allow loading images into the daemon storage.

No ETA on merging that PR, but I'll ping some folks.
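A way to check the first half of that argument mechanically, as an added example that is not part of this thread or of ggcr's own code: it parses a constructed go.mod excerpt and reports whether the containerd requirement is marked `// indirect` (only reached through another module) and whether its version is below a fixed version that the caller passes in; the fixed version is an input, not a value taken from the advisory.

```python
import re

# Constructed go.mod excerpt modelled on this issue; not scorecard's real file.
SAMPLE_GO_MOD = """module example.com/scorecard
go 1.17

require (
\tgithub.com/containerd/containerd v1.5.8 // indirect
\tgithub.com/google/go-containerregistry v0.8.0
)
"""

# module path, version, optional "// indirect" marker
REQ_LINE = re.compile(r"^(\S+)\s+(v\S+)(\s*//\s*indirect)?\s*$")

def parse_requires(gomod: str) -> dict:
    """Map module path -> (version, indirect) from go.mod require directives,
    in both the block form and the single-line form."""
    reqs, in_block = {}, False
    for line in gomod.splitlines():
        s = line.strip()
        if s == "require (":
            in_block = True
            continue
        if in_block and s == ")":
            in_block = False
            continue
        if s.startswith("require "):
            s = s[len("require "):]
        elif not in_block or s.startswith("//"):
            continue
        m = REQ_LINE.match(s)
        if m:
            reqs[m.group(1)] = (m.group(2), m.group(3) is not None)
    return reqs

def version_key(v: str) -> tuple:
    """Sort key for vMAJOR.MINOR.PATCH[-prerelease][+build]; a pre-release or
    pseudo-version (anything after '-') ranks below the bare release."""
    core, _, pre = v.lstrip("v").split("+", 1)[0].partition("-")
    major, minor, patch = (int(x) for x in (core.split(".") + ["0", "0"])[:3])
    return (major, minor, patch, pre == "")

def assess(gomod: str, module: str, fixed: str) -> tuple:
    """(present, below_fixed, indirect): is the module required at a version
    below `fixed`, and is it only a transitive dependency, as containerd is here?"""
    version, indirect = parse_requires(gomod).get(module, (None, False))
    if version is None:
        return (False, False, False)
    return (True, version_key(version) < version_key(fixed), indirect)
```

The `// indirect` marker only shows that the module is transitive; whether the vulnerable functions are actually reachable from your code, which is the second half of the argument above, is what `govulncheck` answers from the call graph.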

@naveensrinivasan (Author)

> The linked CVE relates to running containers, which this library never does, and does not let users do. It includes containerd as a transitive dependency because it depends on docker code, to allow loading images into the daemon storage.
>
> No ETA on merging that PR, but I'll ping some folks.

👍

@naveensrinivasan (Author)

Thanks, I tried to update the ggcr.

```
➜  tools git:(naveen/fix/vulns-containerd) ✗ go mod tidy
➜  tools git:(naveen/fix/vulns-containerd) ✗ go get -u github.com/google/go-containerregistry@master
go get: upgraded github.com/go-logr/logr v1.0.0 => v1.2.2
go get: downgraded github.com/google/go-containerregistry v0.8.0 => v0.4.1-0.20210121000801-859dff29bf30
go get: downgraded github.com/google/ko v0.9.4-0.20211123143443-5787600e9220 => v0.8.1
go get: upgraded github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2 => v6.4.1
go get: removed github.com/sigstore/cosign v1.3.2-0.20211120003522-90e2dcfe7b92
go get: removed github.com/sigstore/sigstore v1.0.2-0.20211115214857-534e133ebf9d
go get: upgraded golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e => v0.0.0-20220114195835-da31bd327af9
go get: upgraded golang.org/x/tools v0.1.9-0.20211228192929-ee1ca4ffc4da => v0.1.9
go get: upgraded k8s.io/code-generator v0.21.4 => v0.23.3
go get: upgraded k8s.io/gengo v0.0.0-20210203185629-de9496dff47b => v0.0.0-20211129171323-c02415ce4185
go get: upgraded k8s.io/klog/v2 v2.20.0 => v2.40.1
➜  tools git:(naveen/fix/vulns-containerd) ✗ go mod tidy
go: finding module for package github.com/googleapis/gnostic/OpenAPIv2
github.com/ossf/scorecard/tools imports
	github.com/google/ko imports
	github.com/google/ko/pkg/commands imports
	k8s.io/cli-runtime/pkg/genericclioptions imports
	k8s.io/cli-runtime/pkg/resource imports
	github.com/googleapis/gnostic/OpenAPIv2: module github.com/googleapis/gnostic@latest found (v0.6.6), but does not contain package github.com/googleapis/gnostic/OpenAPIv2
```

Ran into this.

@imjasonh (Collaborator)

imjasonh commented Jan 28, 2022

This is a known issue with how go handles module moves. I get around it by changing go 1.17 in go.mod, updating, etc, and reverting the go 1.17 change (if you want to).

Edit: google/gnostic#262 is the bug I usually refer to.

@naveensrinivasan (Author)

I tried with go 1.16 and it didn't help either.

```
➜  tools git:(naveen/fix/vulns-containerd) ✗ go mod tidy
go: finding module for package github.com/googleapis/gnostic/OpenAPIv2
github.com/ossf/scorecard/tools imports
	github.com/google/ko imports
	github.com/google/ko/pkg/commands imports
	k8s.io/cli-runtime/pkg/genericclioptions imports
	k8s.io/cli-runtime/pkg/resource imports
	github.com/googleapis/gnostic/OpenAPIv2: module github.com/googleapis/gnostic@latest found (v0.6.6), but does not contain package github.com/googleapis/gnostic/OpenAPIv2
➜  tools git:(naveen/fix/vulns-containerd) ✗ go version
go version go1.16.10 linux/amd64
➜  tools git:(naveen/fix/vulns-containerd) ✗
```

@justaugustus

> I tried with go 1.16 and it didn't help either.

Alrighty, I'll give this a try later today.

@naveensrinivasan (Author)

Thanks!
