
GHSA-mvff-h3cj-wj9c - Vulnerability reported for github.com/containerd/containerd #1537

naveensrinivasan opened this issue Jan 26, 2022 · 5 comments · Fixed by #1671

@naveensrinivasan (Member)

Dependabot has reported a High Severity vulnerability in github.com/containerd/containerd:

github.com/containerd/containerd v1.5.8 h1:NmkCC1/QxyZFBny8JogwLpOy2f+VEbO/f6bV2Mqtwuw=

We don't use this directly. It is part of the tools module: https://github.com/ossf/scorecard/tree/main/tools

➜  tools  ✗ go mod why github.com/containerd/containerd
# github.com/containerd/containerd
(main module does not need package github.com/containerd/containerd)

I have tried this replace in the tools go.mod, which fails on `make install`:

replace github.com/containerd/containerd => github.com/containerd/containerd v1.5.9

This is because our dependencies have this issue https://deps.dev/go/github.com%2Fgoogle%2Fgo-containerregistry

@naveensrinivasan naveensrinivasan added the kind/bug Something isn't working label Jan 26, 2022
@naveensrinivasan (Member Author)


google/go-containerregistry#1269

They don't have specific timelines as to when they would address this issue.

google/go-containerregistry#1269 (comment)

cc @inferno-chromium

naveensrinivasan added a commit that referenced this issue Jan 28, 2022
Fixes the containerd vulns.

#1537
naveensrinivasan added a commit that referenced this issue Jan 28, 2022
Fixes the containerd vulns.

#1537
Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
@justaugustus justaugustus added this to To do in Scorecard via automation Feb 23, 2022
@justaugustus justaugustus moved this from To do to In progress in Scorecard Feb 23, 2022
justaugustus added a commit that referenced this issue Feb 23, 2022
Fixes the containerd vulns.

#1537
Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Stephen Augustus <foo@auggie.dev>
@justaugustus (Member)


Closed via #1560.

Scorecard automation moved this from In progress to Done Feb 23, 2022
@naveensrinivasan (Member Author)


Still not closed, because the go.sum refers to a version that has the vulnerability.
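A check for the situation in the opening report and in the "still not closed" comment above, added here as an example and not code from the scorecard project or from containerd: it parses a go.sum and lists every entry for a module whose version is below the fixed release, separating versions that carry a content hash (the module's source was downloaded) from versions that only carry a go.mod hash (consulted during version selection). The go.sum excerpt is constructed for this example with placeholder hashes, and the type and function names (`Finding`, `VulnerableEntries`, `parseVersion`) are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoSum is a constructed go.sum excerpt for this example, not the
// scorecard tools module's real file. The h1: hashes are placeholders; only
// the module and version columns matter for the check below.
const sampleGoSum = `github.com/containerd/containerd v1.5.7/go.mod h1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
github.com/containerd/containerd v1.5.8 h1:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
github.com/containerd/containerd v1.5.8/go.mod h1:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
github.com/containerd/containerd v1.5.9 h1:DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD=
github.com/containerd/containerd v1.5.9/go.mod h1:EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE=
example.com/unrelated v0.3.1 h1:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF=
example.com/unrelated v0.3.1/go.mod h1:GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG=
`

// version is the subset of Go module semver this check needs.
type version struct {
	major, minor, patch int
	pre                 string // pre-release or pseudo-version suffix, "" for a release
}

// parseVersion parses "vMAJOR.MINOR.PATCH[-PRE][+BUILD]" as written in go.mod and go.sum.
func parseVersion(s string) (version, error) {
	if !strings.HasPrefix(s, "v") {
		return version{}, fmt.Errorf("version %q lacks the v prefix", s)
	}
	core := s[1:]
	if i := strings.IndexByte(core, '+'); i >= 0 {
		core = core[:i] // build metadata never affects precedence
	}
	var v version
	if i := strings.IndexByte(core, '-'); i >= 0 {
		v.pre, core = core[i+1:], core[:i]
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("malformed version %q", s)
	}
	nums := [3]*int{&v.major, &v.minor, &v.patch}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return version{}, fmt.Errorf("malformed version %q: %w", s, err)
		}
		*nums[i] = n
	}
	return v, nil
}

// less reports whether a sorts before b under semver precedence.
func (a version) less(b version) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	if a.pre != "" && b.pre != "" {
		return a.pre < b.pre // adequate for pseudo-version timestamps
	}
	return a.pre != "" && b.pre == "" // a pre-release sorts before its release
}

// Finding is one go.sum version of the module that is older than the fix.
// ContentHash is true when go.sum holds the module's source hash (a line
// without the "/go.mod" suffix); false means only its go.mod hash is present.
type Finding struct {
	Version     string
	ContentHash bool
}

// VulnerableEntries scans go.sum text for entries of module whose version is
// below fixed and returns them in file order, one Finding per version.
func VulnerableEntries(goSum, module, fixed string) ([]Finding, error) {
	fixedV, err := parseVersion(fixed)
	if err != nil {
		return nil, err
	}
	var out []Finding
	index := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 3 || fields[0] != module {
			continue
		}
		ver := strings.TrimSuffix(fields[1], "/go.mod")
		v, err := parseVersion(ver)
		if err != nil {
			return nil, fmt.Errorf("go.sum line %q: %w", sc.Text(), err)
		}
		if !v.less(fixedV) {
			continue
		}
		i, seen := index[ver]
		if !seen {
			i = len(out)
			index[ver] = i
			out = append(out, Finding{Version: ver})
		}
		if !strings.HasSuffix(fields[1], "/go.mod") {
			out[i].ContentHash = true
		}
	}
	return out, sc.Err()
}

func main() {
	findings, err := VulnerableEntries(sampleGoSum, "github.com/containerd/containerd", "v1.5.9")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		kind := "go.mod hash only (consulted during version selection)"
		if f.ContentHash {
			kind = "content hash present (source was downloaded for a build)"
		}
		fmt.Printf("%s: %s\n", f.Version, kind)
	}
}
```

A go.mod-only line for an older version is normal: the go command records the go.mod hash of every version it consulted while resolving the dependency graph, so that line alone does not mean the vulnerable code is compiled into the tools binary. A content-hash line for an older version that survives `go mod tidy` normally does mean that version is what the build downloads; the usual remedy is to raise the requirement in the module that selects it (for example `go get github.com/containerd/containerd@v1.5.9` in the tools module, which adds an indirect requirement) and run `go mod tidy` again so stale go.sum entries are pruned.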

Scorecard automation moved this from Done to In progress Feb 23, 2022
@naveensrinivasan naveensrinivasan linked a pull request Feb 23, 2022 that will close this issue
Scorecard automation moved this from In progress to Done Feb 23, 2022