Update go to address CVEs #531

Closed
dhaval0603 opened this issue Jan 9, 2024 · 0 comments · Fixed by #532

Comments

@dhaval0603

The Go package used in the prom/statsd-exporter:v0.26.0 is affected by a number of CVEs. The package needs to be updated to provide security fixes.

Security Reports

Please view all CVEs listed in this report. All CVEs listed here are reported for golang:go:1.19.12:*:*:*:*:*:*:*

https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3Agolang%3Ago%3A1.19.12%3A*%3A*%3A*%3A*%3A*%3A*%3A*

Evidence

Go packaged in the prom/statsd-exporter:v0.26.0 still contains go 1.19.12. See this line "Build context" context="(go=go1.19.12, platform=linux/amd64, user=root@28e79991cb35, date=20231206-09:59:46, tags=netgo static_build)"

❯ docker run -it prom/statsd-exporter:v0.26.0
Unable to find image 'prom/statsd-exporter:v0.26.0' locally
v0.26.0: Pulling from prom/statsd-exporter
Digest: sha256:a3924f9429c8237293336ff40c5a246238ff9f64aaf712521b2d29f45d6214d5
Status: Downloaded newer image for prom/statsd-exporter:v0.26.0
ts=2024-01-09T19:51:53.636Z caller=main.go:300 level=info msg="Starting StatsD -> Prometheus Exporter" version="(version=0.26.0, branch=HEAD, revision=2c7fd1edd4bdf01982a648b689da10e5bcff860d)"
ts=2024-01-09T19:51:53.636Z caller=main.go:301 level=info msg="Build context" context="(go=go1.19.12, platform=linux/amd64, user=root@28e79991cb35, date=20231206-09:59:46, tags=netgo static_build)"
ts=2024-01-09T19:51:53.638Z caller=main.go:350 level=info msg="Accepting StatsD Traffic" udp=:9125 tcp=:9125 unixgram=
ts=2024-01-09T19:51:53.638Z caller=main.go:351 level=info msg="Accepting Prometheus Requests" addr=:9102
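
The check described under "Evidence" can be automated. The following is an added example, not part of the original issue or the project's code: it extracts the Go toolchain version from the exporter's "Build context" startup line and compares it numerically against a minimum. The function names and the 1.21.0 floor (taken from the fix commit's "Update Go to 1.21") are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Matches the go=goX.Y[.Z] field inside the exporter's "Build context" log line.
var goField = regexp.MustCompile(`msg="Build context" context="\(go=go(\d+)\.(\d+)(?:\.(\d+))?[,)]`)

// parseGoVersion returns [major, minor, patch] from a startup log. ok is false
// when no parsable "Build context" line exists; callers should treat that as a failure.
func parseGoVersion(log string) (v [3]int, ok bool) {
	for _, line := range strings.Split(log, "\n") {
		m := goField.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		for i := 0; i < 3; i++ {
			if m[i+1] != "" {
				v[i], _ = strconv.Atoi(m[i+1]) // digits only, cannot fail
			}
		}
		return v, true
	}
	return v, false
}

// olderThan compares component-wise as integers, so 1.19.12 sorts after 1.9.0
// (a plain string comparison would get this wrong).
func olderThan(v, floor [3]int) bool {
	for i := range v {
		if v[i] != floor[i] {
			return v[i] < floor[i]
		}
	}
	return false
}

// Constructed sample: the "Build context" line quoted in the issue.
const sampleLog = `ts=2024-01-09T19:51:53.636Z caller=main.go:301 level=info msg="Build context" context="(go=go1.19.12, platform=linux/amd64, user=root@28e79991cb35, date=20231206-09:59:46, tags=netgo static_build)"`

func main() {
	v, ok := parseGoVersion(sampleLog)
	// Assumed policy floor: Go 1.21.0.
	fmt.Println(v, ok, olderThan(v, [3]int{1, 21, 0}))
}
```
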
SuperQ added a commit that referenced this issue Jan 9, 2024
* Update Go to 1.21.
* Cleanup unnecessary build flags.
* Update minimum Go version to 1.20.

Fixes: #531

Signed-off-by: SuperQ <superq@gmail.com>
@SuperQ SuperQ mentioned this issue Jan 9, 2024
SuperQ added a commit that referenced this issue Jan 9, 2024
* Update Go to 1.21.
* Cleanup unnecessary build flags.
* Update minimum Go version to 1.20.

Fixes: #531

Signed-off-by: SuperQ <superq@gmail.com>