CSPL-836 Mitigate vulnerabilities from github.com/coreos/prometheus-operator/pkg/client/versioned/scheme-v0.34.0 library #268
Conversation
…perator/pkg/client/versioned/scheme-v0.34.0 library Upgrade prometheus-operator from v0.34.0 to v0.38.3 to address vulnerabilities CVE-2020-8565, CVE-2019-11253, CVE-2019-11254, CVE-2020-14040, and CVE-2020-15113
vebken-splunk
force-pushed
the
bugfix/CSPL-836
branch
from
7134977 to
2a07975
Compare
|
|
||
| require ( | ||
| github.com/aws/aws-sdk-go v1.17.7 | ||
| github.com/aws/aws-sdk-go v1.30.12 |
There was a problem hiding this comment.
Do we need this line as this is already being covered as part of https://github.com/splunk/splunk-operator/pull/267/files ?
There was a problem hiding this comment.
This version is updated automatically by requiring prometheus-operator v0.38.3 so it is necessary for this standalone fix. When merging this and CSPL-841 (#267) we will need to ensure that the latest version of the awk-sdk-go library is retained (depending on the order the tickets are merged in).
| require ( | ||
| github.com/aws/aws-sdk-go v1.17.7 | ||
| github.com/aws/aws-sdk-go v1.30.12 | ||
| github.com/coreos/prometheus-operator v0.38.3 // indirect |
There was a problem hiding this comment.
Question similar to aws-sdk-go discussion .. does updating to latest version of prometheus operator cause build failures or other problems?
There was a problem hiding this comment.
Yes, upgrading to the latest version of prometheus operator causes dependency issues and build issues. v0.38.3 is the latest version that will work without further changes such as upgrading the operator sdk version.
Upgrade prometheus-operator from v0.34.0 to v0.38.3 to address vulnerabilities CVE-2020-8565, CVE-2019-11253, CVE-2019-11254, CVE-2020-14040, and CVE-2020-15113