[main] Fix CVEs reported by trivy scanner. #136
Conversation
Fix CVEs reported by trivy scanner. Add GOPROXY in Dockerfile and Makefile. Signed-off-by: Xun Jiang <blackpiglet@gmail.com>
|
|
||
| replace ( | ||
| golang.org/x/net => golang.org/x/net v0.0.0-20220906165146-f3363e06e74c | ||
| golang.org/x/text => golang.org/x/text v0.3.8 |
There was a problem hiding this comment.
why not pin to 0.3.8 in the require section?
There was a problem hiding this comment.
@reasonerjt Sometimes the replace is necessary due to embedded/indirect dependencies -- indirect deps might call for specific (older) versions. I haven't verified that it's needed here. The problem with replace CVE fixes is that we tend to forget to remove them later when we really need newer versions than the replace, which means it ends up downgrading instead of upgrading the dep.
There was a problem hiding this comment.
I follow a previous Azure CVE fix PR to use the replace directive instead of require, and I think maybe using replace for indirect refereced module is more intuitive, although require directive should also work here.
I agree. We should at least go through the module file per release. The replace or require would grow out of date by time, then seperating them from the require section into replace is more helpful to distinguish.
Fix CVEs reported by trivy scanner.
Add GOPROXY in Dockerfile and Makefile.
Signed-off-by: Xun Jiang blackpiglet@gmail.com