
[Snyk] Security upgrade alpine from 3.7 to 3.19 #1630


Closed
wants to merge 2,311 commits into from

Conversation

caniszczyk

This PR was automatically created by Snyk using the credentials of a real user.


![snyk-top-banner](https://github.com/andygongea/OWASP-Benchmark/assets/818805/c518c423-16fe-447e-b67f-ad5a49b5d123)

Snyk has created this PR to fix 1 vulnerability in the dockerfile dependencies of this project.

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Snyk changed the following file(s):

  • vendor/github.com/jaypipes/ghw/Dockerfile

We recommend upgrading to alpine:3.19, as this image has only 0 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:

Issue: Out-of-bounds Write (critical severity), SNYK-ALPINE37-MUSL-458286
Score: 714

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.


maryamtahhan and others added 30 commits May 8, 2024 09:15
Signed-off-by: Maryam Tahhan <mtahhan@redhat.com>
Go 1.20 is end of support. Go 1.22 is not packaged
in UBI tooling yet. Update to Go 1.21 instead.

Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
Signed-off-by: Vimal Kumar <vimal78@gmail.com>
Signed-off-by: Kaiyi <kaiyiliu21@gmail.com>
use `$__rate_interval` in intel-pcm dashboard
Signed-off-by: Maryam Tahhan <mtahhan@redhat.com>

Signed-off-by: Maryam Tahhan <mtahhan@redhat.com>
chore(bpfassets): Remove BCC
Signed-off-by: sustainable-computing-bot <bot@sustainable-computing.io>
Dockerfile: update libbpf-source linux version
Signed-off-by: sustainable-computing-bot <bot@sustainable-computing.io>
This commit:
* Adds panels to highlight the degree of regression
  between dev and latest version.
* Adds panel for visualizing more info related to Node
  and process like Core, Package, Dram, Other, CPU cycles,
  CPU miss and BPF CPU time.

Signed-off-by: Vibhu Prashar <vibhu.sharma2929@gmail.com>
dashboard(dev-compose): improve dev dashboard
* fix(bpf): Fix issue introduced with bpf refactor

This fixes a few issues identified with the bpf code
format and refactor.

1. Zero initialize all variables
2. Use the bpf_perf_event_read_value helper exclusively

In addition, add some logging around eBPF array resizing.

Fixes: #1402 #1411

Signed-off-by: Dave Tucker <dave@dtucker.co.uk>

* fix(bpf): Incorrect map size for processes and pid_time

Signed-off-by: Dave Tucker <dave@dtucker.co.uk>

---------

Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
For local development the instructions suggest running:

./_output/bin/linux_amd64/kepler

This checks for the bytecode in /var/lib/kepler/bpfassets
However, for local development this directory doesn't exist.

The fallback was to look in ../../../bpfassets/libbpf/bpf.o
Running the recommended command was causing kepler to look in
strange locations (i.e /bpfassets) for bytecode.

This PR fixes the lookup for local development to use a glob
pattern starting at the current directory. This works well
for local development, with the added bonus of making it easier
to test kepler builds on remote systems since you can also
copy the binary and bytecode files together, without having
to place the bytecode in a special path.

Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
Signed-off-by: Sunil Thaha <sthaha@redhat.com>
* chore: bump up go to 1.21

Signed-off-by: Sunil Thaha <sthaha@redhat.com>

* chore: bump up libbpfgo to 0.6.0

Signed-off-by: Sunil Thaha <sthaha@redhat.com>

* ci: bump up golangci-lint

Signed-off-by: Sunil Thaha <sthaha@redhat.com>

* fix: golangci-lint for str len check

Signed-off-by: Sunil Thaha <sthaha@redhat.com>

---------

Signed-off-by: Sunil Thaha <sthaha@redhat.com>
Signed-off-by: sustainable-computing-bot <bot@sustainable-computing.io>
Signed-off-by: Huamin Chen <hchen@redhat.com>
Signed-off-by: Huamin Chen <hchen@redhat.com>
Signed-off-by: Huamin Chen <hchen@redhat.com>
Signed-off-by: Huamin Chen <hchen@redhat.com>
Signed-off-by: Huamin Chen <hchen@redhat.com>
Signed-off-by: Huamin Chen <hchen@redhat.com>
Signed-off-by: Huamin Chen <hchen@redhat.com>
Signed-off-by: Sunil Thaha <sthaha@redhat.com>
Signed-off-by: Kaiyi <kaiyiliu21@gmail.com>
…ual queries

Signed-off-by: Kaiyi <kaiyiliu21@gmail.com>
Signed-off-by: Kaiyi <kaiyiliu21@gmail.com>
dave-tucker and others added 23 commits July 12, 2024 11:05
This commit adds a more comprehensive eBPF test suite.
Currently it tests the operation of a number of key functions
within the eBPF code - for example the main sched_switch
tracepoint that we run. In addition, it runs a number
of micro benchmarks so we can track performance of these
key pieces of code.

Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
test(bpf): Add eBPF Test Suite
This commit addresses and resolves various linting issues in the validator module
Additionally, it includes the following improvements:

- Add a new make target to run the linter.
- Add `__init__.py` to the `tests/validator` directory
  to resolve the linting issue: implicit-namespace-package (INP001).
- Suppress certain linting issues that are intentional or not applicable in our context.

Signed-off-by: vprashar2929 <vprashar@redhat.com>
Refactor pkg/sensors/accelerator to use a more generic device
abstractions that different devices can plug into.

Signed-off-by: Maryam Tahhan <mtahhan@redhat.com>
Signed-off-by: Maryam Tahhan <mtahhan@redhat.com>
fix(validator): resolve linting issues
This commit allows grafana to be accessed without logging in as
admin user. It also solves the nagging change password issue.

Signed-off-by: Sunil Thaha <sthaha@redhat.com>
Signed-off-by: Maryam Tahhan <mtahhan@redhat.com>
Bumps the go-dependencies group with 1 update: [github.com/prometheus/prometheus](https://github.com/prometheus/prometheus).


Updates `github.com/prometheus/prometheus` from 0.53.0 to 0.53.1
- [Release notes](https://github.com/prometheus/prometheus/releases)
- [Changelog](https://github.com/prometheus/prometheus/blob/main/CHANGELOG.md)
- [Commits](prometheus/prometheus@v0.53.0...v0.53.1)

---
updated-dependencies:
- dependency-name: github.com/prometheus/prometheus
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
…modules/go-dependencies-d988561a6c

build(deps): bump github.com/prometheus/prometheus from 0.53.0 to 0.53.1 in the go-dependencies group
chore(compose/grafana): allow anonymous login with admin role
This commit improves the README with detailed instructions on how to set up
and run the Docker Compose for VM validations. Additionally, it updates the
steps required to launch the validator tool

Signed-off-by: vprashar2929 <vibhu.sharma2929@gmail.com>
docs(validator): update the documentation for running the validator
Signed-off-by: Vimal Kumar <vimal78@gmail.com>
Signed-off-by: Vimal Kumar <vimal78@gmail.com>
feat: Add mock-acpi validation to validator
Added image signing to workflow using cosign.  Signs images with
GitHub OIDC token, and permissions updated and restricted to
reflect this.

Signed-off-by: Arthur Savage <arthursavage47@gmail.com>
Bumps the go-dependencies group with 3 updates: [k8s.io/api](https://github.com/kubernetes/api), [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) and [k8s.io/client-go](https://github.com/kubernetes/client-go).


Updates `k8s.io/api` from 0.29.6 to 0.29.7
- [Commits](kubernetes/api@v0.29.6...v0.29.7)

Updates `k8s.io/apimachinery` from 0.29.6 to 0.29.7
- [Commits](kubernetes/apimachinery@v0.29.6...v0.29.7)

Updates `k8s.io/client-go` from 0.29.6 to 0.29.7
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.29.6...v0.29.7)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-dependencies
- dependency-name: k8s.io/apimachinery
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-dependencies
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
…modules/go-dependencies-08a97c52c3

build(deps): bump the go-dependencies group with 3 updates
ci: sign image builds (fixing security issue)

github-actions bot commented Jul 23, 2024

🤖 SeineSailor

I apologize, but since you've only provided a single changeset with no actual changes listed, I'm unable to generate a concise summary of the pull request changes. Please provide the complete list of changesets, and I'll be happy to assist you in summarizing the key modifications and their impact on the codebase.
