
Upgrade golang.org/x/net from v0.15.0 to v0.17.0 #5448

Merged
merged 2 commits into from
Oct 12, 2023

Conversation

ptodev
Contributor

@ptodev ptodev commented Oct 12, 2023

This issue fixes CVE-2023-39325. This is the security report on the main branch, prior to this change:

└─▪ trivy repo https://github.com/grafana/agent --branch main --timeout 20m0s
2023-10-12T12:08:51.568+0100	INFO	Vulnerability scanning is enabled
2023-10-12T12:08:51.568+0100	INFO	Secret scanning is enabled
2023-10-12T12:08:51.568+0100	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-10-12T12:08:51.568+0100	INFO	Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
Enumerating objects: 41803, done.
Counting objects: 100% (41803/41803), done.
Compressing objects: 100% (20803/20803), done.
Total 41803 (delta 21196), reused 36780 (delta 17362), pack-reused 0
2023-10-12T12:12:44.916+0100	INFO	Number of language-specific files: 3
2023-10-12T12:12:44.916+0100	INFO	Detecting gomod vulnerabilities...
2023-10-12T12:12:44.921+0100	INFO	Detecting yarn vulnerabilities...

go.mod (gomod)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────────────────────┬────────────────┬──────────┬────────┬─────────────────────────────────────┬───────────────┬──────────────────────────────────────────────┐
│         Library         │ Vulnerability  │ Severity │ Status │          Installed Version          │ Fixed Version │                    Title                     │
├─────────────────────────┼────────────────┼──────────┼────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────┤
│ github.com/grafana/loki │ CVE-2021-36156 │ MEDIUM   │ fixed  │ 1.6.2-0.20231004111112-07cbef92268a │ 2.3.0         │ Path traversal in Grafana Loki               │
│                         │                │          │        │                                     │               │ https://avd.aquasec.com/nvd/cve-2021-36156   │
├─────────────────────────┼────────────────┤          │        ├─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────┤
│ golang.org/x/net        │ CVE-2023-39325 │          │        │ 0.15.0                              │ 0.17.0        │ rapid stream resets can cause excessive work │
│                         │                │          │        │                                     │               │ (CVE-2023-44487)                             │
│                         │                │          │        │                                     │               │ https://avd.aquasec.com/nvd/cve-2023-39325   │
└─────────────────────────┴────────────────┴──────────┴────────┴─────────────────────────────────────┴───────────────┴──────────────────────────────────────────────┘

This is the report after the change:

└─▪ trivy repo https://github.com/grafana/agent --branch ptodev/fix-cve --timeout 20m0s
2023-10-12T12:17:46.591+0100	INFO	Vulnerability scanning is enabled
2023-10-12T12:17:46.591+0100	INFO	Secret scanning is enabled
2023-10-12T12:17:46.591+0100	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-10-12T12:17:46.591+0100	INFO	Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
Enumerating objects: 41803, done.
Counting objects: 100% (41803/41803), done.
Compressing objects: 100% (20803/20803), done.
Total 41803 (delta 21196), reused 36780 (delta 17362), pack-reused 0
2023-10-12T12:21:51.215+0100	INFO	Number of language-specific files: 3
2023-10-12T12:21:51.215+0100	INFO	Detecting gomod vulnerabilities...
2023-10-12T12:21:51.216+0100	INFO	Detecting yarn vulnerabilities...

go.mod (gomod)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────────────────────┬────────────────┬──────────┬────────┬─────────────────────────────────────┬───────────────┬────────────────────────────────────────────┐
│         Library         │ Vulnerability  │ Severity │ Status │          Installed Version          │ Fixed Version │                   Title                    │
├─────────────────────────┼────────────────┼──────────┼────────┼─────────────────────────────────────┼───────────────┼────────────────────────────────────────────┤
│ github.com/grafana/loki │ CVE-2021-36156 │ MEDIUM   │ fixed  │ 1.6.2-0.20231004111112-07cbef92268a │ 2.3.0         │ Path traversal in Grafana Loki             │
│                         │                │          │        │                                     │               │ https://avd.aquasec.com/nvd/cve-2021-36156 │
└─────────────────────────┴────────────────┴──────────┴────────┴─────────────────────────────────────┴───────────────┴────────────────────────────────────────────┘

I intend to fix CVE-2021-36156 in a separate pull request.

I believe this is a backwards compatible change which is not user facing, so I'm not updating the changelog. As far as I can tell in the "net" package's release tags, the recent changes to it are minor.
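One defender-side check that the before/after reports above imply, as an added example that is not part of this PR or of grafana/agent: a stdlib-only Go snippet that reads a go.mod and reports whether golang.org/x/net is still pinned below the fixed version trivy lists (0.17.0). The embedded go.mod, the module path example.com/agent and the function names are constructed for illustration.

```go
package main

import "fmt"
import "strings"

// Constructed go.mod excerpt (not grafana/agent's own), pinned to the "Installed Version" values above.
const sampleGoMod = `module example.com/agent
require (
	github.com/grafana/loki v1.6.2-0.20231004111112-07cbef92268a
	golang.org/x/net v0.15.0
)`

// parseVersion turns "v0.15.0" into [0 15 0], or nil if unparsable. Dropping the pre-release or
// pseudo-version suffix is an approximation; exact ordering needs golang.org/x/mod/semver.
func parseVersion(v string) []int {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "-")
	out := make([]int, 3)
	if n, err := fmt.Sscanf(v, "%d.%d.%d", &out[0], &out[1], &out[2]); n != 3 || err != nil {
		return nil
	}
	return out
}

// requiredVersion returns the version go.mod requires for module ("" if absent),
// handling both "require m v" lines and "require ( ... )" blocks.
func requiredVersion(goMod, module string) string {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == module {
			return f[1]
		}
	}
	return ""
}

// BelowFixed reports whether goMod pins module below the advisory's fixed version,
// i.e. whether the finding still applies; an absent module is unaffected.
func BelowFixed(goMod, module, fixed string) (bool, error) {
	have := requiredVersion(goMod, module)
	if have == "" {
		return false, nil
	}
	hv, fv := parseVersion(have), parseVersion(fixed)
	if hv == nil || fv == nil {
		return false, fmt.Errorf("unparsable version %q or %q", have, fixed)
	}
	// Pack major.minor.patch so integer order equals version order (each component < 2^20).
	key := func(v []int) int64 { return int64(v[0])<<40 | int64(v[1])<<20 | int64(v[2]) }
	return key(hv) < key(fv), nil
}
```

Run it against a real go.mod to confirm the upgrade landed; the same call with the loki line and fixed version 2.3.0 still reports the remaining MEDIUM finding from the second table.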

@ptodev ptodev requested a review from a team as a code owner October 12, 2023 11:33
Collaborator

@mattdurham mattdurham left a comment


Lgtm

@ptodev ptodev merged commit 3efd214 into main Oct 12, 2023
7 checks passed
@ptodev ptodev deleted the ptodev/fix-cve branch October 12, 2023 16:09
@github-actions github-actions bot added the frozen-due-to-age Locked due to a period of inactivity. Please open new issues or PRs if more discussion is needed. label Feb 21, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 21, 2024