
trino/467 package update #36043

Merged
merged 1 commit into from
Dec 13, 2024
Conversation

octo-sts[bot]
Contributor

@octo-sts octo-sts bot commented Dec 7, 2024

@octo-sts octo-sts bot added request-version-update request for a newer version of a package automated pr labels Dec 7, 2024
@octo-sts octo-sts bot mentioned this pull request Dec 7, 2024
@mamccorm
Member

mamccorm commented Dec 7, 2024

Malcontent scan is currently hanging / aborting, so we can't get a complete build right now to merge this one

@mamccorm mamccorm force-pushed the wolfictl-dfeb3c1c-1085-491c-8a6a-b7c4ea89696b branch from becdc28 to ce5b90d Compare December 7, 2024 19:47
@octo-sts octo-sts bot added the bincapz/blocking Bincapz (aka malcontent) scan results detected CRITICALs on the packages. label Dec 8, 2024
@imjasonh
Member

imjasonh commented Dec 8, 2024

> Malcontent scan is currently hanging / aborting, so we can't get a complete build right now to merge this one

Malcontent scans are now completing, even for this huge PR! 🎉

https://github.com/wolfi-dev/os/pull/36043/checks?check_run_id=34093309198

@imjasonh
Member

imjasonh commented Dec 8, 2024

Does trino embed pre-built darwin Go binaries?!

├── 📄 /usr/lib/trino/bin/darwin-amd64/launcher
│       📦 stdlib go1.23.0 (go-module)
│           Medium CVE-2024-34155 fixed in 1.22.7, 1.23.1
│           High CVE-2024-34156 fixed in 1.22.7, 1.23.1
│           High CVE-2024-34158 fixed in 1.22.7, 1.23.1
└── 📄 /usr/lib/trino/bin/darwin-arm64/launcher
        📦 stdlib go1.23.0 (go-module)
            Medium CVE-2024-34155 fixed in 1.22.7, 1.23.1
            High CVE-2024-34156 fixed in 1.22.7, 1.23.1
            High CVE-2024-34158 fixed in 1.22.7, 1.23.1

@imjasonh imjasonh added the staging-build If this label is set on a PR, it will be built by elastic-build in staging label Dec 9, 2024
@egibs
Member

egibs commented Dec 10, 2024

Spent some time digging into the malcontent findings. As of 466, Trino now uses a Go-based launcher stored in a separate repository: https://github.com/airlift/launcher

The Linux binaries are also compressed with UPX: https://github.com/airlift/launcher/blob/ca880f7bc25cf18b3eebf30b398a63e88cad34de/src/main/go/build.sh#L30-L35

UPX limits our visibility into the launcher binaries, unfortunately.
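The two findings above (Go stdlib CVEs reported against the bundled darwin launchers, and Linux launchers whose UPX packing hides their build info) can be reproduced locally with a small walker. This is an added example, not code from Trino, airlift/launcher or wolfi-dev/os: it reads the Go toolchain version from each executable with the standard library's `debug/buildinfo`, flags versions below the fixed releases quoted in the scan output (`go1.22.7`, `go1.23.1`, assumed here as the advisory list), and uses the presence of the `UPX!` magic near the start of the file as a heuristic for UPX packing. The `/usr/lib/trino/bin` default path is taken from the scan output; the function names are this example's own.

```go
package main

import (
	"bytes"
	"debug/buildinfo"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Finding summarises what could be learned about one executable.
type Finding struct {
	Path      string
	UPXPacked bool   // "UPX!" magic seen in the first 64 KiB (heuristic)
	GoVersion string // toolchain from the Go build info; empty if unreadable
	Outdated  bool   // GoVersion predates the fixed release for its minor line
}

// fixedReleases are the fixed toolchains quoted in the scan output above (assumed advisory list).
var fixedReleases = []string{"go1.22.7", "go1.23.1"}

// parseGoVersion turns "go1.23.0" into (1, 23, 0). Release candidates and
// malformed strings are rejected so they are never reported as up to date.
func parseGoVersion(v string) (major, minor, patch int, ok bool) {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return 0, 0, 0, false
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return 0, 0, 0, false
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], true
}

// olderThanFixed reports whether v still needs the fix: same major.minor line as a
// fixed release but a lower patch, or a line older than every fixed line
// (lines that no longer receive releases never got the fix). Unparseable
// versions are reported as needing review.
func olderThanFixed(v string, fixed []string) bool {
	major, minor, patch, ok := parseGoVersion(v)
	if !ok {
		return true
	}
	oldestFixedMinor := -1
	for _, f := range fixed {
		fMajor, fMinor, fPatch, fok := parseGoVersion(f)
		if !fok || fMajor != major {
			continue
		}
		if fMinor == minor {
			return patch < fPatch
		}
		if oldestFixedMinor < 0 || fMinor < oldestFixedMinor {
			oldestFixedMinor = fMinor
		}
	}
	return oldestFixedMinor >= 0 && minor < oldestFixedMinor
}

// isUPXPacked looks for the "UPX!" magic in the first 64 KiB. UPX writes its
// loader headers right after the ELF program headers, so packed binaries show
// the magic early; treat a hit as a prompt to inspect, not as proof.
func isUPXPacked(path string) (bool, error) {
	f, err := os.Open(path)
	if err != nil {
		return false, err
	}
	defer f.Close()
	head := make([]byte, 64*1024)
	n, err := io.ReadFull(f, head)
	if err != nil && err != io.EOF && err != io.ErrUnexpectedEOF {
		return false, err
	}
	return bytes.Contains(head[:n], []byte("UPX!")), nil
}

// inspect combines both checks. A UPX-packed Go binary yields no build info,
// which is exactly the visibility loss described in the thread.
func inspect(path string) Finding {
	fd := Finding{Path: path}
	if packed, err := isUPXPacked(path); err == nil {
		fd.UPXPacked = packed
	}
	if bi, err := buildinfo.ReadFile(path); err == nil {
		fd.GoVersion = bi.GoVersion
		fd.Outdated = olderThanFixed(bi.GoVersion, fixedReleases)
	}
	return fd
}

// walk inspects every regular file with an execute bit below root.
func walk(root string) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if info.Mode()&0o111 != 0 {
			out = append(out, inspect(p))
		}
		return nil
	})
	return out, err
}

func main() {
	root := "/usr/lib/trino/bin" // launcher directory from the scan output
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	findings, err := walk(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "walk:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%s upx=%t go=%q outdated=%t\n", f.Path, f.UPXPacked, f.GoVersion, f.Outdated)
	}
}
```

Run it against an unpacked package tree (`go run . /path/to/usr/lib/trino/bin`): the darwin launchers should report `go=\"go1.23.0\" outdated=true`, matching the scan, while the UPX-packed Linux launchers report `upx=true` with an empty Go version, which is the case a reviewer has to resolve by hand (or by unpacking with `upx -d` before scanning).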

@egibs egibs added the malcontent/reviewed The malcontent findings in this PR have been manually reviewed by security. label Dec 10, 2024
@mamccorm mamccorm force-pushed the wolfictl-dfeb3c1c-1085-491c-8a6a-b7c4ea89696b branch from 3da4e09 to 9cbf32a Compare December 13, 2024 00:03
@powersj powersj merged commit 52f1760 into main Dec 13, 2024
17 of 20 checks passed
@powersj powersj deleted the wolfictl-dfeb3c1c-1085-491c-8a6a-b7c4ea89696b branch December 13, 2024 17:30