Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump dependencies where Trivy reports high or critical CVEs #147

Merged
merged 8 commits into from
Jan 10, 2023
Merged

Bump dependencies where Trivy reports high or critical CVEs #147

merged 8 commits into from
Jan 10, 2023

Conversation

gcradden
Copy link
Contributor

@gcradden gcradden commented Jan 9, 2023
edited
Loading

Updated go dependencies with CVEs reported by Trivy scanning tool, as discussed in #138. For each dependency I ran go get -u <dependency> and then go mod vendor (as well as any go gets needed to fetch extra packages to be saved in vendor folder, and go build to make sure the project still built). I checked at the end that trivy no longer reported high or critical CVEs.

I had to update containermanager/container_manager_linux.go to work with the changed opencontainers/runc API. I also had to pin google.golang.org/grpc/naming because the package has been removed, as suggested in fullstorydev/grpcurl#237 (comment) and in other bug reports online.

When I run go build, the binary seems to build fine but these warning messages are printed:

# github.com/coreos/etcd/clientv3/balancer/resolver/endpoint
vendor/github.com/coreos/etcd/clientv3/balancer/resolver/endpoint/endpoint.go:114:87: undefined: resolver.BuildOption
vendor/github.com/coreos/etcd/clientv3/balancer/resolver/endpoint/endpoint.go:182:40: undefined: resolver.ResolveNowOption
# github.com/coreos/etcd/clientv3/balancer/picker
vendor/github.com/coreos/etcd/clientv3/balancer/picker/err.go:37:53: undefined: balancer.PickOptions
vendor/github.com/coreos/etcd/clientv3/balancer/picker/roundrobin_balanced.go:55:63: undefined: balancer.PickOptions

This is due to etcd-io/etcd#11931, which it looks like can be resolved by taking a recent go.etcd.io/etcd/client/v3. Unfortunately, the etcd dependency is currently on the go.etcd.io/etcd module as a whole, which it looks like is no longer receiving updates. This dependency is via k8s.io/apiserver. It looks like the minimum version of apiserver that splits out the etcd dependencies (so could take the fix) is 0.22.0, but I didn't want to make a non-patch bump to the k8s dependencies so have left as is.

@evol262
Copy link
Contributor

evol262 commented Jan 9, 2023

May as well do this here also. I'll update the PR. Vendoring k8s components is a, uh, less than fun process, but it makes sense as part of this PR.

@evol262 evol262 mentioned this pull request Jan 9, 2023
Closed
@evol262 evol262 merged commit 31e0d14 into Mirantis:master Jan 10, 2023
@spowelljr spowelljr mentioned this pull request Feb 16, 2023
Closed
@vikramhh vikramhh mentioned this pull request Dec 5, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@gcradden @evol262