Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[deps] Upgrading to gRPC 1.60.x with Latest trivy #2

Merged
merged 4 commits into from
Jul 31, 2024
Merged

[deps] Upgrading to gRPC 1.60.x with Latest trivy #2

merged 4 commits into from
Jul 31, 2024

Conversation

onelapahead
Copy link

Removing the trivyignore, go replace, and ran go mod tidy. Hopefully making it so our image scan (not just the SBOM) also passes in the future:

2024-06-19T16:48:43-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
INFO[0534] Pulling 604386504253.dkr.ecr.us-east-2.amazonaws.com/kaleido-fabconnect:20240619-67
INFO[0534] Pull complete for 604386504253.dkr.ecr.us-east-2.amazonaws.com/kaleido-fabconnect:20240619-67
INFO[0534] 🕵️ Scanning kaleido-fabconnect for vulnerabilities
INFO[0536] 2024-06-19T16:48:44-04:00	INFO	Vulnerability scanning is enabled
2024-06-19T16:48:45-04:00	INFO	Detected OS	family="ubuntu" version="22.04"
2024-06-19T16:48:45-04:00	INFO	[ubuntu] Detecting vulnerabilities...	os_version="22.04" pkg_num=131
2024-06-19T16:48:45-04:00	INFO	Number of language-specific files	num=2
2024-06-19T16:48:45-04:00	INFO	[gobinary] Detecting vulnerabilities...
2024-06-19T16:48:45-04:00	INFO	[gomod] Detecting vulnerabilities...

604386504253.dkr.ecr.us-east-2.amazonaws.com/kaleido-fabconnect:20240619-67 (ubuntu 22.04)
==========================================================================================
Total: 0 (UNKNOWN: 0, HIGH: 0, CRITICAL: 0)


fabconnect/fabconnect (gobinary)
================================
Total: 1 (UNKNOWN: 0, HIGH: 1, CRITICAL: 0)

┌────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬────────────────────────┬───────────────────────────────────────────────────┐
│        Library         │    Vulnerability    │ Severity │ Status │ Installed Version │     Fixed Version      │                       Title                       │
├────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼────────────────────────┼───────────────────────────────────────────────────┤
│ google.golang.org/grpc │ GHSA-m425-mq94-257g │ HIGH     │ fixed  │ v1.29.0           │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability          │
│                        │                     │          │        │                   │                        │ https://github.com/advisories/GHSA-m425-mq94-257g │
└────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────────────┴───────────────────────────────────────────────────┘

go.mod (gomod)
==============
Total: 1 (UNKNOWN: 0, HIGH: 1, CRITICAL: 0)

┌────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬────────────────────────┬───────────────────────────────────────────────────┐
│        Library         │    Vulnerability    │ Severity │ Status │ Installed Version │     Fixed Version      │                       Title                       │
├────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼────────────────────────┼───────────────────────────────────────────────────┤
│ google.golang.org/grpc │ GHSA-m425-mq94-257g │ HIGH     │ fixed  │ 1.29.0            │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability          │
│                        │                     │          │        │                   │                        │ https://github.com/advisories/GHSA-m425-mq94-257g │
└────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────────────┴───────────────────────────────────────────────────┘

@onelapahead onelapahead requested a review from a team as a code owner June 19, 2024 21:16
onelapahead
onelapahead commented Jun 19, 2024
View reviewed changes
go.mod Show resolved Hide resolved
EnriqueL8
EnriqueL8 reviewed Jun 20, 2024
View reviewed changes
Copy link

@EnriqueL8 EnriqueL8 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a thought that we could keep the trivyignore so that we don't have to update the Dockerfile every time

Dockerfile Show resolved Hide resolved
.trivyignore Show resolved Hide resolved
EnriqueL8
EnriqueL8 reviewed Jun 20, 2024
View reviewed changes
Dockerfile Show resolved Hide resolved
@EnriqueL8
fix other CVEs as well
b2f6670 
Signed-off-by: Enrique Lacal <[email protected]>
@EnriqueL8 EnriqueL8 mentioned this pull request Jul 31, 2024
Closed
EnriqueL8
EnriqueL8 approved these changes Jul 31, 2024
View reviewed changes
Copy link

@EnriqueL8 EnriqueL8 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

EnriqueL8 added 2 commits July 31, 2024 10:49
@EnriqueL8
change github workflow
0520583 
Signed-off-by: Enrique Lacal <[email protected]>
@EnriqueL8
update github workflow to use debian
b2eab33 
Signed-off-by: Enrique Lacal <[email protected]>
@EnriqueL8 EnriqueL8 merged commit dbc2ad8 into release-v0.9.20 Jul 31, 2024
2 checks passed
@EnriqueL8 EnriqueL8 deleted the v0.9.20-cve-patches branch July 31, 2024 09:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@EnriqueL8 EnriqueL8 EnriqueL8 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@onelapahead @EnriqueL8