chore: specify Go patch version 1.22.5 #305

matheusfm · 2024-07-31T13:17:58Z

Description

This PR specifies the Go patch version 1.22.5 to avoid some vulnerabilities.

Before:

trivy image ghcr.io/undistro/zora/operator:v0.9.2
2024-07-31T10:06:56-03:00	INFO	Need to update DB
2024-07-31T10:06:56-03:00	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
50.74 MiB / 50.74 MiB [----------------------------------------------------------------------------------------------------] 100.00% 5.84 MiB p/s 8.9s
2024-07-31T10:07:06-03:00	INFO	Vulnerability scanning is enabled
2024-07-31T10:07:06-03:00	INFO	Secret scanning is enabled
2024-07-31T10:07:06-03:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-31T10:07:06-03:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-07-31T10:07:12-03:00	INFO	Detected OS	family="debian" version="12.5"
2024-07-31T10:07:12-03:00	INFO	[debian] Detecting vulnerabilities...	os_version="12" pkg_num=3
2024-07-31T10:07:12-03:00	INFO	Number of language-specific files	num=1
2024-07-31T10:07:12-03:00	INFO	[gobinary] Detecting vulnerabilities...

ghcr.io/undistro/zora/operator:v0.9.2 (debian 12.5)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


manager (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                          Title                           │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-45288 │ MEDIUM   │ fixed  │ v0.21.0           │ 0.23.0          │ golang: net/http, x/net/http2: unlimited number of       │
│                  │                │          │        │                   │                 │ CONTINUATION frames causes DoS                           │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288               │
├──────────────────┼────────────────┤          │        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────┤
│ stdlib           │ CVE-2024-24791 │          │        │ 1.21.11           │ 1.21.12, 1.22.5 │ net/http: Denial of service due to improper 100-continue │
│                  │                │          │        │                   │                 │ handling in net/http                                     │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24791               │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────┘

Now:

trivy image operator:latest
2024-07-31T10:11:24-03:00       INFO    Vulnerability scanning is enabled
2024-07-31T10:11:24-03:00       INFO    Secret scanning is enabled
2024-07-31T10:11:24-03:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-31T10:11:24-03:00       INFO    Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-07-31T10:11:26-03:00       INFO    Detected OS     family="debian" version="11.7"
2024-07-31T10:11:26-03:00       INFO    [debian] Detecting vulnerabilities...   os_version="11" pkg_num=3
2024-07-31T10:11:26-03:00       INFO    Number of language-specific files       num=1
2024-07-31T10:11:26-03:00       INFO    [gobinary] Detecting vulnerabilities...

operator:latest (debian 11.7)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Linked Issues

How has this been tested?

Building a docker image make docker-build and scanning with Trivy trivy image operator:latest.
Note that the project was already using Go 1.22.

Checklist

I have labeled this PR with the relevant Type labels
I have documented my code (if applicable)
My changes are covered by tests

knrc

The only change necessary should be to change to go.mod version go 1.22.5, the builder versions are floating tags and should be the latest 1.22 version

matheusfm · 2024-07-31T14:11:19Z

The only change necessary should be to change to go.mod version go 1.22.5, the builder versions are floating tags and should be the latest 1.22 version

Done

chore: specify Go patch version: 1.22.5

21f0678

matheusfm added the dependencies Pull requests that update a dependency file label Jul 31, 2024

matheusfm requested a review from knrc July 31, 2024 13:17

matheusfm self-assigned this Jul 31, 2024

knrc requested changes Jul 31, 2024

View reviewed changes

chore: using floating tags in golang docker image

995d21c

knrc approved these changes Jul 31, 2024

View reviewed changes

matheusfm merged commit 65c0983 into main Jul 31, 2024
4 checks passed

matheusfm deleted the bump-go branch July 31, 2024 15:12

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: specify Go patch version 1.22.5 #305

chore: specify Go patch version 1.22.5 #305

matheusfm commented Jul 31, 2024

knrc left a comment

matheusfm commented Jul 31, 2024

chore: specify Go patch version 1.22.5 #305

chore: specify Go patch version 1.22.5 #305

Conversation

matheusfm commented Jul 31, 2024

Description

Linked Issues

How has this been tested?

Checklist

knrc left a comment

Choose a reason for hiding this comment

matheusfm commented Jul 31, 2024