Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(sec): fix vulns by bumping pkgs to patched ver #6060

Merged
merged 3 commits into from
Jan 8, 2024

Conversation

hainenber
Copy link
Contributor

PR Description

  • Fixes GO-2023-2409 by bumping github.com/burningalchemist/sql_exporter and github.com/snowflakedb/gosnowflake to master branch to get rid of go-jose/v1.5.0 in go.sum
  • Fixes GO-2023-2412 by bumping github.com/containerd/containerd to v1.7.11
  • Fixes CVE-2023-49568 by bumping github.com/go-git/go-git/v5 to v5.11.0

Which issue(s) this PR fixes

Notes to the Reviewer

PR Checklist

  • CHANGELOG.md updated

Sorry, something went wrong.

Signed-off-by: hainenber <dotronghai96@gmail.com>
Signed-off-by: hainenber <dotronghai96@gmail.com>
Signed-off-by: hainenber <dotronghai96@gmail.com>
@ptodev ptodev self-assigned this Jan 8, 2024
@ptodev
Copy link
Contributor

ptodev commented Jan 8, 2024

Hi, @hainenber, thank you for the PR! How did you find those vulnerabilities? I tried a command like this just now:

trivy --scanners vuln image grafana/agent:main

I see CVE-2023-49568 listed there, but not the other two vulnerabilities which you mentioned. Did you use a different vulnerability scanner?

@hainenber
Copy link
Contributor Author

It's the scanner used by folks at deps.dev :D

For the agent, it's here

@ptodev ptodev merged commit c30cae4 into grafana:main Jan 8, 2024
10 checks passed
@hainenber hainenber deleted the remdiate-reported-vulns branch January 9, 2024 14:20
marctc pushed a commit that referenced this pull request Jan 19, 2024
* chore(sec): fix vulns by bumping pkgs to patched ver

Signed-off-by: hainenber <dotronghai96@gmail.com>

* chore(doc): add CHANGELOG entry

Signed-off-by: hainenber <dotronghai96@gmail.com>

* fix(ci): accomodate func signature change

Signed-off-by: hainenber <dotronghai96@gmail.com>

---------

Signed-off-by: hainenber <dotronghai96@gmail.com>
marctc added a commit that referenced this pull request Jan 19, 2024
* add nsis check for environment var (#6185)

* add nsis check for environment var

* add changelog

* chore(sec): fix vulns by bumping pkgs to patched ver (#6060)

* chore(sec): fix vulns by bumping pkgs to patched ver

Signed-off-by: hainenber <dotronghai96@gmail.com>

* chore(doc): add CHANGELOG entry

Signed-off-by: hainenber <dotronghai96@gmail.com>

* fix(ci): accomodate func signature change

Signed-off-by: hainenber <dotronghai96@gmail.com>

---------

Signed-off-by: hainenber <dotronghai96@gmail.com>

---------

Signed-off-by: hainenber <dotronghai96@gmail.com>
Co-authored-by: mattdurham <mattdurham@ppog.org>
Co-authored-by: Đỗ Trọng Hải <41283691+hainenber@users.noreply.github.com>
BarunKGP pushed a commit to BarunKGP/grafana-agent that referenced this pull request Feb 20, 2024
* chore(sec): fix vulns by bumping pkgs to patched ver

Signed-off-by: hainenber <dotronghai96@gmail.com>

* chore(doc): add CHANGELOG entry

Signed-off-by: hainenber <dotronghai96@gmail.com>

* fix(ci): accomodate func signature change

Signed-off-by: hainenber <dotronghai96@gmail.com>

---------

Signed-off-by: hainenber <dotronghai96@gmail.com>
@github-actions github-actions bot added the frozen-due-to-age Locked due to a period of inactivity. Please open new issues or PRs if more discussion is needed. label Feb 21, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 21, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
frozen-due-to-age Locked due to a period of inactivity. Please open new issues or PRs if more discussion is needed.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants