Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Broken "cloud.google.com/go/compute/metadata" dependency #1555

Merged
merged 4 commits into from
Nov 14, 2023
Merged

Broken "cloud.google.com/go/compute/metadata" dependency #1555

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
74ed0aa
Task:1551 Fix problem with cloud.google.com/go/compute/metadata depen…
Nov 13, 2023
1531230
Task:1551 Update vulnerable dependency
Nov 13, 2023
cc65a70
Task:1551 revert version update that brokes the build
Nov 13, 2023
337924a
Task:1551 Update go.opentelemetry.io/contrib/instrumentation/google.g…
Nov 14, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .golangci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -297,3 +297,7 @@ issues:
linters:
- interfacer
text: "`rawSrv` can be `github.com/networkservicemesh/sdk/pkg/networkservice/common/monitor.EventConsumer`"
- path: pkg/tools/tracing/grpcoptions.go
linters:
- staticcheck
text: "SA1019: otelgrpc.*"
44 changes: 22 additions & 22 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ require (
github.com/ghodss/yaml v1.0.0
github.com/golang-jwt/jwt/v4 v4.2.0
github.com/golang/protobuf v1.5.3
github.com/google/go-cmp v0.5.9
github.com/google/go-cmp v0.6.0
github.com/google/uuid v1.3.1
github.com/miekg/dns v1.1.50
github.com/nats-io/nats-streaming-server v0.24.6
Expand All @@ -26,19 +26,19 @@ require (
github.com/sirupsen/logrus v1.9.0
github.com/spiffe/go-spiffe/v2 v2.0.0
github.com/stretchr/testify v1.8.4
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0
go.opentelemetry.io/otel v1.19.0-rc.1
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.42.0-rc.1
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0-rc.1
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0-rc.1
go.opentelemetry.io/otel/exporters/prometheus v0.42.0-rc.1
go.opentelemetry.io/otel/exporters/zipkin v1.19.0-rc.1
go.opentelemetry.io/otel/metric v1.19.0-rc.1
go.opentelemetry.io/otel/sdk v1.19.0-rc.1
go.opentelemetry.io/otel/sdk/metric v1.19.0-rc.1
go.opentelemetry.io/otel/trace v1.19.0-rc.1
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.0
go.opentelemetry.io/otel v1.20.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.43.0
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This version contains CVE-2023-47108, could you update otel to v0.46.0?

Suggested change
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.43.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.46.0

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you specified the correct dependency? It is the latest one:
Screenshot 2023-11-13 at 16 11 27

Copy link
Contributor Author

@dualBreath dualBreath Nov 13, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've updated go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to version v0.46.0. Hope this will solve the problem

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems to break the build. I'll revert this change and try to update the version in a separate task.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've updated go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to version v0.46.0 and disabled linter

go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.20.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.20.0
go.opentelemetry.io/otel/exporters/prometheus v0.43.0
go.opentelemetry.io/otel/exporters/zipkin v1.20.0
go.opentelemetry.io/otel/metric v1.20.0
go.opentelemetry.io/otel/sdk v1.20.0
go.opentelemetry.io/otel/sdk/metric v1.20.0
go.opentelemetry.io/otel/trace v1.20.0
go.uber.org/atomic v1.7.0
go.uber.org/goleak v1.2.1
go.uber.org/goleak v1.3.0
golang.org/x/net v0.17.0
gonum.org/v1/gonum v0.6.2
google.golang.org/grpc v1.59.0
Expand All @@ -47,7 +47,7 @@ require (
)

require (
cloud.google.com/go/compute/metadata v0.2.3 // indirect
cloud.google.com/go/compute v1.23.1 // indirect
github.com/OneOfOne/xxhash v1.2.8 // indirect
github.com/agnivade/levenshtein v1.1.1 // indirect
github.com/armon/go-metrics v0.0.0-20190430140413-ec5e00d3c878 // indirect
Expand All @@ -58,7 +58,7 @@ require (
github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/fatih/color v1.7.0 // indirect
github.com/go-logr/logr v1.2.4 // indirect
github.com/go-logr/logr v1.3.0 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
Expand All @@ -83,26 +83,26 @@ require (
github.com/nats-io/nuid v1.0.1 // indirect
github.com/openzipkin/zipkin-go v0.4.2 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/prometheus/client_golang v1.16.0 // indirect
github.com/prometheus/client_model v0.4.0 // indirect
github.com/prometheus/common v0.42.0 // indirect
github.com/prometheus/procfs v0.10.1 // indirect
github.com/prometheus/client_golang v1.17.0 // indirect
github.com/prometheus/client_model v0.5.0 // indirect
github.com/prometheus/common v0.44.0 // indirect
github.com/prometheus/procfs v0.11.1 // indirect
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
github.com/tchap/go-patricia/v2 v2.3.1 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
github.com/yashtewari/glob-intersection v0.1.0 // indirect
github.com/zeebo/errs v1.2.2 // indirect
go.etcd.io/bbolt v1.3.6 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.42.0-rc.1 // indirect
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/proto/otlp v1.0.0 // indirect
golang.org/x/crypto v0.14.0 // indirect
golang.org/x/mod v0.10.0 // indirect
golang.org/x/sys v0.13.0 // indirect
golang.org/x/sys v0.14.0 // indirect
golang.org/x/text v0.13.0 // indirect
golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 // indirect
golang.org/x/tools v0.9.3 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20231012201019-e917dd12ba7a // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405 // indirect
gopkg.in/square/go-jose.v2 v2.5.1 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
Expand Down
Loading
Loading