
Updates to fix grpc and docker CVEs #2878

Merged
merged 3 commits into from
Nov 3, 2023

Conversation

dfarrell07
Copy link
Member

See commit messages for details.

Update generated by `go get -u github.com/docker/docker`/`go mod tidy`.

This is flagged by the Vulnerability Scanning GHA on the release-0.15
branch for docker v23.0.5 and was fixed in v24.0.7.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Update generated by `google.golang.org/grpc`/`go mod tidy`.

This is flagged by the Vulnerability Scanning GHA on the release-0.15
branch for grpc v1.53.0 and was fixed in v1.56.3.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
@submariner-bot
Copy link
Contributor

🤖 Created branch: z_pr2878/dfarrell07/http_cve2
🚀 Full E2E won't run until the "ready-to-test" label is applied. I will add it automatically once the PR has 2 approvals, or you can add it manually.

@dfarrell07
Copy link
Member Author

There's still an issue with go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.35.1 that I'm not sure how to resolve.

[~/go/src/submariner-io/submariner-operator]$ go get -u go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp [release-0.15]
go: downloading go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0
go: downloading go.opentelemetry.io/contrib/instrumentation/net/http v0.11.0
go: downloading go.opentelemetry.io/contrib v1.20.0
go: downloading go.opentelemetry.io v0.1.0
go: downloading go.opentelemetry.io/otel v1.19.0
go: downloading go.opentelemetry.io/otel/metric v1.19.0
go: downloading go.opentelemetry.io/otel/trace v1.19.0
go: downloading github.com/go-logr/logr v1.3.0
go: upgraded github.com/go-logr/logr v1.2.3 => v1.3.0
go: upgraded github.com/stretchr/testify v1.8.1 => v1.8.4
go: upgraded go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1 => v0.45.0
go: upgraded go.opentelemetry.io/otel v1.11.0 => v1.19.0
go: upgraded go.opentelemetry.io/otel/metric v0.31.0 => v1.19.0
go: upgraded go.opentelemetry.io/otel/trace v1.11.0 => v1.19.0
[~/go/src/submariner-io/submariner-operator]$ go mod tidy *[release-0.15]
go: finding module for package go.opentelemetry.io/otel/exporters/otlp/internal/envconfig
go: finding module for package go.opentelemetry.io/otel/exporters/otlp/internal
go: downloading go.opentelemetry.io/otel/exporters/otlp v0.20.1
github.com/submariner-io/submariner-operator imports
	github.com/operator-framework/operator-sdk/cmd/operator-sdk imports
	github.com/operator-framework/operator-sdk/internal/cmd/operator-sdk/cli imports
	github.com/operator-framework/operator-sdk/internal/cmd/operator-sdk/bundle imports
	github.com/operator-framework/operator-sdk/internal/cmd/operator-sdk/bundle/validate imports
	github.com/operator-framework/api/pkg/validation imports
	github.com/operator-framework/api/pkg/validation/internal imports
	k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation imports
	k8s.io/apiserver/pkg/util/webhook imports
	k8s.io/component-base/tracing imports
	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc imports
	go.opentelemetry.io/otel/exporters/otlp/internal: module go.opentelemetry.io/otel/exporters/otlp@latest found (v0.20.1), but does not contain package go.opentelemetry.io/otel/exporters/otlp/internal
github.com/submariner-io/submariner-operator imports
	github.com/operator-framework/operator-sdk/cmd/operator-sdk imports
	github.com/operator-framework/operator-sdk/internal/cmd/operator-sdk/cli imports
	github.com/operator-framework/operator-sdk/internal/cmd/operator-sdk/bundle imports
	github.com/operator-framework/operator-sdk/internal/cmd/operator-sdk/bundle/validate imports
	github.com/operator-framework/api/pkg/validation imports
	github.com/operator-framework/api/pkg/validation/internal imports
	k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation imports
	k8s.io/apiserver/pkg/util/webhook imports
	k8s.io/component-base/tracing imports
	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc imports
	go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/otlpconfig imports
	go.opentelemetry.io/otel/exporters/otlp/internal/envconfig: module go.opentelemetry.io/otel/exporters/otlp@latest found (v0.20.1), but does not contain package go.opentelemetry.io/otel/exporters/otlp/internal/envconfig

Same thing if I do go get -u go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.44.0.

@skitt
Copy link
Member

skitt commented Nov 3, 2023

The otel dependencies are a pain to deal with (not through otel’s fault, and there’s been recent work in k/k to improve things, but we’re still left to deal with the fallout — for CVEs which mostly don’t apply to us).

GHSA-rcjv-mgp8-qvmr identifies
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp as the
vulnerable dependency. Bumping that to v0.44.0 requires bumping
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc too,
along with all their dependencies.

It’s not clear that CVE-2023-45142 actually affects Submariner but
this will appease the scanners.

Signed-off-by: Stephen Kitt <skitt@redhat.com>
@skitt
Copy link
Member

skitt commented Nov 3, 2023

The way to fix this is to look for the first “integration point” in the dependency tree for a given family of dependencies. In

github.com/submariner-io/submariner-operator imports
	github.com/operator-framework/operator-sdk/cmd/operator-sdk imports
	github.com/operator-framework/operator-sdk/internal/cmd/operator-sdk/cli imports
	github.com/operator-framework/operator-sdk/internal/cmd/operator-sdk/bundle imports
	github.com/operator-framework/operator-sdk/internal/cmd/operator-sdk/bundle/validate imports
	github.com/operator-framework/api/pkg/validation imports
	github.com/operator-framework/api/pkg/validation/internal imports
	k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation imports
	k8s.io/apiserver/pkg/util/webhook imports
	k8s.io/component-base/tracing imports
	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc imports
	go.opentelemetry.io/otel/exporters/otlp/internal: module go.opentelemetry.io/otel/exporters/otlp@latest found (v0.20.1), but does not contain package go.opentelemetry.io/otel/exporters/otlp/internal

that’s the transition from k8s.io dependencies to go.opentelemetry.io dependencies, which happens with go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. That is also the integration point for the second error.

go get go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc fixes the dependency tree.
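
As an added illustration of the "integration point" approach described above (not code from this PR or from the Submariner project), this Go program parses a `go mod tidy` import-chain error like the one quoted and returns the first package where the chain crosses into the target module family, which is the module to `go get`. The sample error text is a constructed, shortened copy of the first error in this thread; ParseImportChain, IntegrationPoint and family are hypothetical helper names.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: a shortened copy of the first `go mod tidy` error
// quoted in the discussion (intermediate operator-framework lines dropped).
const sampleErr = `github.com/submariner-io/submariner-operator imports
	github.com/operator-framework/operator-sdk/cmd/operator-sdk imports
	k8s.io/apiserver/pkg/util/webhook imports
	k8s.io/component-base/tracing imports
	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc imports
	go.opentelemetry.io/otel/exporters/otlp/internal: module go.opentelemetry.io/otel/exporters/otlp@latest found (v0.20.1), but does not contain package go.opentelemetry.io/otel/exporters/otlp/internal`

// ParseImportChain turns one "X imports / Y imports / Z: ..." error into
// the ordered list of package paths X, Y, Z.
func ParseImportChain(msg string) []string {
	var chain []string
	for _, line := range strings.Split(msg, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		if strings.HasSuffix(line, " imports") {
			chain = append(chain, strings.TrimSuffix(line, " imports"))
			continue
		}
		// Final line: "<pkg>: module ... does not contain package ...".
		chain = append(chain, strings.SplitN(line, ":", 2)[0])
	}
	return chain
}

// family is the module host, i.e. the first path element
// ("k8s.io", "go.opentelemetry.io").
func family(pkg string) string {
	return strings.SplitN(pkg, "/", 2)[0]
}

// IntegrationPoint returns the first package in the chain that belongs to
// target while its predecessor does not: the point where one dependency
// family hands over to the next, and hence the module to `go get`.
func IntegrationPoint(chain []string, target string) (string, bool) {
	for i, p := range chain {
		if family(p) == target && (i == 0 || family(chain[i-1]) != target) {
			return p, true
		}
	}
	return "", false
}

func main() {
	if p, ok := IntegrationPoint(ParseImportChain(sampleErr), "go.opentelemetry.io"); ok {
		fmt.Printf("go get %s\n", p)
	}
}
```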

@dfarrell07
Copy link
Member Author

Oh I see you already added the final commit, thanks!

@submariner-bot submariner-bot added the ready-to-test When a PR is ready for full E2E testing label Nov 3, 2023
@tpantelis tpantelis enabled auto-merge (rebase) November 3, 2023 16:38
@tpantelis tpantelis merged commit 981559e into submariner-io:release-0.15 Nov 3, 2023
39 of 42 checks passed
@submariner-bot
Copy link
Contributor

🤖 Closed branches: [z_pr2878/dfarrell07/http_cve2]

Labels: ready-to-test (When a PR is ready for full E2E testing), security