Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade indirect dependancy go-libp2p-core to v0.20.1 #1626

Conversation

bsalunke
Copy link
Contributor

@bsalunke bsalunke commented Dec 8, 2022

Upgrade indirect dependancy go-libp2p-core v0.8.6 to go-libp2p-core v0.20.1 to remove indirect dependacy of btcd module which is vulnerable to CVE-2022-44797

What is it fixing
Nerdctl has an indirect dependency module ("github.com/btcsuite/btcd v0.21.0-beta) having vulnerability reported https://nvd.nist.gov/vuln/detail/CVE-2022-44797.

As explained by @AkihiroSuda, it's false positive and nerdctl does not trigger the code path in any way to invoke "btcd" module. The fix provided was VEX set to eliminate #1571

However APIK some of the open source scanner does not support VEX as of today. e.g. aquasecurity/trivy#1836.

Fix
Upgrade indirect dependancy go-libp2p-core v0.8.6 to go-libp2p-core v0.20.1

Please let me know if more information needs to be added.

go.mod Outdated
require (
github.com/AdaLogics/go-fuzz-headers v0.0.0-20221007124625-37f5449ff7df // indirect
github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20220912195655-e1f97a00006b // indirect
github.com/Microsoft/hcsshim v0.10.0-rc.1 // indirect
github.com/btcsuite/btcd v0.21.0-beta // indirect
// ↑The `github.com/btcsuite/btcd` line exists for the indirect dependency on `github.com/btcsuite/btcd/btcec` (secp256k1 elliptic curve cryptography library) via `github.com/ipfs/go-ipfs-http-client`.
// https://github.com/btcsuite/btcd/tree/master/btcec
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This note can be now dropped

Copy link
Contributor Author

@bsalunke bsalunke Dec 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@AkihiroSuda Updated PR to address review comment. Thanks!

go.mod Outdated
@@ -58,11 +58,16 @@ require (
gotest.tools/v3 v3.4.0
)

require (
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to create another require()

@AkihiroSuda
Copy link
Member

Could you squash the commits? Then LGTM

@bsalunke bsalunke force-pushed the upgrade_indirect_dependancy_module_to_fix_fp_CVE-2022-44797 branch from f405a3e to 0bfc67f Compare December 9, 2022 05:10
@AkihiroSuda
Copy link
Member

Thanks, but please sign the commit for DCO
https://github.com/apps/dco

(run git commit -a -s --amend, and make sure that the Signed-off-by: NAME <EMAIL> line with your real name is included in the commit message)

Signed-off-by: Balasaheb Salunke <bg.salunke09@gmail.com>
@bsalunke bsalunke force-pushed the upgrade_indirect_dependancy_module_to_fix_fp_CVE-2022-44797 branch from 0bfc67f to e2dbab5 Compare December 9, 2022 05:17
Copy link
Member

@AkihiroSuda AkihiroSuda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@bsalunke
Copy link
Contributor Author

bsalunke commented Dec 9, 2022

@AkihiroSuda Thank you for help. I see it's marked for v1.1.0. Any rough timeline for v1.1.0 release?

@AkihiroSuda
Copy link
Member

@AkihiroSuda Thank you for help. I see it's marked for v1.1.0. Any rough timeline for v1.1.0 release?

As soon as containerd/accelerated-container-image#155 (comment) is addressed

@AkihiroSuda AkihiroSuda merged commit c2c648c into containerd:main Dec 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants