
Upgrade Go libraries to resolve security issues #2094

Merged
merged 1 commit into from
Jan 24, 2023

Conversation

tenzen-y
Member

Signed-off-by: Yuki Iwai <yuki.iwai.tz@gmail.com>

What this PR does / why we need it:
I upgraded some Go libraries to resolve security issues.

$ trivy image --severity CRITICAL,HIGH --ignore-unfixed kubeflowkatib/katib-controller
2023-01-24T19:05:03.839+0900	INFO	Need to update DB
2023-01-24T19:05:03.839+0900	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-01-24T19:05:03.839+0900	INFO	Downloading DB...
36.14 MiB / 36.14 MiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 17.14 MiB p/s 2.3s
2023-01-24T19:05:08.165+0900	INFO	Vulnerability scanning is enabled
2023-01-24T19:05:08.165+0900	INFO	Secret scanning is enabled
2023-01-24T19:05:08.165+0900	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-01-24T19:05:08.165+0900	INFO	Please see also https://aquasecurity.github.io/trivy/v0.35/docs/secret/scanning/#recommendation for faster secret detection
2023-01-24T19:05:12.804+0900	INFO	Detected OS: alpine
2023-01-24T19:05:12.804+0900	INFO	Detecting Alpine vulnerabilities...
2023-01-24T19:05:12.805+0900	INFO	Number of language-specific files: 1
2023-01-24T19:05:12.805+0900	INFO	Detecting gobinary vulnerabilities...

kubeflowkatib/katib-controller (alpine 3.15.6)

Total: 0 (HIGH: 0, CRITICAL: 0)


app/katib-controller (gobinary)

Total: 3 (HIGH: 3, CRITICAL: 0)

┌───────────────────┬────────────────┬──────────┬────────────────────────────────────┬─────────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │         Installed Version          │            Fixed Version            │                            Title                            │
├───────────────────┼────────────────┼──────────┼────────────────────────────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net  │ CVE-2022-27664 │ HIGH     │ v0.0.0-20220722155237-a158d28d115b │ 0.0.0-20220906165146-f3363e06e74c   │ golang: net/http: handle server errors after sending GOAWAY │
│                   │                │          │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2022-27664                  │
│                   ├────────────────┤          │                                    ├─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-41721 │          │                                    │ 0.1.1-0.20221104162952-702349b0e862 │ A request smuggling attack is possible when using           │
│                   │                │          │                                    │                                     │ MaxBytesHandler. Whe ...                                    │
│                   │                │          │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2022-41721                  │
├───────────────────┼────────────────┤          ├────────────────────────────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/text │ CVE-2022-32149 │          │ v0.3.7                             │ 0.3.8                               │ golang: golang.org/x/text/language: ParseAcceptLanguage     │
│                   │                │          │                                    │                                     │ takes a long time to parse complex tags                     │
│                   │                │          │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2022-32149                  │
└───────────────────┴────────────────┴──────────┴────────────────────────────────────┴─────────────────────────────────────┴─────────────────────────────────────────────────────────────┘

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Checklist:

  • Docs included if any changes are user facing
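As an added example (not part of this PR or of the Katib project), a script that reads the JSON form of the trivy scan shown above and derives the per-library upgrade target; the interesting case is golang.org/x/net, where two findings name different fixed versions and the later pseudo-version has to be chosen so that one bump closes both. The report below is constructed from the table in the PR description, and the JSON field names (Results, Vulnerabilities, PkgName, FixedVersion, Severity) are assumed to match trivy's `-f json` output.

```python
"""Turn a trivy JSON report into the per-library upgrade targets a PR like this one needs."""
import json

# Constructed report mirroring the three gobinary findings in the PR description; the field
# names follow trivy's `-f json` output as assumed here, this is not a captured file.
SAMPLE_REPORT = json.dumps({"Results": [{"Target": "app/katib-controller", "Type": "gobinary",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2022-27664", "PkgName": "golang.org/x/net",
         "InstalledVersion": "v0.0.0-20220722155237-a158d28d115b",
         "FixedVersion": "0.0.0-20220906165146-f3363e06e74c", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2022-41721", "PkgName": "golang.org/x/net",
         "InstalledVersion": "v0.0.0-20220722155237-a158d28d115b",
         "FixedVersion": "0.1.1-0.20221104162952-702349b0e862", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2022-32149", "PkgName": "golang.org/x/text",
         "InstalledVersion": "v0.3.7", "FixedVersion": "0.3.8", "Severity": "HIGH"},
    ]}]})


def version_key(v: str) -> tuple:
    """Sort key for Go module versions, including pseudo-versions such as
    0.1.1-0.20221104162952-702349b0e862: numeric x.y.z first, then a release (no
    pre-release suffix) outranks a pre-release of the same core, then the suffix itself
    (for pseudo-versions that is the commit timestamp, so newer sorts higher)."""
    core, _, pre = v.lstrip("v").partition("-")
    core = core.split("+")[0]  # drop a +incompatible build suffix if present
    nums = tuple(int(x) for x in core.split("."))
    return (nums, pre == "", pre)


def required_upgrades(report_json: str, block_on=("HIGH", "CRITICAL")) -> dict:
    """Return {library: highest FixedVersion} over blocking findings that have a fix.
    Unfixed findings are skipped (same policy as --ignore-unfixed in the scan above);
    the highest fix is chosen so that one bump closes every finding for that library."""
    need = {}
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            fixed = vuln.get("FixedVersion", "").split(",")[0].strip()  # first of several
            if not fixed or vuln.get("Severity") not in block_on:
                continue
            pkg = vuln["PkgName"]
            if pkg not in need or version_key(need[pkg]) < version_key(fixed):
                need[pkg] = fixed
    return need


if __name__ == "__main__":
    for pkg, ver in sorted(required_upgrades(SAMPLE_REPORT).items()):
        print(f"go get {pkg}@v{ver}")
```

In a CI job the same function can gate the image build: a non-empty result means the scan in the PR description would have reported fixable HIGH/CRITICAL findings.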

@tenzen-y tenzen-y changed the title Upgrade Go libraies to resolve security issues Upgrade Go libraries to resolve security issues Jan 24, 2023
Signed-off-by: Yuki Iwai <yuki.iwai.tz@gmail.com>
@tenzen-y
Member Author

/assign @johnugeorge @andreyvelich

Member

@andreyvelich andreyvelich left a comment


Thank you for updating this @tenzen-y!
/lgtm
/approve

@google-oss-prow google-oss-prow bot added the lgtm label Jan 24, 2023
@google-oss-prow

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andreyvelich, tenzen-y

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [andreyvelich,tenzen-y]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit 5f40e12 into kubeflow:master Jan 24, 2023
@tenzen-y tenzen-y deleted the upgrade-go-library branch January 24, 2023 17:53