Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security fixes #966

Merged
merged 11 commits into from Aug 30, 2022
Merged

security fixes #966

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
08db653
upgrade go-kit/kit
TheoBrigitte Aug 8, 2022
038578f
upgrade getsentry/sentry-go
TheoBrigitte Aug 8, 2022
a1a94d6
change getsentry/sentry-go to github.com/zendesk/sentry-go@catkins/up…
TheoBrigitte Aug 8, 2022
e4866bb
sentry-go fixes CVE-2021-23772
TheoBrigitte Aug 8, 2022
8809a9d
remove .nancy-ignore entries
TheoBrigitte Aug 8, 2022
eacc70c
add sentry-go comment
TheoBrigitte Aug 9, 2022
a501df2
upgrade go-kit to master
TheoBrigitte Aug 9, 2022
b2709fd
go mod tidy
TheoBrigitte Aug 9, 2022
6fab548
upgrade github.com/getsentry/sentry-go to master (33f7b69)
TheoBrigitte Aug 30, 2022
63fb556
go mod tidy
TheoBrigitte Aug 30, 2022
ed9f19e
Merge remote-tracking branch 'origin/master' into security-fixes
TheoBrigitte Aug 30, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
32 changes: 0 additions & 32 deletions .nancy-ignore
View file
Open in desktop
Expand Up @@ -21,42 +21,10 @@ CVE-2022-24687 until=2022-11-01
CVE-2022-29153 until=2022-11-01
CVE-2022-24687 until=2022-11-01

# pkg:golang/github.com/kataras/iris/v12@v12.1.8
# imported from: github.com/giantswarm/operatorkit/v7@v7.0.1
CVE-2021-23772 until=2022-11-01

# pkg:golang/github.com/microcosm-cc/bluemonday@v1.0.2
# imported from: github.com/giantswarm/operatorkit/v7@v7.0.1
CVE-2021-42576 until=2022-11-01

# pkg:golang/github.com/nats-io/jwt@v0.3.0
# imported from:
# - github.com/giantswarm/operatorkit/v7@v7.0.1
# - github.com/giantswarm/exporterkit@v1.0.0
# - github.com/giantswarm/microendpoint@v1.0.0
# - github.com/giantswarm/microkit@v1.0.0
CVE-2020-26892 until=2022-11-01
CVE-2021-3127 until=2022-11-01

# pkg:golang/github.com/nats-io/nats-server/v2@v2.5.0
# imported from:
# - github.com/giantswarm/operatorkit/v7@v7.0.1
# - github.com/giantswarm/exporterkit@v1.0.0
# - github.com/giantswarm/microendpoint@v1.0.0
# - github.com/giantswarm/microkit@v1.0.0
CVE-2022-24450 until=2022-11-01
CVE-2022-29946 until=2022-11-01
CVE-2022-26652 until=2022-11-01
CVE-2022-28357 until=2022-11-01

# pkg:golang/github.com/urfave/negroni@v1.0.0
# imported from: github.com/giantswarm/operatorkit/v7@v7.0.1
sonatype-2021-1485 until=2022-11-01

# pkg:golang/github.com/valyala/fasthttp@v1.6.0
# imported from: github.com/giantswarm/operatorkit/v7@v7.0.1
CVE-2022-21221 until=2022-11-01

# pkg:golang/go.mongodb.org/mongo-driver@v1.1.2
# imported from:
# - github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring@v0.52.1
Expand Down
5 changes: 5 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Expand Up @@ -11,6 +11,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

- Add service priority as a tag in opsgenie alerts.

### Fixed

- Upgrade go-kit/kit to fix CVE-2022-24450 and CVE-2022-29946.
- Upgrade getsentry/sentry-go to fix CVE-2021-23772, CVE-2021-42576, CVE-2020-26892, and CVE-2021-3127.

## [4.3.0] - 2022-08-02

### Fixed
Expand Down
70 changes: 38 additions & 32 deletions go.mod
View file
Open in desktop
Expand Up @@ -17,7 +17,7 @@ require (
github.com/prometheus-operator/prometheus-operator/pkg/client v0.52.1
github.com/sirupsen/logrus v1.8.1
github.com/spf13/viper v1.11.0
golang.org/x/net v0.0.0-20220524220425-1d687d428aca
golang.org/x/net v0.0.0-20220805013720-a33c5aa5df48
k8s.io/api v0.22.3
k8s.io/apiextensions-apiserver v0.22.3
k8s.io/apimachinery v0.22.3
Expand All @@ -29,23 +29,8 @@ require (
)

require (
github.com/blang/semver v3.5.1+incompatible // indirect
github.com/go-kit/log v0.2.0 // indirect
github.com/gobuffalo/flect v0.2.3 // indirect
github.com/hashicorp/golang-lru v0.5.4 // indirect
github.com/onsi/gomega v1.16.0 // indirect
github.com/pelletier/go-toml/v2 v2.0.1 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/prometheus/client_golang v1.12.1 // indirect
github.com/prometheus/common v0.32.1 // indirect
golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
)

require (
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver v1.5.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
github.com/cenkalti/backoff/v4 v4.1.2 // indirect
github.com/cespare/xxhash/v2 v2.1.2 // indirect
github.com/coreos/go-semver v0.3.0 // indirect
Expand All @@ -55,12 +40,13 @@ require (
github.com/getsentry/sentry-go v0.12.0 // indirect
github.com/giantswarm/backoff v1.0.0 // indirect
github.com/giantswarm/exporterkit v1.0.0 // indirect
github.com/giantswarm/k8sclient/v7 v7.0.1
github.com/giantswarm/to v0.4.0 // indirect
github.com/go-kit/kit v0.12.0 // indirect
github.com/go-kit/log v0.2.0 // indirect
github.com/go-logfmt/logfmt v0.5.1 // indirect
github.com/go-logr/logr v0.4.0 // indirect
github.com/go-stack/stack v1.8.1 // indirect
github.com/gobuffalo/flect v0.2.3 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.2 // indirect
Expand All @@ -70,52 +56,72 @@ require (
github.com/gorilla/mux v1.8.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-retryablehttp v0.5.3 // indirect
github.com/hashicorp/golang-lru v0.5.4 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/huandu/xstrings v1.3.2 // indirect
github.com/imdario/mergo v0.3.12 // indirect
github.com/inconshreveable/mousetrap v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/magiconair/properties v1.8.6 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/onsi/ginkgo v1.16.5 // indirect
github.com/onsi/gomega v1.18.1 // indirect
github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
github.com/pelletier/go-toml v1.9.5 // indirect
github.com/pelletier/go-toml/v2 v2.0.1 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/prometheus/client_golang v1.12.1 // indirect
github.com/prometheus/client_model v0.2.0 // indirect
github.com/prometheus/common v0.32.1 // indirect
github.com/prometheus/procfs v0.7.3 // indirect
github.com/spf13/afero v1.8.2 // indirect
github.com/spf13/cast v1.5.0 // indirect
github.com/spf13/cobra v1.3.0 // indirect
github.com/spf13/jwalterweatherman v1.1.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/subosito/gotenv v1.3.0 // indirect
golang.org/x/crypto v0.0.0-20220518034528-6f7dac969898 // indirect
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect
github.com/stretchr/testify v1.7.5 // indirect
golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f // indirect
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
golang.org/x/text v0.3.7 // indirect
golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/protobuf v1.28.0 // indirect
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.66.4 // indirect
gopkg.in/ini.v1 v1.66.6 // indirect
gopkg.in/resty.v1 v1.12.0 // indirect
gopkg.in/yaml.v3 v3.0.0 // indirect
k8s.io/component-base v0.22.3 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/klog/v2 v2.10.0 // indirect
k8s.io/kube-openapi v0.0.0-20211110013926-83f114cd0513 // indirect
k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect
)

require (
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver v1.5.0 // indirect
github.com/giantswarm/k8sclient/v7 v7.0.1
github.com/huandu/xstrings v1.3.2 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/pelletier/go-toml v1.9.5 // indirect
github.com/spf13/cast v1.5.0 // indirect
github.com/subosito/gotenv v1.3.0 // indirect
golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa // indirect
golang.org/x/sys v0.0.0-20220804214406-8e32c043e418 // indirect
gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
k8s.io/component-base v0.22.3 // indirect
)

replace (
github.com/coreos/etcd v3.3.10+incompatible => github.com/coreos/etcd v3.3.25+incompatible
github.com/coreos/etcd v3.3.13+incompatible => github.com/coreos/etcd v3.3.25+incompatible
github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt v3.2.1+incompatible
github.com/getsentry/sentry-go v0.12.0 => github.com/TheoBrigitte/sentry-go v0.0.0-20220808140748-011d8f311d4d
// See https://github.com/go-kit/kit/issues/1236
github.com/go-kit/kit v0.12.0 => github.com/denopink/kit v0.12.1-0.20220627203124-bf7670fb98e5
github.com/gorilla/websocket => github.com/gorilla/websocket v1.4.2
// NOTE: we need to stay on k8s v1.19 as some installations still run v1.18.
k8s.io/api => k8s.io/api v0.19.16
Expand Down