Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

updating golang.org/x/text module to v0.3.8 to address trivy vulnerab… #849

Merged
merged 1 commit into from Nov 17, 2022
Merged

updating golang.org/x/text module to v0.3.8 to address trivy vulnerab… #849

merged 1 commit into from Nov 17, 2022

Conversation

xphyr
Copy link
Contributor

@xphyr xphyr commented Nov 17, 2022

Description

Upgrade golang.org/x/text version to v0.3.8 to fix build failure due to Trivy security scan failure.

Relevant issues/tickets

Current builds are failing due to:

Running trivy with options: trivy image  --format table --exit-code  1 --ignore-unfixed --vuln-type  os,library --severity  CRITICAL,HIGH  registry:5000/grafana-operator:sha-21e52787
Global options:  
[20](https://github.com/grafana-operator/grafana-operator/actions/runs/3490358882/jobs/5842435939#step:12:21)22-11-17T17:54:06.748Z	INFO	Need to update DB
2022-11-17T17:54:06.748Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2022-11-17T17:54:06.748Z	INFO	Downloading DB...
35.03 MiB / 35.03 MiB [----------------------------------------------------------->] 100.00% ? p/s ?35.03 MiB / 35.03 MiB [----------------------------------------------------------->] 100.00% ? p/s ?35.03 MiB / 35.03 MiB [----------------------------------------------------------->] 100.00% ? p/s ?35.03 MiB / 35.03 MiB [----------------------------------------------------------->] 100.00% ? p/s ?35.03 MiB / 35.03 MiB [----------------------------------------------------------->] 100.00% ? p/s ?35.03 MiB / 35.03 MiB [----------------------------------------------------------->] 100.00% ? p/s ?35.03 MiB / 35.03 MiB [----------------------------------------------------------->] 100.00% ? p/s ?35.03 MiB / 35.03 MiB [-------------------------------------------------] 100.00% 28.27 MiB p/s 1.4s2022-11-17T17:54:08.593Z	INFO	Vulnerability scanning is enabled
2022-11-17T17:54:08.593Z	INFO	Secret scanning is enabled
2022-11-17T17:54:08.593Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-11-17T17:54:08.593Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.34/docs/secret/scanning/#recommendation for faster secret detection
2022-11-17T17:54:10.360Z	INFO	Detected OS: redhat
2022-11-17T17:54:10.360Z	INFO	Detecting RHEL/CentOS vulnerabilities...
2022-11-17T17:54:10.365Z	INFO	Number of language-specific files: 1
2022-11-17T17:54:10.365Z	INFO	Detecting gobinary vulnerabilities...

registry:5000/grafana-operator:sha-[21](https://github.com/grafana-operator/grafana-operator/actions/runs/3490358882/jobs/5842435939#step:12:22)e52787 (redhat 8.6)
========================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


manager (gobinary)
==================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌───────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                          │
├───────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ golang.org/x/text │ CVE-20[22](https://github.com/grafana-operator/grafana-operator/actions/runs/3490358882/jobs/5842435939#step:12:23)-[32](https://github.com/grafana-operator/grafana-operator/actions/runs/3490358882/jobs/5842435939#step:12:33)149 │ HIGH     │ v0.3.7            │ 0.3.8         │ golang: golang.org/x/text/language: ParseAcceptLanguage │
│                   │                │          │                   │               │ takes a long time to parse complex tags                 │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-32149              │
└───────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • This change requires a documentation update
  • I have added tests that prove my fix is effective or that my feature works
  • I have added a test case that will be used to verify my changes
  • Verified independently on a cluster by reviewer

Verification steps

ran build process locally and built successfully

@xphyr
updating golang.org/x/text module to v0.3.8 to address trivy vulnerab…
ac52c9b 
…ility scanner

Signed-off-by: xphyr <xphyr@users.noreply.github.com>
@NissesSenap NissesSenap merged commit b5e08ac into grafana:master Nov 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NissesSenap NissesSenap NissesSenap approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@xphyr @NissesSenap