
Fix CVEs on the main branch by upgrading dependencies #6980

Merged 1 commit from ptodev/fix-cves into main on Jul 18, 2024
Conversation

@ptodev (Contributor) commented Jul 15, 2024

This PR upgrades a few packages which should fix all CVEs reported by Trivy except for the Loki one:

Trivy scan on main:

$ trivy image grafana/agent:main
2024-07-15T17:04:33+01:00	INFO	Need to update DB
2024-07-15T17:04:33+01:00	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
49.74 MiB / 49.74 MiB [----------------------------------------------------] 100.00% 14.11 MiB p/s 3.7s
2024-07-15T17:04:38+01:00	INFO	Vulnerability scanning is enabled
2024-07-15T17:04:38+01:00	INFO	Secret scanning is enabled
2024-07-15T17:04:38+01:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T17:04:38+01:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-07-15T17:04:44+01:00	INFO	Detected OS	family="ubuntu" version="23.10"
2024-07-15T17:04:44+01:00	INFO	[ubuntu] Detecting vulnerabilities...	os_version="23.10" pkg_num=97
2024-07-15T17:04:44+01:00	INFO	Number of language-specific files	num=1
2024-07-15T17:04:44+01:00	INFO	[gobinary] Detecting vulnerabilities...
2024-07-15T17:04:44+01:00	WARN	This OS version is no longer supported by the distribution	family="ubuntu" version="23.10"
2024-07-15T17:04:44+01:00	WARN	The vulnerability detection may be insufficient because security updates are not provided

grafana/agent:main (ubuntu 23.10)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/bin/grafana-agent (gobinary)

Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 3, CRITICAL: 1)

┌────────────────────────────────────────┬─────────────────────┬──────────┬────────┬──────────────────────────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│                Library                 │    Vulnerability    │ Severity │ Status │          Installed Version           │  Fixed Version  │                            Title                             │
├────────────────────────────────────────┼─────────────────────┼──────────┼────────┼──────────────────────────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/grafana/loki                │ CVE-2021-36156      │ MEDIUM   │ fixed  │ v1.6.2-0.20240510183741-cef4c2826b4b │ 2.3.0           │ loki: Path traversal in Grafana Loki                         │
│                                        │                     │          │        │                                      │                 │ https://avd.aquasec.com/nvd/cve-2021-36156                   │
├────────────────────────────────────────┼─────────────────────┼──────────┤        ├──────────────────────────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/mostynb/go-grpc-compression │ GHSA-87m9-rv8p-rgmg │ HIGH     │        │ v1.2.2                               │ 1.2.3           │ go-grpc-compression has a zstd decompression bombing         │
│                                        │                     │          │        │                                      │                 │ vulnerability                                                │
│                                        │                     │          │        │                                      │                 │ https://github.com/advisories/GHSA-87m9-rv8p-rgmg            │
├────────────────────────────────────────┼─────────────────────┼──────────┤        ├──────────────────────────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/rs/cors                     │ GHSA-mh55-gqvf-xfwm │ MEDIUM   │        │ v1.10.1                              │ 1.11.0          │ Denial of service via malicious preflight requests in        │
│                                        │                     │          │        │                                      │                 │ github.com/rs/cors                                           │
│                                        │                     │          │        │                                      │                 │ https://github.com/advisories/GHSA-mh55-gqvf-xfwm            │
├────────────────────────────────────────┼─────────────────────┼──────────┤        ├──────────────────────────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                                 │ CVE-2024-24790      │ CRITICAL │        │ 1.22.1                               │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for   │
│                                        │                     │          │        │                                      │                 │ IPv4-mapped IPv6 addresses                                   │
│                                        │                     │          │        │                                      │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│                                        ├─────────────────────┼──────────┤        │                                      ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                        │ CVE-2023-45288      │ HIGH     │        │                                      │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of           │
│                                        │                     │          │        │                                      │                 │ CONTINUATION frames causes DoS                               │
│                                        │                     │          │        │                                      │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│                                        ├─────────────────────┤          │        │                                      ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                        │ CVE-2024-24788      │          │        │                                      │ 1.22.3          │ golang: net: malformed DNS message can cause infinite loop   │
│                                        │                     │          │        │                                      │                 │ https://avd.aquasec.com/nvd/cve-2024-24788                   │
│                                        ├─────────────────────┼──────────┤        │                                      ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                        │ CVE-2024-24789      │ MEDIUM   │        │                                      │ 1.21.11, 1.22.4 │ golang: archive/zip: Incorrect handling of certain ZIP files │
│                                        │                     │          │        │                                      │                 │ https://avd.aquasec.com/nvd/cve-2024-24789                   │
│                                        ├─────────────────────┤          │        │                                      ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                        │ CVE-2024-24791      │          │        │                                      │ 1.21.12, 1.22.5 │ net/http: Denial of service due to improper 100-continue     │
│                                        │                     │          │        │                                      │                 │ handling in net/http                                         │
│                                        │                     │          │        │                                      │                 │ https://avd.aquasec.com/nvd/cve-2024-24791                   │
└────────────────────────────────────────┴─────────────────────┴──────────┴────────┴──────────────────────────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

I think the Loki CVE is probably not a real threat - I suspect that Trivy is getting confused due to the fact that we import loki in our go.mod by selecting a specific commit:

github.com/grafana/loki v1.6.2-0.20240510183741-cef4c2826b4b // k190 branch

I'll double check this later.

I suppose there is no point listing the CVEs in the changelog... we don't normally do this.
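The Loki row in the table above is reported against a pseudo-version, and the comment says the author will double-check it. The following is an added example (not code from this PR or from the grafana/agent project) that shows what a version-range scanner can and cannot conclude from such a string: it parses the pseudo-version into its base version, commit timestamp and commit prefix, reproduces the scanner's "installed core version is below the fixed version" decision, and picks the right entry from a comma-separated fixed-version list such as the stdlib rows. The input versions are copied from the Trivy table; the `PseudoVersion`/`Assess` names and the comparison logic are this example's own, and whether the Loki fix is actually an ancestor of commit cef4c2826b4b is not something this code can decide.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// PseudoVersion holds the parts of a Go module pseudo-version such as
// v1.6.2-0.20240510183741-cef4c2826b4b (the form go.mod uses for an untagged commit).
type PseudoVersion struct {
	Base      string    // semver the pseudo-version is derived from, e.g. v1.6.2
	Timestamp time.Time // UTC commit time encoded in the version string
	Commit    string    // 12-hex-digit commit prefix
}

// pseudoRe matches the three shapes documented in the Go modules reference:
// vX.0.0-<ts>-<hash>, vX.Y.Z-pre.0.<ts>-<hash> and vX.Y.(Z+1)-0.<ts>-<hash>.
var pseudoRe = regexp.MustCompile(`^(v\d+\.\d+\.\d+)(?:-(.+?))?[-.](\d{14})-([0-9a-f]{12})$`)

// ParsePseudoVersion returns ok=false for ordinary tagged versions.
func ParsePseudoVersion(v string) (PseudoVersion, bool) {
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return PseudoVersion{}, false
	}
	ts, err := time.Parse("20060102150405", m[3])
	if err != nil {
		return PseudoVersion{}, false
	}
	return PseudoVersion{Base: m[1], Timestamp: ts.UTC(), Commit: m[4]}, true
}

// coreParts extracts X.Y.Z from a version, dropping a leading "v" and any
// pre-release or build suffix. This is all a version-range scanner compares.
func coreParts(v string) [3]int {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, s := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(s)
		out[i] = n
	}
	return out
}

// compareCore returns -1, 0 or 1 comparing only the X.Y.Z parts.
func compareCore(a, b string) int {
	pa, pb := coreParts(a), coreParts(b)
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	return 0
}

// matchingFix picks, from a list like "1.21.11, 1.22.4", the fixed version on
// the same X.Y line as the installed version, falling back to the first entry.
func matchingFix(installed, fixed string) string {
	cands := strings.Split(fixed, ",")
	in := coreParts(installed)
	for i := range cands {
		cands[i] = strings.TrimSpace(cands[i])
		if p := coreParts(cands[i]); p[0] == in[0] && p[1] == in[1] {
			return cands[i]
		}
	}
	return cands[0]
}

// Finding is the scanner's verdict from version strings alone, plus what a
// reviewer needs in order to confirm or dismiss a pseudo-version hit.
type Finding struct {
	Library         string
	Installed       string
	Fixed           string // the fixed version actually compared against
	FlaggedByRange  bool   // installed core version < fixed version
	IsPseudoVersion bool   // base version says nothing about the built commit
	CommitToVerify  string // commit prefix to check for the fix, if pseudo
	CommitTime      time.Time
}

// Assess reproduces a pure version-range comparison and annotates pseudo-versions.
func Assess(library, installed, fixed string) Finding {
	f := Finding{Library: library, Installed: installed, Fixed: matchingFix(installed, fixed)}
	f.FlaggedByRange = compareCore(installed, f.Fixed) < 0
	if pv, ok := ParsePseudoVersion(installed); ok {
		f.IsPseudoVersion, f.CommitToVerify, f.CommitTime = true, pv.Commit, pv.Timestamp
	}
	return f
}

func main() {
	// Rows copied from the Trivy table in the PR description.
	for _, c := range [][3]string{
		{"github.com/grafana/loki", "v1.6.2-0.20240510183741-cef4c2826b4b", "2.3.0"},
		{"github.com/rs/cors", "v1.10.1", "1.11.0"},
		{"stdlib", "1.22.1", "1.21.11, 1.22.4"},
	} {
		f := Assess(c[0], c[1], c[2])
		fmt.Printf("%-28s flagged=%-5v fixed=%s", f.Library, f.FlaggedByRange, f.Fixed)
		if f.IsPseudoVersion {
			fmt.Printf("  pseudo-version: commit %s from %s; check the fix is in that commit",
				f.CommitToVerify, f.CommitTime.Format("2006-01-02"))
		}
		fmt.Println()
	}
}
```

The point the example makes concrete: for the Loki row the scanner sees base version 1.6.2, which is below 2.3.0, so it reports the CVE no matter which commit the pseudo-version points at; the timestamp and commit prefix in the string are the only data it carries about the real code, and confirming the fix is an ancestor of that commit has to be done in the Loki repository, not from the version string.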

@wildum (Contributor) left a comment

Thanks for taking care of this :) There are a few other files to update because of the Go update (integration tests, build image). See https://github.com/grafana/alloy/pull/1256/files#diff-dd2c0eb6ea5cfc6c4bd4eac30934e2d5746747af48fef6da689e85b752f39557
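The review comment above is about a Go toolchain bump that has to be mirrored in other files, which is easy to miss and leaves a binary built with the old, vulnerable stdlib. The following is an added example, not code from this PR or from the grafana/agent repository, of a small consistency check: it scans a set of files for a pinned Go version (a `go` directive in go.mod, a `FROM golang:` line in a Dockerfile, a `go-version:` key in a workflow file) and reports every pin that disagrees with go.mod. The file names and contents in `sampleFiles` are constructed for the example and are not the project's real layout.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample files (hypothetical paths and contents, not from
// grafana/agent) that each pin a Go toolchain version. One of them is stale.
var sampleFiles = map[string]string{
	"go.mod":                                    "module example.com/agent\n\ngo 1.22.5\n",
	"build-image/Dockerfile":                    "FROM golang:1.22.5-bullseye AS build\nWORKDIR /src\n",
	"internal/cmd/integration-tests/Dockerfile": "FROM golang:1.22.1\nCOPY . /src\n",
	".github/workflows/test.yml":                "      - uses: actions/setup-go@v5\n        with:\n          go-version: \"1.22.5\"\n",
}

// versionPatterns maps a path suffix to the regexp whose first capture group is
// the pinned version (X.Y or X.Y.Z) in that kind of file.
var versionPatterns = []struct {
	suffix string
	re     *regexp.Regexp
}{
	{"go.mod", regexp.MustCompile(`(?m)^go (\d+\.\d+(?:\.\d+)?)\s*$`)},
	{"Dockerfile", regexp.MustCompile(`(?m)^FROM golang:(\d+\.\d+(?:\.\d+)?)`)},
	{".yml", regexp.MustCompile(`go-version:\s*"?(\d+\.\d+(?:\.\d+)?)`)},
}

// PinnedGoVersions returns path -> version for every file that pins a Go version.
func PinnedGoVersions(files map[string]string) map[string]string {
	out := map[string]string{}
	for path, content := range files {
		for _, p := range versionPatterns {
			if !strings.HasSuffix(path, p.suffix) {
				continue
			}
			if m := p.re.FindStringSubmatch(content); m != nil {
				out[path] = m[1]
			}
		}
	}
	return out
}

// Mismatches lists, sorted, every pinned version that differs from the go.mod
// directive. go.mod is the reference here on the assumption (this example's,
// valid for Go 1.21+ toolchain selection) that it carries the full X.Y.Z version.
func Mismatches(files map[string]string) []string {
	pins := PinnedGoVersions(files)
	want := pins["go.mod"]
	var bad []string
	for path, v := range pins {
		if v != want {
			bad = append(bad, fmt.Sprintf("%s pins %s, go.mod has %s", path, v, want))
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	for path, v := range PinnedGoVersions(sampleFiles) {
		fmt.Printf("%-45s %s\n", path, v)
	}
	for _, m := range Mismatches(sampleFiles) {
		fmt.Println("MISMATCH:", m)
	}
}
```

Run against a real checkout by reading the files into the map; in CI this belongs next to the dependency-update job so that a go.mod bump without the matching build-image and integration-test changes fails before the image is built and scanned.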

@ptodev ptodev merged commit 65364f2 into main Jul 18, 2024
10 checks passed
@ptodev ptodev deleted the ptodev/fix-cves branch July 18, 2024 12:54
@github-actions github-actions bot added the frozen-due-to-age Locked due to a period of inactivity. Please open new issues or PRs if more discussion is needed. label Aug 18, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 18, 2024