
fix(deps): bumped dependencies versions to resolve CVEs #13789

Merged
merged 2 commits into from
Aug 7, 2024

Conversation

vlad-diachenko
Contributor

What this PR does / why we need it:
upgraded loki-build-image, alpine and azure-sdk-for-go/sdk/azidentity versions to resolve CVE-2023-42364, CVE-2023-42363, CVE-2023-45288, CVE-2024-35255, CVE-2023-42366, CVE-2023-42365, CVE-2024-24790, CVE-2024-24789.

Special notes for your reviewer:

❯ trivy image docker.io/grafana/loki:vlad.diachenko-fix-cves-ca2030b-WIP
2024-08-07T18:59:49+03:00       INFO    [vuln] Vulnerability scanning is enabled
2024-08-07T18:59:49+03:00       INFO    [secret] Secret scanning is enabled
2024-08-07T18:59:49+03:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-07T18:59:49+03:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-07T18:59:49+03:00       INFO    Detected OS     family="alpine" version="3.20.2"
2024-08-07T18:59:49+03:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.20" repository="3.20" pkg_num=20
2024-08-07T18:59:49+03:00       INFO    Number of language-specific files       num=1
2024-08-07T18:59:49+03:00       INFO    [gobinary] Detecting vulnerabilities...

docker.io/grafana/loki:vlad.diachenko-fix-cves-ca2030b-WIP (alpine 3.20.2)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Checklist

  • Reviewed the CONTRIBUTING.md guide (required)
  • Documentation added
  • Tests updated
  • Title matches the required conventional commits format, see here
    • Note that Promtail is considered to be feature complete, and future development for logs collection will be in Grafana Alloy. As such, feat PRs are unlikely to be accepted unless a case can be made for the feature actually being a bug fix to existing behavior.
  • Changes that require user attention or interaction to upgrade are documented in docs/sources/setup/upgrade/_index.md
  • For Helm chart changes bump the Helm chart version in production/helm/loki/Chart.yaml and update production/helm/loki/CHANGELOG.md and production/helm/loki/README.md. Example PR
  • If the change is deprecating or removing a configuration option, update the deprecated-config.yaml and deleted-config.yaml files respectively in the tools/deprecated-config-checker directory. Example PR
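An added example, not code from the Loki project or the PR author: a small check that turns the scan quoted above into a merge gate. It reads trivy's JSON output (`trivy image --format json --output report.json <image>`) and confirms that every CVE the PR claims to fix is actually absent from the image, and that nothing at or above a chosen severity remains, instead of relying on the `Total: 0` summary line alone. The report layout assumed here is trivy's SchemaVersion 2 JSON (a `Results` list whose entries carry an optional `Vulnerabilities` list); the two sample reports, the versions in them and the `EXAMPLE-LEFTOVER-1` placeholder ID are constructed for illustration and are not real output for this image.

```python
"""Gate a dependency-bump PR on a trivy JSON report (added example, not Loki code)."""
import json

# CVE IDs copied verbatim from the PR description above.
PR_CLAIMED_CVES = {
    "CVE-2023-42364", "CVE-2023-42363", "CVE-2023-45288", "CVE-2024-35255",
    "CVE-2023-42366", "CVE-2023-42365", "CVE-2024-24790", "CVE-2024-24789",
}

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def findings(report_json: str) -> list[dict]:
    """Flatten a trivy SchemaVersion 2 report into one dict per (target, ID).

    trivy omits the "Vulnerabilities" key for a clean target, so a missing key
    means "no findings", not a malformed report. The target is kept so a hit
    can be traced to the OS layer (alpine packages) or the Go binary.
    """
    report = json.loads(report_json)
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append({
                "id": v["VulnerabilityID"],
                "target": result.get("Target", ""),
                "pkg": v.get("PkgName", ""),
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN").upper(),
            })
    return out


def check_pr_claims(report_json: str, claimed: set[str], fail_on: str = "HIGH") -> dict:
    """Compare the post-upgrade scan against what the PR says it fixed.

    unresolved: claimed CVEs still present in the image
    leftover:   IDs present that the PR did not mention
    blocking:   findings at or above `fail_on` severity
    """
    found = findings(report_json)
    present = {f["id"] for f in found}
    threshold = SEVERITY_RANK[fail_on.upper()]
    return {
        "unresolved": sorted(claimed & present),
        "leftover": sorted(present - claimed),
        "blocking": sorted(f["id"] for f in found
                           if SEVERITY_RANK.get(f["severity"], 0) >= threshold),
    }


def gate_ok(result: dict) -> bool:
    """Merge only if every claimed CVE is gone and nothing blocking remains."""
    return not result["unresolved"] and not result["blocking"]


# Constructed sample: a clean scan in the "Total: 0" shape quoted in the PR
# (no "Vulnerabilities" key on either target).
CLEAN_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "docker.io/grafana/loki:example",
    "Results": [
        {"Target": "docker.io/grafana/loki:example (alpine 3.20.2)",
         "Class": "os-pkgs", "Type": "alpine"},
        {"Target": "usr/bin/loki", "Class": "lang-pkgs", "Type": "gobinary"},
    ],
})

# Constructed sample: base image fixed, but the Go binary was not rebuilt with a
# patched toolchain, so a claimed stdlib CVE remains alongside an unrelated LOW
# finding. Versions and severity are illustrative; the LOW ID is a placeholder.
PARTIAL_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "docker.io/grafana/loki:example",
    "Results": [
        {"Target": "docker.io/grafana/loki:example (alpine 3.20.2)",
         "Class": "os-pkgs", "Type": "alpine"},
        {"Target": "usr/bin/loki", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2024-24790", "PkgName": "stdlib",
              "InstalledVersion": "1.22.3", "FixedVersion": "1.22.4",
              "Severity": "CRITICAL"},
             {"VulnerabilityID": "EXAMPLE-LEFTOVER-1", "PkgName": "example.com/dep",
              "InstalledVersion": "0.1.0", "FixedVersion": "0.1.1",
              "Severity": "LOW"},
         ]},
    ],
})


if __name__ == "__main__":
    for name, rep in (("clean", CLEAN_REPORT), ("partial", PARTIAL_REPORT)):
        res = check_pr_claims(rep, PR_CLAIMED_CVES)
        print(name, "OK" if gate_ok(res) else "FAIL", res)
```

`trivy image --exit-code 1 --severity HIGH,CRITICAL` gives a coarser gate on its own, but it does not tie the result back to the CVE list in the PR description; keeping the per-target detail matters here because the busybox entries clear with the alpine bump while the Go standard-library entries only clear once the binary is rebuilt with a patched toolchain, which is what the loki-build-image bump provides.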

@vlad-diachenko vlad-diachenko force-pushed the vlad.diachenko/fix-cves branch from ee221a4 to eb02637 Compare August 7, 2024 16:23
@vlad-diachenko vlad-diachenko merged commit 34206cd into release-3.1.x Aug 7, 2024
69 checks passed
@vlad-diachenko vlad-diachenko deleted the vlad.diachenko/fix-cves branch August 7, 2024 18:30
@grafanabot
Collaborator

The backport to release-2.9.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new branch
git switch --create backport-13789-to-release-2.9.x origin/release-2.9.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x 34206cd2d6290566034710ae6c2d08af8804bc91

When the conflicts are resolved, stage and commit the changes:

git add . && git cherry-pick --continue

If you have the GitHub CLI installed:

# Push the branch to GitHub:
git push --set-upstream origin backport-13789-to-release-2.9.x
# Create the PR body template
PR_BODY=$(gh pr view 13789 --json body --template 'Backport 34206cd2d6290566034710ae6c2d08af8804bc91 from #13789{{ "\n\n---\n\n" }}{{ index . "body" }}')
# Create the PR on GitHub
echo "${PR_BODY}" | gh pr create --title 'chore: [release-2.9.x] fix(deps): bumped dependencies versions to resolve CVEs' --body-file - --label 'size/L' --label 'sig/operator' --label 'area/helm' --label 'product-approved' --label 'backport' --base release-2.9.x --milestone release-2.9.x --web

Or, if you don't have the GitHub CLI installed (we recommend you install it!):

# Push the branch to GitHub:
git push --set-upstream origin backport-13789-to-release-2.9.x

# Create a pull request where the `base` branch is `release-2.9.x` and the `compare`/`head` branch is `backport-13789-to-release-2.9.x`.

# Remove the local backport branch
git switch main
git branch -D backport-13789-to-release-2.9.x

@grafanabot
Collaborator

The backport to release-3.0.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new branch
git switch --create backport-13789-to-release-3.0.x origin/release-3.0.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x 34206cd2d6290566034710ae6c2d08af8804bc91

When the conflicts are resolved, stage and commit the changes:

git add . && git cherry-pick --continue

If you have the GitHub CLI installed:

# Push the branch to GitHub:
git push --set-upstream origin backport-13789-to-release-3.0.x
# Create the PR body template
PR_BODY=$(gh pr view 13789 --json body --template 'Backport 34206cd2d6290566034710ae6c2d08af8804bc91 from #13789{{ "\n\n---\n\n" }}{{ index . "body" }}')
# Create the PR on GitHub
echo "${PR_BODY}" | gh pr create --title 'chore: [release-3.0.x] fix(deps): bumped dependencies versions to resolve CVEs' --body-file - --label 'size/L' --label 'sig/operator' --label 'area/helm' --label 'product-approved' --label 'backport' --base release-3.0.x --milestone release-3.0.x --web

Or, if you don't have the GitHub CLI installed (we recommend you install it!):

# Push the branch to GitHub:
git push --set-upstream origin backport-13789-to-release-3.0.x

# Create a pull request where the `base` branch is `release-3.0.x` and the `compare`/`head` branch is `backport-13789-to-release-3.0.x`.

# Remove the local backport branch
git switch main
git branch -D backport-13789-to-release-3.0.x
