aptible / supercronic

Cron for containers
MIT License

upgrade github.com/prometheus/client_golang #133

Closed zwartho closed 1 year ago

zwartho commented 1 year ago

Resolves #132

zwartho commented 1 year ago

@madhuravius I've updated the go.sum entries. I believe these should allow the build tests to pass. Would you mind re-running the tests? Thank you

zwartho commented 1 year ago

@UserNotFound @krallin Is there anything else I can do to help GTM before the next release? I've got an SLA for this CVE on 7/29 that I would prefer not to miss.

UserNotFound commented 1 year ago

Hi @zwartho, our security team has reviewed the PR and approved it to help get you going, but if your vulnerability remediation policy requires updating within a specific timeframe, the repository includes build instructions in the Readme, as well as a Makefile which you can use to build all of the platform binaries yourself, the same as our release process.

Additionally, Prometheus is not core code to Supercronic, and was contributed by a member of the public -- do you use Prometheus? Is there a specific reason you chose prometheus/client_golang v1.15.0, when v1.15.1 and 1.16.0 have been released?

UserNotFound commented 1 year ago

https://github.com/aptible/supercronic/releases/tag/v0.2.26

zwartho commented 1 year ago

Thank you @madhuravius and @UserNotFound for getting this merged and released! Our compliance framework is pretty strict, so I appreciate your prompt response. Moving forward, I will be sure to modify my build process so that I can roll out my own remediations for any future vulnerabilities.

Yes, I am looking to explore Prometheus as a monitoring solution for a work-related project. I decided to go with prometheus/client_golang v1.15.0 as this was the minimum version bump required to remediate this specific vulnerability. With hindsight as 20/20, I should have at least used v1.15.1 and most likely could have gotten away with v1.16.0.