hypertrace / hypertrace-collector

OpenTelemetry collector distribution for Hypertrace platform

feat: upgrade to otel collector v0.90.1 #120

Closed tim-mwangi closed 10 months ago

tim-mwangi commented 10 months ago

Description

Upgrade to otel collector v0.90.1. Hoping it will fix a vulnerability in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc

usr/local/bin/hypertrace/collector (gobinary)
=============================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/contrib/instrumentation/google.golang.o- │ CVE-2023-47108 │ HIGH     │ fixed  │ v0.45.0           │ 0.46.0        │ opentelemetry-go-contrib: DoS vulnerability in otelgrpc due │
│ rg/grpc/otelgrpc                                             │                │          │        │                   │               │ to unbound cardinality metrics                              │
│                                                              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-47108                  │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

Testing

Tested locally. Unit tests still passing.

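A small dependency check for the pin named in the scan above, added here as an example (not code from this PR or from hypertrace-collector): it parses go.mod text and reports whether the otelgrpc module is still pinned below the fixed version 0.46.0 from the trivy table. The go.mod fragment is constructed, and the module path and versions are the ones the table shows.

```go
package main

import (
	"fmt"
	"strings"
)

// Module path and fixed version are copied from the scan table in the PR description.
const (
	otelgrpcModule = "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
	otelgrpcFixed  = "v0.46.0"
)

// Constructed go.mod fragment (not the project's real go.mod) showing the pre-upgrade pin.
const sampleBefore = "require (\n\t" + otelgrpcModule + " v0.45.0\n\tgithub.com/example/dep v1.2.3 // indirect\n)\n"

// semverParts turns "v0.45.0" into [0 45 0]; ok is false if malformed. Prerelease and
// build suffixes are stripped, so "v0.46.0-rc1" is treated as its base version.
func semverParts(v string) (out [3]int, ok bool) {
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	n, _ := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &out[0], &out[1], &out[2])
	return out, n == 3
}

// RequiredVersion returns the version go.mod pins for module, from either a one-line
// "require m v" directive or an entry inside a require ( ... ) block.
func RequiredVersion(gomod, module string) (string, bool) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == module {
			return f[1], true
		}
	}
	return "", false
}

// OtelgrpcBelowFix reports whether go.mod pins otelgrpc below the fixed version;
// a missing or malformed pin yields false, since go.mod alone then gives nothing to flag.
func OtelgrpcBelowFix(gomod string) bool {
	v, _ := RequiredVersion(gomod, otelgrpcModule)
	have, ok := semverParts(v)
	fixed, _ := semverParts(otelgrpcFixed)
	for i := 0; ok && i < 3; i++ {
		if have[i] != fixed[i] {
			return have[i] < fixed[i]
		}
	}
	return false
}
```

This only inspects the repository's go.mod; the scan in the description ran against the built binary, and `go version -m` on that binary lists the module versions actually compiled in, which is the authoritative place to confirm the fix landed.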

puneet-traceable commented 10 months ago

I am not sure on what to look for here. I am hoping a lot of it is generated code.

tim-mwangi commented 10 months ago

> I am not sure on what to look for here. I am hoping a lot of it is generated code.

Most of it is copied over code from the otel repos with some of our custom changes that we had to make manually, e.g. passing down the context for the jaeger receiver, span curing for the kafka exporter.