influxdata / influxdb

Scalable datastore for metrics, events, and real-time analytics
https://influxdata.com
Apache License 2.0

Update Logrus to latest available version #24708

Open robertb724-corsha opened 4 months ago

robertb724-corsha commented 4 months ago

Use case: Logrus version 1.9.0 has an open CVE. Repositories which host influx and scan for CVEs flag this dependency as the finding has been open for a very long time (10 months). Updating the version of Logrus will allow Influx to be deployed into security conscious.

Proposal: Update version of Logrus to 1.9.3 which remediates the potential denial of service vulnerability

Current behaviour: Influx 2.7.x is flagged for outstanding vulnerability related to logrus

Desired behaviour: Influx 2.7.x is not flagged for outstanding vulnerability related to logrus

Alternatives considered: I have not considered alternatives

jdstrand commented 4 months ago

I can confirm that influxdb 2.7.5 has logrus 1.9.0 listed:

$ go version -m ./usr/bin/influxd |grep logrus
    dep github.com/sirupsen/logrus  v1.9.0  h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=

go.mod lists it as an indirect dependency and we don't have code that is directly using it. AFAICS, this is coming in via gosnowflake that is pulled in by flux. flux's use of gosnowflake is only for ParseDSN and it doesn't seem to call logrus. In all, I think that while it is true that we have an older version in go.mod, influxdb is not actually affected.

All that said, we should fix it. We have dependabot enabled for the repo but we didn't get an alert. I can't find a CVE identifier for this issue in the GitHub advisory database, which may be why.
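The `go version -m` check above is the reliable way to see what a shipped Go binary actually links, since the build info embedded in the binary reflects the resolved module graph rather than what go.mod declares. The following is an added example, not code from the influxdb project or from either commenter: it parses `go version -m` style output and flags any module whose built-in version is below a minimum you specify. The build-info text is constructed for the example (only the logrus line matches what the thread quotes; `example.com/other` and the `h1:placeholder=` hashes are made up), and the semver comparison is a deliberately small one that treats any pre-release or pseudo-version suffix as lower than the bare release.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleBuildInfo is constructed `go version -m` output. The logrus line is
// the one quoted in the thread; the other module and all hashes are invented.
const sampleBuildInfo = `/usr/bin/influxd: go1.20.10
	path	github.com/influxdata/influxdb/v2/cmd/influxd
	mod	github.com/influxdata/influxdb/v2	(devel)
	dep	github.com/sirupsen/logrus	v1.9.0	h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
	dep	example.com/other	v1.2.0	h1:placeholder=
`

// Dep is one "dep" line from the embedded build info.
type Dep struct{ Path, Version string }

// ParseBuildInfo extracts module path and version from every "dep" line.
// Other lines (path, mod, build settings) are ignored.
func ParseBuildInfo(out string) []Dep {
	var deps []Dep
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 3 && f[0] == "dep" {
			deps = append(deps, Dep{Path: f[1], Version: f[2]})
		}
	}
	return deps
}

// parseSemver splits "v1.9.3" (or a pseudo-version such as
// "v0.0.0-20230101120000-abcdef012345") into major/minor/patch and reports
// whether a pre-release/pseudo-version suffix was present.
func parseSemver(v string) (nums [3]int, pre bool, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, pre, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nums, pre, false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// CompareVersions returns -1, 0 or 1 for a < b, a == b, a > b.
// A version with a suffix sorts below the bare release of the same triple.
func CompareVersions(a, b string) int {
	an, apre, _ := parseSemver(a)
	bn, bpre, _ := parseSemver(b)
	for i := 0; i < 3; i++ {
		if an[i] < bn[i] {
			return -1
		}
		if an[i] > bn[i] {
			return 1
		}
	}
	switch {
	case apre && !bpre:
		return -1
	case !apre && bpre:
		return 1
	}
	return 0
}

// Finding records a watched module that was built in below its minimum.
type Finding struct{ Path, Have, Want string }

// FlagOutdated returns the watched modules whose linked version is older than
// the minimum in minimums (module path -> lowest acceptable version).
func FlagOutdated(buildInfo string, minimums map[string]string) []Finding {
	var out []Finding
	for _, d := range ParseBuildInfo(buildInfo) {
		want, watched := minimums[d.Path]
		if !watched {
			continue
		}
		if CompareVersions(d.Version, want) < 0 {
			out = append(out, Finding{Path: d.Path, Have: d.Version, Want: want})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

func main() {
	mins := map[string]string{"github.com/sirupsen/logrus": "v1.9.3"}
	for _, f := range FlagOutdated(sampleBuildInfo, mins) {
		fmt.Printf("%s: built with %s, want >= %s\n", f.Path, f.Have, f.Want)
	}
}
```

Feed it the real output of `go version -m ./usr/bin/influxd` instead of the constant to check an actual build. Note that this answers only "which version is linked in"; whether the vulnerable code is reachable, the question jdstrand reasons about above, is what `govulncheck` (golang.org/x/vuln) is designed to answer by call-graph analysis, and a scanner that matches on version alone will flag the binary either way.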

robertb724-corsha commented 4 months ago

@jdstrand thank you for looking into this. FYSA, the registry in which I am maintaining the influx image refers to this as PRISMA-2023-0056. When googling it I do not find much info.

jdstrand commented 4 months ago

> @jdstrand thank you for looking into this. FYSA, the registry in which I am maintaining the influx image refers to this as PRISMA-2023-0056. When googling it I do not find much info.

Ok, that makes sense. When googling I saw something about PRISMA using their own identifiers so this all makes sense now. Thanks for the report!

robertb724-corsha commented 2 months ago

@jdstrand I saw this was merged but it is not being included in the latest releases. How do these patches get included in the official releases?

https://github.com/influxdata/influxdb/blob/3c58c06206bd8c585f847382d074524564174bc1/go.mod#L208

jdstrand commented 2 months ago

@robertb724-corsha - it was committed to main-2.x which stages it for a future 2.x release. It didn't end up being included in 2.7.6. I went ahead and submitted https://github.com/influxdata/influxdb/pull/24970 against the 2.7 branch just now.

robertb724-corsha commented 2 months ago

@jdstrand thank you for the clarification