Open robertb724-corsha opened 4 months ago
I can confirm that influxdb 2.7.5 has logrus 1.9.0 listed:

$ go version -m ./usr/bin/influxd |grep logrus
dep github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=

go.mod lists it as an indirect dependency and we don't have code that is directly using it. AFAICS, this is coming in via gosnowflake that is pulled in by flux. flux's use of gosnowflake is only for ParseDSN and it doesn't seem to call logrus. In all, I think that while it is true that we have an older version in go.mod, influxdb is not actually affected.
All that said, we should fix it. We have dependabot enabled for the repo but we didn't get an alert. I can't find a CVE identifier for this issue in the GitHub advisory database, which may be why.
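The check in the comment above (reading the module list that the Go toolchain embeds in a binary and comparing one dependency against a fixed version) is easy to automate for images where no advisory-database alert will ever fire. The following is an added example written for this page, not code from the influxdb project: it parses the text printed by `go version -m`, compares each `dep` entry against a map of minimum acceptable versions, and reports the ones that fall short. The sample output is constructed; only the logrus line is taken from the thread, the toolchain version, the second dependency and its hash are made up, and the `v1.9.3` threshold is the one the issue proposes.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module is one "dep" entry from the output of `go version -m <binary>`.
type Module struct {
	Path    string
	Version string
}

// Finding records a dependency whose embedded version is below the minimum.
type Finding struct {
	Path, Have, Want string
}

// ParseGoVersionM extracts "dep" lines from `go version -m` text output.
// The header line, "path", "mod" and "build" lines are skipped. Fields are
// tab-separated in real output; strings.Fields handles tabs and spaces alike.
func ParseGoVersionM(out string) []Module {
	var mods []Module
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 || f[0] != "dep" {
			continue
		}
		mods = append(mods, Module{Path: f[1], Version: f[2]})
	}
	return mods
}

// parseSemver splits "v1.9.0" into its numeric parts. A "-rc1" or
// "-20230101-abcdef" suffix (pre-release or pseudo-version) is dropped from
// the numbers but remembered, so it sorts below the plain release.
func parseSemver(v string) (nums [3]int, pre bool, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 { // build metadata never affects order
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		pre = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, pre, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nums, pre, false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// Less reports whether Go module version a is older than b. Unparseable
// versions are never reported as older, so a garbled line is not a false alarm.
func Less(a, b string) bool {
	na, preA, okA := parseSemver(a)
	nb, preB, okB := parseSemver(b)
	if !okA || !okB {
		return false
	}
	for i := 0; i < 3; i++ {
		if na[i] != nb[i] {
			return na[i] < nb[i]
		}
	}
	return preA && !preB // same numbers: a pre-release precedes the release
}

// CheckMinimums returns every module whose version is below the minimum
// listed for its path. Paths not present in the binary produce no finding.
func CheckMinimums(mods []Module, minimums map[string]string) []Finding {
	var out []Finding
	for _, m := range mods {
		if want, ok := minimums[m.Path]; ok && Less(m.Version, want) {
			out = append(out, Finding{Path: m.Path, Have: m.Version, Want: want})
		}
	}
	return out
}

// Constructed sample of `go version -m ./usr/bin/influxd`. The logrus line is
// the one quoted in the thread; the Go version, the golang.org/x/text entry and
// its hash are made up for the example.
const sampleOutput = `./usr/bin/influxd: go1.21.0
	path	github.com/influxdata/influxdb/v2/cmd/influxd
	mod	github.com/influxdata/influxdb/v2	(devel)
	dep	github.com/sirupsen/logrus	v1.9.0	h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
	dep	golang.org/x/text	v0.14.0	h1:CONSTRUCTED_PLACEHOLDER_HASH=
	build	-compiler=gc
`

func main() {
	minimums := map[string]string{"github.com/sirupsen/logrus": "v1.9.3"}
	for _, f := range CheckMinimums(ParseGoVersionM(sampleOutput), minimums) {
		fmt.Printf("%s: have %s, want at least %s\n", f.Path, f.Have, f.Want)
	}
}
```

In practice the text would come from `go version -m` run against the binary inside the image, and the minimums map from whatever advisory source applies; as the thread notes, an embedded old version does not by itself prove the vulnerable code path is reachable, so a finding from this check is a prompt to do the call-path analysis jdstrand describes, not a verdict.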
@jdstrand thank you for looking into this. FYSA, the registry in which I am maintaining the influx image refers to this as PRISMA-2023-0056. When googling it I do not find much info.
Ok, that makes sense. When googling I saw something about PRISMA using their own identifiers so this all makes sense now. Thanks for the report!
@jdstrand I saw this was merged but it is not being included in the latest releases. How do these patches get included in the official releases?
https://github.com/influxdata/influxdb/blob/3c58c06206bd8c585f847382d074524564174bc1/go.mod#L208
@robertb724-corsha - it was committed to main-2.x which stages it for a future 2.x release. It didn't end up being included in 2.7.6. I went ahead and submitted https://github.com/influxdata/influxdb/pull/24970 against the 2.7 branch just now.
@jdstrand thank you for the clarification
Use case: Logrus version 1.9.0 has an open CVE. Repositories which host influx and scan for CVEs flag this dependency as the finding has been open for a very long time (10 months). Updating the version of Logrus will allow Influx to be deployed into security conscious.
Proposal: Update version of Logrus to 1.9.3 which remediates the potential denial of service vulnerability
Current behaviour: Influx 2.7.x is flagged for outstanding vulnerability related to logrus
Desired behaviour: Influx 2.7.x is not flagged for outstanding vulnerability related to logrus
Alternatives considered: I have not considered alternatives