jaegertracing / jaeger-clickhouse

Jaeger ClickHouse storage plugin implementation
Apache License 2.0

upgraded net and sys to fix CVE-2022-27664 #117

Closed albertlockett closed 1 year ago

albertlockett commented 1 year ago

Which problem is this PR solving?

Upgrades the net and sys dependencies to mitigate CVE-2022-27664

The latest version was failing image scans:

$ trivy i ghcr.io/jaegertracing/jaeger-clickhouse:0.12.0
2022-10-03T12:28:47.370-0400    INFO    Detected OS: alpine
2022-10-03T12:28:47.370-0400    INFO    This OS version is not on the EOL list: alpine 3.16
2022-10-03T12:28:47.370-0400    INFO    Detecting Alpine vulnerabilities...
2022-10-03T12:28:47.371-0400    INFO    Number of language-specific files: 1
2022-10-03T12:28:47.371-0400    INFO    Detecting gobinary vulnerabilities...

ghcr.io/jaegertracing/jaeger-clickhouse:0.12.0 (alpine 3.16.2)
==============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

go/bin/jaeger-clickhouse (gobinary)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |           FIXED VERSION           |                 TITLE                 |
+------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
| golang.org/x/net | CVE-2022-27664   | HIGH     | v0.0.0-20220412020605-290c469a71a5 | 0.0.0-20220906165146-f3363e06e74c | golang: net/http: handle server       |
|                  |                  |          |                                    |                                   | errors after sending GOAWAY           |
|                  |                  |          |                                    |                                   | -->avd.aquasec.com/nvd/cve-2022-27664 |
+------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+

Short description of the changes

Ran

go get -u golang.org/x/net
go get -u golang.org/x/sys

Now we get a clean scan:

$ trivy i ghcr.io/jaegertracing/jaeger-clickhouse:latest
2022-10-03T12:29:30.017-0400    INFO    Detected OS: alpine
2022-10-03T12:29:30.017-0400    INFO    This OS version is not on the EOL list: alpine 3.16
2022-10-03T12:29:30.017-0400    INFO    Detecting Alpine vulnerabilities...
2022-10-03T12:29:30.021-0400    INFO    Number of language-specific files: 1
2022-10-03T12:29:30.021-0400    INFO    Detecting gobinary vulnerabilities...

ghcr.io/jaegertracing/jaeger-clickhouse:latest (alpine 3.16.2)
==============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

go/bin/jaeger-clickhouse (gobinary)
===================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
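The scan above decides "vulnerable" by comparing an installed pseudo-version against the fixed one, and that same comparison is worth running against go.mod before an image is ever built. The Go program below is an added example, not code from this PR or from the jaeger-clickhouse project; it parses a constructed go.mod excerpt (carrying the version trivy flagged) and reports whether golang.org/x/net predates the CVE-2022-27664 fix, ordering tagged releases and pseudo-versions the way Go modules do.

```go
package main

import (
	"fmt"
	"strings"
)

// Fixed golang.org/x/net version for CVE-2022-27664, as trivy reported above.
const fixedXNet = "v0.0.0-20220906165146-f3363e06e74c"
// Constructed go.mod excerpt carrying the flagged version (not the project's real file).
const sampleGoMod = "require (\n\tgolang.org/x/net v0.0.0-20220412020605-290c469a71a5 // indirect\n\tgolang.org/x/sys v0.0.0-20220412211240-33da011f77ad // indirect\n)\n"

// parseVersion splits "v0.0.0-2022...-f3363e06e74c" or "v0.1.0" into numeric core and pre-release suffix.
func parseVersion(v string) ([3]int, string, error) {
	var nums [3]int
	core, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &nums[0], &nums[1], &nums[2]); err != nil {
		return nums, "", fmt.Errorf("malformed module version %q: %w", v, err)
	}
	return nums, pre, nil
}

// versionLess reports whether a sorts before b in Go module order: numeric core first; a pre-release
// (a pseudo-version is one) sorts before the bare release; two pseudo-versions order by fixed-width timestamp.
func versionLess(a, b string) (bool, error) {
	na, pa, errA := parseVersion(a)
	nb, pb, errB := parseVersion(b)
	if errA != nil || errB != nil {
		return false, fmt.Errorf("cannot compare %q with %q: %v %v", a, b, errA, errB)
	}
	for i := range na {
		if na[i] != nb[i] {
			return na[i] < nb[i], nil
		}
	}
	return pa != "" && (pb == "" || pa < pb), nil
}

// vulnerableXNet scans go.mod text for golang.org/x/net; version is empty when the module is absent.
func vulnerableXNet(goMod string) (string, bool, error) {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 || f[0] != "golang.org/x/net" {
			continue
		}
		old, err := versionLess(f[1], fixedXNet)
		return f[1], old, err
	}
	return "", false, nil
}
```

Only golang.org/x/net pseudo-versions of the plain `vX.Y.Z-timestamp-hash` form are handled; the `vX.Y.Z-0.timestamp-hash` variant Go emits after a tagged pre-release is an assumption left out here.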