Upgrades the net and sys dependencies to mitigate CVE-2022-27664
Latest version was failing image scans:
$ trivy i ghcr.io/jaegertracing/jaeger-clickhouse:0.12.0
2022-10-03T12:28:47.370-0400 INFO Detected OS: alpine
2022-10-03T12:28:47.370-0400 INFO This OS version is not on the EOL list: alpine 3.16
2022-10-03T12:28:47.370-0400 INFO Detecting Alpine vulnerabilities...
2022-10-03T12:28:47.371-0400 INFO Number of language-specific files: 1
2022-10-03T12:28:47.371-0400 INFO Detecting gobinary vulnerabilities...
ghcr.io/jaegertracing/jaeger-clickhouse:0.12.0 (alpine 3.16.2)
==============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
go/bin/jaeger-clickhouse (gobinary)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
| golang.org/x/net | CVE-2022-27664 | HIGH | v0.0.0-20220412020605-290c469a71a5 | 0.0.0-20220906165146-f3363e06e74c | golang: net/http: handle server |
| | | | | | errors after sending GOAWAY |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27664 |
+------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
Short description of the changes
Ran
go get -u golang.org/x/net
go get -u golang.org/x/sys
Now we get the clean scan:
$ trivy i ghcr.io/jaegertracing/jaeger-clickhouse:latest
2022-10-03T12:29:30.017-0400 INFO Detected OS: alpine
2022-10-03T12:29:30.017-0400 INFO This OS version is not on the EOL list: alpine 3.16
2022-10-03T12:29:30.017-0400 INFO Detecting Alpine vulnerabilities...
2022-10-03T12:29:30.021-0400 INFO Number of language-specific files: 1
2022-10-03T12:29:30.021-0400 INFO Detecting gobinary vulnerabilities...
ghcr.io/jaegertracing/jaeger-clickhouse:latest (alpine 3.16.2)
==============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
go/bin/jaeger-clickhouse (gobinary)
===================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
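The version comparison behind the scan result above can be checked against `go list -m all` output before building the image. This is an added example, not part of the original PR or the project's code; the function names are hypothetical and the ordering is a simplified semver comparison that assumes `v0.0.0-<timestamp>-<hash>` pseudo-versions or plain tagged releases.

```go
package main

import (
	"fmt"
	"strings"
)

const fixedNet = "0.0.0-20220906165146-f3363e06e74c" // FIXED VERSION column of the Trivy report

// parse splits "v0.0.0-<timestamp>-<hash>" into its numeric core and pre-release part.
func parse(v string) (core [3]int, pre string, err error) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop +incompatible
	v, pre, _ = strings.Cut(v, "-")
	_, err = fmt.Sscanf(v, "%d.%d.%d", &core[0], &core[1], &core[2])
	return core, pre, err
}

// Older reports whether a sorts before b (simplified ordering, see the lead-in).
func Older(a, b string) (bool, error) {
	ca, pa, errA := parse(a)
	cb, pb, errB := parse(b)
	if errA != nil || errB != nil {
		return false, fmt.Errorf("bad module version %q or %q", a, b)
	}
	for i := range ca {
		if ca[i] != cb[i] {
			return ca[i] < cb[i], nil
		}
	}
	if pa == "" || pb == "" {
		return pa != "" && pb == "", nil // a pre-release sorts before its release
	}
	return pa < pb, nil // fixed-width timestamps order correctly as strings
}

// VulnerableNet scans "path version" lines for x/net and compares with the fix.
func VulnerableNet(listing string) (string, bool, error) {
	for _, line := range strings.Split(listing, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && f[0] == "golang.org/x/net" {
			old, err := Older(f[1], fixedNet)
			return f[1], old, err
		}
	}
	return "", false, nil // x/net is not in the listing
}

func main() {
	fmt.Println(VulnerableNet("golang.org/x/net v0.0.0-20220412020605-290c469a71a5"))
}
```
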