Closed: oshoval closed this pull request 10 months ago.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign alonakaplan for approval. For more information see the Kubernetes Code Review Process.
The full list of commands accepted by this bot can be found here.
Hey @oshoval, I am not sure that we need to address go.sum mentions. Please take a look at this thread and tell me what you think.
Hi Ram,
Right, but the PR desc is updated with the reasons why it is nice to have (even if not mandatory).
The only drawback is that it "freezes" grpc on the following make vendor.
We can close this PR, but it means that we will need to have a way to check our go.mod for changes and disregard go.sum (which might be possible using Snyk advanced settings).
Another option is if we can have an ignore list of the reports that aren't important (but only if they can't be escalated to be real issues).
Once we have auto Jira reporting, we can close them there (hopefully they won't be opened again).
Let's close (because of the "freeze" issue; it is not a good practice, and we should prioritize). We would need to make sure we have filters on Snyk, but without missing real stuff that might pop up.
What this PR does / why we need it: We still have potential indirect uses (go.sum) of the affected google.golang.org/grpc according to Snyk. For example cloud.google.com/go v0.97.0. Note that it is not actually linked, else it would be on go.mod as well. Moreover, in this case grpc isn't even vendored.
Bump grpc to a fixed version (using a replace directive). This in turn also auto-deprecates some old versions; for example, it replaced cloud.google.com/go v0.97.0 here. It will make the scanner happy, and also avoid possible silent use of the affected package in the future. https://github.com/advisories/GHSA-qppj-fm5r-hxr3
Special notes for your reviewer:
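An added example, not code from this project or this PR, that makes the go.mod-versus-go.sum distinction in the description concrete: it parses constructed go.mod and go.sum samples, lists modules that only go.sum mentions (what the scanner reports but nothing links), and shows how a replace directive takes grpc off that list. The module versions and hashes in the samples are constructed placeholders, not real releases.

```go
package main

import (
	"fmt"
	"strings"
)
// Constructed sample files, not the project's real go.mod/go.sum; the grpc version in the replace line is a placeholder.
const goModBefore = "module example.com/demo\n\ngo 1.19\n\nrequire (\n\tcloud.google.com/go v0.97.0\n)\n"
const goModAfter = goModBefore + "\nreplace google.golang.org/grpc => google.golang.org/grpc v1.99.0\n"
const sampleGoSum = `cloud.google.com/go v0.97.0 h1:constructed=
cloud.google.com/go v0.97.0/go.mod h1:constructed=
google.golang.org/grpc v1.40.0/go.mod h1:constructed=`
// parseGoMod returns the required module paths and the replace map (path -> pinned version).
func parseGoMod(src string) (required map[string]bool, replaced map[string]string) {
	required, replaced = map[string]bool{}, map[string]string{}
	block := "" // "require" or "replace" while inside a ( ... ) block
	for _, line := range strings.Split(src, "\n") {
		f := append(strings.Fields(strings.SplitN(line, "//", 2)[0]), "") // drop comments; "" sentinel keeps f[0] safe
		kind := block
		if f[0] == "require" || f[0] == "replace" {
			kind, f = f[0], f[1:]
		}
		switch {
		case f[0] == "(":
			block = kind
		case f[0] == ")":
			block = ""
		case f[0] != "" && kind == "require":
			required[f[0]] = true
		case f[0] != "" && kind == "replace": // "old [ver] => new ver"
			replaced[f[0]] = f[len(f)-2] // last real field is the pinned version
		}
	}
	return required, replaced
}
// goSumOnly lists modules go.sum mentions but go.mod neither requires nor replaces: a scanner reports them, yet nothing links them into the build.
func goSumOnly(goMod, goSum string) []string {
	required, replaced := parseGoMod(goMod)
	seen, out := map[string]bool{}, []string{}
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && !required[f[0]] && replaced[f[0]] == "" && !seen[f[0]] {
			seen[f[0]], out = true, append(out, f[0])
		}
	}
	return out
}
func main() {
	fmt.Println(goSumOnly(goModBefore, sampleGoSum), goSumOnly(goModAfter, sampleGoSum)) // [google.golang.org/grpc] []
}
```

Run against a real checkout by reading the two files instead of the constants; an empty "go.sum-only" list after the replace is the state the PR description aims for.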