opensearch-project / logstash-output-opensearch

A Logstash plugin that sends event data to an OpenSearch cluster and stores it as an index.
https://opensearch.org/docs/latest/clients/logstash/index/
Apache License 2.0

Release v. Next #252

Closed mamccorm closed 5 months ago

mamccorm commented 7 months ago

Hi there,

The last release tag was cut back in Aug 2023. Since then there's been quite a few commits. Any plans to cut a new release tag to pick up these changes?

dblock commented 7 months ago

There weren't really any substantive changes, were there? Are you looking for a specific fix that was made?

On this note we could use a CHANGELOG like https://github.com/opensearch-project/opensearch-py/blob/main/CHANGELOG.md, maybe you'd be interested in contributing one so we can see easily what is ready to be released?

cbeaujoin-stellar commented 5 months ago

Hi, can you build a new Docker image (https://hub.docker.com/r/opensearchproject/logstash-oss-with-opensearch-output-plugin) based on the latest LOGSTASH_VERSION (https://www.docker.elastic.co/r/logstash/logstash-oss)? The current version is LOGSTASH_VERSION=${LOGSTASH_VERSION:-8.3.2}, and a lot of the current input plugins' documentation is ahead of it. For example, the tcp input plugin has had a lot of changes since Logstash 8.3.2, which runs tcp input plugin 6.3.0. You can't rely on the current documentation (https://www.elastic.co/guide/en/logstash/current/plugins-inputs-tcp.html).

mamccorm commented 5 months ago

Hey @dblock, there are currently 237 CVEs in the most recent image, which was last pushed 10 months ago:

```bash
Scanned for vulnerabilities [237 vulnerability matches]
├── by severity: 3 critical, 25 high, 116 medium, 75 low, 9 negligible (9 unknown)
└── by status: 147 fixed, 90 not-fixed, 0 ignored
A newer version of grype is available for download: 0.78.0 (installed version is 0.77.4)
```

A lot of these look like they'd be remediated by rebuilding the image. Given there has been some activity in the repo as well as a long time since the last release / build cut, it'd be great to cut for that reason, or periodically re-trigger a re-build of the image.

dblock commented 5 months ago

There was a discussion on this in https://github.com/opensearch-project/logstash-output-opensearch/issues/230, which says we're not planning to make any new docker releases (cc: @dlvenable). But we should talk about it again. Maybe someone can help add automation for it in opensearch-build?

dblock commented 5 months ago

Closing in favor of https://github.com/opensearch-project/logstash-output-opensearch/issues/230.