
Commit d485009

fix: replace go packages with CVEs with newer versions (#154)
### Description

OB-40419 Replace go packages with CVEs with newer versions.

```
$ docker scout cves sha256:f43b4aeb536f88253ba886d3d0e9663b4df4116910385dd670fa28a6c95703f3
    i New version 1.16.1 available (installed version is 1.15.1) at https://github.com/docker/scout-cli
    ✓ Image stored for indexing
    ✓ Indexed 388 packages
    ✓ Provenance obtained from attestation
    ✗ Detected 2 vulnerable packages with a total of 3 vulnerabilities

## Overview

                    │       Analyzed Image
────────────────────┼────────────────────────────────────────────────────────────────────────────
  Target            │  sha256:f43b4aeb536f88253ba886d3d0e9663b4df4116910385dd670fa28a6c95703f3
    digest          │  f43b4aeb536f
    platform        │  linux/arm64
    vulnerabilities │    0C     0H     2M     1L
    size            │ 44 MB
    packages        │ 388

## Packages and Vulnerabilities

   0C     0H     1M     1L  github.com/aws/aws-sdk-go 1.55.5
pkg:golang/github.com/aws/aws-sdk-go@1.55.5

    ✗ MEDIUM CVE-2020-8911
      https://scout.docker.com/v/CVE-2020-8911
      Affected range : >=0
      Fixed version  : not fixed

    ✗ LOW CVE-2020-8912
      https://scout.docker.com/v/CVE-2020-8912
      Affected range : >=0
      Fixed version  : not fixed

   0C     0H     1M     0L  openssl 3.3.2-r0
pkg:apk/alpine/openssl@3.3.2-r0?os_name=alpine&os_version=3.20

    ✗ MEDIUM CVE-2024-9143
      https://scout.docker.com/v/CVE-2024-9143
      Affected range : <3.3.2-r1
      Fixed version  : 3.3.2-r1

3 vulnerabilities found in 2 packages
  CRITICAL  0
  HIGH      0
  MEDIUM    2
  LOW       1

What's next:
    View base image update recommendations → docker scout recommendations sha256:f43b4aeb536f88253ba886d3d0e9663b4df4116910385dd670fa28a6c95703f3
```

### Checklist

- [ ] Created tests which fail without the change (if possible)
- [ ] Extended the README / documentation, if necessary
1 parent 4ef52c2 commit d485009

40 files changed: +513 / -110 lines changed

go.mod

Lines changed: 9 additions & 5 deletions
@@ -13,7 +13,7 @@ require (
1313
github.com/stretchr/testify v1.9.0
1414
go.opentelemetry.io/collector/otelcol v0.114.0
1515
go.uber.org/zap v1.27.0
16-
golang.org/x/sys v0.27.0
16+
golang.org/x/sys v0.29.0
1717
gopkg.in/yaml.v2 v2.4.0
1818
gopkg.in/yaml.v3 v3.0.1
1919
)
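Review bot: the `golang.org/x/sys v0.27.0` to `v0.29.0` bump on line 16 does not correspond to any finding in the `docker scout cves` output quoted in the commit message, which lists only `github.com/aws/aws-sdk-go 1.55.5` (CVE-2020-8911 and CVE-2020-8912, both reported as "not fixed") and the Alpine `openssl 3.3.2-r0` package (CVE-2024-9143); none of the go.mod hunks touch aws-sdk-go, and the openssl finding is an OS package, not a Go module. Please state in the description which advisory each Go module bump addresses, or attach `govulncheck ./...` output, so the change can be checked against its stated purpose; as written, scout will keep reporting the two aws-sdk-go findings after this merge because no fixed version exists for them.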
@@ -360,14 +360,14 @@ require (
360360
go.opentelemetry.io/proto/otlp v1.3.1 // indirect
361361
go.uber.org/atomic v1.11.0 // indirect
362362
go.uber.org/multierr v1.11.0 // indirect
363-
golang.org/x/crypto v0.29.0 // indirect
363+
golang.org/x/crypto v0.32.0 // indirect
364364
golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 // indirect
365365
golang.org/x/mod v0.21.0 // indirect
366366
golang.org/x/net v0.31.0 // indirect
367367
golang.org/x/oauth2 v0.23.0 // indirect
368-
golang.org/x/sync v0.9.0 // indirect
369-
golang.org/x/term v0.26.0 // indirect
370-
golang.org/x/text v0.20.0 // indirect
368+
golang.org/x/sync v0.10.0 // indirect
369+
golang.org/x/term v0.28.0 // indirect
370+
golang.org/x/text v0.21.0 // indirect
371371
golang.org/x/time v0.5.0 // indirect
372372
golang.org/x/tools v0.26.0 // indirect
373373
gonum.org/v1/gonum v0.15.1 // indirect
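Review bot: `golang.org/x/net v0.31.0 // indirect` on line 366 is left as is while `x/crypto`, `x/sync`, `x/term` and `x/text` are bumped in this hunk, and x/net is instead forced to v0.34.0 by a `replace` directive further down in this file. Prefer bumping the require entry directly (`go get golang.org/x/net@v0.34.0 && go mod tidy`) so the require block states the version that is actually built and a later `go mod tidy` does not leave the two out of step; also confirm that `go.opentelemetry.io/collector/otelcol v0.114.0` (line 14 of this file) builds and passes its tests against x/net v0.34.0 and x/crypto v0.32.0, since these `// indirect` entries come from its dependency graph.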
@@ -392,6 +392,10 @@ require (
392392
)
393393

394394
replace (
395+
// TODO remove these overrides when we upgrade to otelcol v0.117.0
396+
github.com/docker/docker => github.com/docker/docker v27.4.1+incompatible
395397
github.com/observeinc/observe-agent/components/processors/observek8sattributesprocessor v0.0.0-00010101000000-000000000000 => ./components/processors/observek8sattributesprocessor
396398
github.com/observeinc/observe-agent/observecol => ./observecol
399+
golang.org/x/crypto => golang.org/x/crypto v0.32.0
400+
golang.org/x/net => golang.org/x/net v0.34.0
397401
)
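Review bot: the `golang.org/x/crypto => golang.org/x/crypto v0.32.0` override on line 399 is a no-op, because the require entry on line 363 already selects v0.32.0; only the `github.com/docker/docker` and `golang.org/x/net` replaces change what gets built, so drop the redundant line to keep the override list honest. A `replace` that pins a module to a fixed version also silently wins over any later `go get` of a newer x/net or docker/docker, so the TODO on line 395 ("remove these overrides when we upgrade to otelcol v0.117.0") is the only thing stopping these pins from outliving their purpose; track it as an issue linked to OB-40419, and extend the comment with why `github.com/docker/docker` needs `v27.4.1+incompatible` specifically, since nothing in the commit message mentions a docker/docker advisory.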

vendor/github.com/docker/docker/api/swagger.yaml

Lines changed: 19 additions & 9 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

vendor/github.com/docker/docker/api/types/types.go

Lines changed: 2 additions & 0 deletions

vendor/github.com/docker/docker/client/client.go

Lines changed: 9 additions & 1 deletion

vendor/github.com/docker/docker/client/ping.go

Lines changed: 2 additions & 2 deletions

vendor/golang.org/x/crypto/pkcs12/crypto.go

Lines changed: 1 addition & 1 deletion

vendor/golang.org/x/net/html/doctype.go

Lines changed: 1 addition & 1 deletion

vendor/golang.org/x/net/html/foreign.go

Lines changed: 1 addition & 2 deletions

vendor/golang.org/x/net/html/parse.go

Lines changed: 6 additions & 2 deletions

vendor/golang.org/x/net/http2/config.go

Lines changed: 1 addition & 1 deletion
