
fix: replace go packages with CVEs with newer versions #154


Merged: 2 commits merged into main from OB-40419-deps, Jan 9, 2025

Conversation

obs-gh-mattcotter

Description

OB-40419 Replace go packages with CVEs with newer versions.

```text
$ docker scout cves sha256:f43b4aeb536f88253ba886d3d0e9663b4df4116910385dd670fa28a6c95703f3
    i New version 1.16.1 available (installed version is 1.15.1) at https://github.com/docker/scout-cli
    ✓ Image stored for indexing
    ✓ Indexed 388 packages
    ✓ Provenance obtained from attestation
    ✗ Detected 2 vulnerable packages with a total of 3 vulnerabilities


## Overview

                    │                              Analyzed Image
────────────────────┼────────────────────────────────────────────────────────────────────────────
  Target            │  sha256:f43b4aeb536f88253ba886d3d0e9663b4df4116910385dd670fa28a6c95703f3
    digest          │  f43b4aeb536f
    platform        │ linux/arm64
    vulnerabilities │    0C     0H     2M     1L
    size            │ 44 MB
    packages        │ 388


## Packages and Vulnerabilities

   0C     0H     1M     1L  github.com/aws/aws-sdk-go 1.55.5
pkg:golang/github.com/aws/aws-sdk-go@1.55.5

    ✗ MEDIUM CVE-2020-8911
      https://scout.docker.com/v/CVE-2020-8911
      Affected range : >=0
      Fixed version  : not fixed

    ✗ LOW CVE-2020-8912
      https://scout.docker.com/v/CVE-2020-8912
      Affected range : >=0
      Fixed version  : not fixed


   0C     0H     1M     0L  openssl 3.3.2-r0
pkg:apk/alpine/openssl@3.3.2-r0?os_name=alpine&os_version=3.20

    ✗ MEDIUM CVE-2024-9143
      https://scout.docker.com/v/CVE-2024-9143
      Affected range : <3.3.2-r1
      Fixed version  : 3.3.2-r1



3 vulnerabilities found in 2 packages
  CRITICAL  0
  HIGH      0
  MEDIUM    2
  LOW       1


What's next:
    View base image update recommendations → docker scout recommendations sha256:f43b4aeb536f88253ba886d3d0e9663b4df4116910385dd670fa28a6c95703f3
```

Checklist

  • Created tests which fail without the change (if possible)
  • Extended the README / documentation, if necessary

```
github.com/observeinc/observe-agent/components/processors/observek8sattributesprocessor v0.0.0-00010101000000-000000000000 => ./components/processors/observek8sattributesprocessor
github.com/observeinc/observe-agent/observecol => ./observecol
golang.org/x/crypto => golang.org/x/crypto v0.32.0
```

can you add a TODO comment to remove these once we upgrade to v0.117.0
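A small check for the request above, added here as an example and not code from the observe-agent project: it parses the `replace` directives out of go.mod and reports any pin of a remote module to a version (the temporary CVE-fix kind, such as the golang.org/x/crypto v0.32.0 pin) that has no TODO comment, so CI can flag pins that outlive the upgrade to v0.117.0. The go.mod excerpt is constructed, and the `example.com/dep` pin in it is a hypothetical placeholder.

```go
package main

import "strings"

// Replace is one `old [ver] => new [ver] // comment` directive from go.mod.
type Replace struct{ Module, Target, Version, Comment string }

// ParseReplaces returns the replace directives in go.mod text (single-line or inside a `replace (` block).
func ParseReplaces(gomod string) []Replace {
	out, inBlock := []Replace{}, false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if line == "replace (" || (inBlock && line == ")") { // block open / close
			inBlock = line == "replace ("
			continue
		}
		if !inBlock && !strings.HasPrefix(line, "replace ") {
			continue // some other directive (module, go, require, ...)
		}
		line, comment, _ := strings.Cut(strings.TrimPrefix(line, "replace "), "//")
		lhs, rhs, _ := strings.Cut(line, "=>")
		l, r := strings.Fields(lhs), strings.Fields(rhs)
		if len(l) == 0 || len(r) == 0 {
			continue
		}
		rep := Replace{Module: l[0], Target: r[0], Comment: strings.TrimSpace(comment)}
		if len(r) > 1 {
			rep.Version = r[1] // absent when the target is a local ./path
		}
		out = append(out, rep)
	}
	return out
}

// PinnedWithoutTODO lists version pins of remote modules (the temporary CVE-fix kind in this
// PR) that carry no TODO comment; local ./path replacements are permanent wiring and are skipped.
func PinnedWithoutTODO(rs []Replace) []string {
	var bad []string
	for _, r := range rs {
		if r.Version != "" && !strings.HasPrefix(r.Target, ".") && !strings.Contains(r.Comment, "TODO") {
			bad = append(bad, r.Module)
		}
	}
	return bad
}
// sampleGoMod is a constructed excerpt: the PR's local wiring and x/crypto pin, plus a hypothetical pin with a TODO.
const sampleGoMod = "module example.com/agent\n\nreplace (\n" +
	"\tgithub.com/observeinc/observe-agent/observecol => ./observecol\n" +
	"\tgolang.org/x/crypto => golang.org/x/crypto v0.32.0\n" +
	"\texample.com/dep => example.com/dep v1.2.3 // TODO drop once we upgrade to v0.117.0\n)\n"
```

Running `PinnedWithoutTODO(ParseReplaces(sampleGoMod))` on the sample reports only `golang.org/x/crypto`, the pin that still lacks its TODO.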

@obs-gh-mattcotter obs-gh-mattcotter merged commit d485009 into main Jan 9, 2025
8 checks passed
@obs-gh-mattcotter obs-gh-mattcotter deleted the OB-40419-deps branch January 9, 2025 22:05