This repository has been archived by the owner on Nov 1, 2022. It is now read-only.

Update module github.com/prometheus/client_golang to v1.12.2 #3620

Conversation

kingdonb
Member

Suggested by Renovate and Snyk, there is a medium sev reported in prometheus/client_golang which we could upgrade:

Testing fluxcd/flux:1.25.2...

✗ Medium severity vulnerability found in github.com/prometheus/client_golang/prometheus/promhttp
  Description: Denial of Service (DoS)
  Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPROMETHEUSCLIENTGOLANGPROMETHEUSPROMHTTP-2401819
  Introduced through: github.com/prometheus/client_golang/prometheus/promhttp@1.11.0
  From: github.com/prometheus/client_golang/prometheus/promhttp@1.11.0
  Fixed in: 1.11.1

This is just the one issue I noticed that we can do something about right away, I just decided to drop in and scope out potential changes for a next release since we are coming up on 30 days since the last one.

There are also critical reports from pcre2/pcre2 introduced by our base image (alpine:3.15.4), it's not clear when a new base image patch version will be released, so if we can mitigate this manually or just check for it in the resulting build, which I'm testing out now as I submit this.

Perhaps it will be updated out without a rev in the base image, but I think we don't run apk update in our build process if it's not, so we may have to either change that, or wait for a new revision, and I'm inclined to just wait.

Not exactly sure how they do things at Alpine HQ to be honest, but I'm sure they're on top of this, so maybe we want to delay a release until this all can be resolved too (I will look for it in the test build result):

Testing fluxcd/flux:1.25.2...

✗ Critical severity vulnerability found in pcre2/pcre2
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-ALPINE315-PCRE2-2869383
  Introduced through: pcre2/pcre2@10.39-r0, git/git@2.34.2-r0
  From: pcre2/pcre2@10.39-r0
  From: git/git@2.34.2-r0 > pcre2/pcre2@10.39-r0
  Image layer: Introduced by your base image (alpine:3.15.4)
  Fixed in: 10.40-r0

✗ Critical severity vulnerability found in pcre2/pcre2
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-ALPINE315-PCRE2-2869384
  Introduced through: pcre2/pcre2@10.39-r0, git/git@2.34.2-r0
  From: pcre2/pcre2@10.39-r0
  From: git/git@2.34.2-r0 > pcre2/pcre2@10.39-r0
  Image layer: Introduced by your base image (alpine:3.15.4)
  Fixed in: 10.40-r0

✗ Critical severity vulnerability found in openldap/libldap
  Description: SQL Injection
  Info: https://snyk.io/vuln/SNYK-ALPINE315-OPENLDAP-2863511
  Introduced through: openldap/libldap@2.6.0-r0, gnupg/gpg@2.2.31-r1
  From: openldap/libldap@2.6.0-r0
  From: gnupg/gpg@2.2.31-r1 > gnupg/gnupg@2.2.31-r1 > gnupg/gnupg-dirmngr@2.2.31-r1 > openldap/libldap@2.6.0-r0
  Image layer: 'apk add --no-cache openssh-client ca-certificates tini 'git>=2.24.2' 'gnutls>=3.6.7' 'glib>=2.62.5-r0' gnupg gawk socat'
  Fixed in: 2.6.2-r0

The last recorded issue from the scan, which I'll mention just for completeness, is another one which I'm not sure we can do anything about, since SOPS @ v4 most likely contains a breaking change, else it would not have got a major increment; I don't know if we can adopt this upgrade or if we've already covered this in prior discussions.

(But I know the jwt-go vulnerability was mitigated in one of our most recent releases, thanks @pjbgf):

Testing fluxcd/flux:1.25.2...

✗ High severity vulnerability found in github.com/dgrijalva/jwt-go
  Description: Access Restriction Bypass
  Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515
  Introduced through: github.com/dgrijalva/jwt-go@3.2.0+incompatible
  From: github.com/dgrijalva/jwt-go@3.2.0+incompatible
  Fixed in: 4.0.0-preview1
Organization:      kingdonb
Package manager:   gomodules
Target file:       /usr/local/bin/sops
Project name:      go.mozilla.org/sops/v3
Docker image:      fluxcd/flux:1.25.2
Licenses:          enabled

I am not in any hurry to push the release button again, just testing. 👍
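A small parser for the Snyk text output quoted in the comment above, added here as an illustration and not part of this PR or of the Flux project: it pulls each finding's installed and fixed versions and sorts them into apk version pins (usable in the Dockerfile's apk add line), apk packages that only a base-image bump can fix, and Go module fixes. The sample scan text is a constructed, trimmed copy of the findings above.

```python
import re
# Constructed sample: a trimmed copy of three findings quoted in the PR above.
SAMPLE_SCAN = """\
✗ Medium severity vulnerability found in github.com/prometheus/client_golang/prometheus/promhttp
  Introduced through: github.com/prometheus/client_golang/prometheus/promhttp@1.11.0
  Fixed in: 1.11.1

✗ Critical severity vulnerability found in pcre2/pcre2
  Introduced through: pcre2/pcre2@10.39-r0, git/git@2.34.2-r0
  Image layer: Introduced by your base image (alpine:3.15.4)
  Fixed in: 10.40-r0

✗ Critical severity vulnerability found in openldap/libldap
  Introduced through: openldap/libldap@2.6.0-r0, gnupg/gpg@2.2.31-r1
  Image layer: 'apk add --no-cache openssh-client gnupg'
  Fixed in: 2.6.2-r0
"""
FINDING_RE = re.compile(r"^✗ (\w+) severity vulnerability found in (\S+)$")

def parse_findings(text):
    """One dict per finding: severity, package, installed version, fix version, base-image flag."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if m:
            findings.append({"severity": m.group(1), "package": m.group(2),
                             "installed": "", "fixed_in": "", "base_image": False})
            continue
        # Indented detail lines belong to the most recent finding; other lines are ignored.
        key, _, value = line.strip().partition(": ")
        if key == "Fixed in":
            findings[-1]["fixed_in"] = value
        elif key == "Introduced through":
            # The first entry is the vulnerable package itself, e.g. pcre2/pcre2@10.39-r0.
            findings[-1]["installed"] = value.split(",")[0].split("@", 1)[1]
        elif key == "Image layer":
            findings[-1]["base_image"] = "base image" in value
    return findings

def remediation_plan(findings):
    """Split findings into apk pins (for the Dockerfile's apk add line) and Go module fixes;
    apk packages look like origin/name, Go packages start with a host name containing a dot."""
    plan = {"apk": [], "apk_base_image": [], "go": []}
    for f in findings:
        pkg = f["package"]
        if "." in pkg.split("/")[0]:
            plan["go"].append(f"{pkg}: {f['installed']} -> {f['fixed_in']}")
        else:
            plan["apk_base_image" if f["base_image"] else "apk"].append(f"{pkg.split('/')[-1]}>={f['fixed_in']}")
    return plan
```

Pins in the `apk_base_image` list will only be satisfiable once the base image ships the fixed package, which is the wait the comment describes.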

@kingdonb kingdonb force-pushed the renovate/github.mirror.nvdadr.com-prometheus-client_golang-1.x branch from 153506d to 08cff92 Compare June 21, 2022 18:38
+ go mod download

Signed-off-by: Kingdon Barrett <yebyen@gmail.com>
Signed-off-by: Kingdon Barrett <kingdon@weave.works>
@kingdonb kingdonb force-pushed the renovate/github.mirror.nvdadr.com-prometheus-client_golang-1.x branch from 08cff92 to 7644d0f Compare June 21, 2022 18:48
@kingdonb
Member Author

Looks like merging this and tagging the resulting build would take care of all those, minus the SOPS issue that I mentioned can't be mitigated without a breaking upgrade (and here is the clean scan output):

$ docker scan kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip

Testing kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip...

Organization:      kingdonb
Package manager:   apk
Project name:      docker-image|kingdonb/flux
Docker image:      kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip
Platform:          linux/amd64
Base image:        alpine:3.15.4
Licenses:          enabled

✔ Tested 68 dependencies for known issues, no vulnerable paths found.

According to our scan, you are currently using the most secure version of the selected base image

-------------------------------------------------------

Testing kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip...

Organization:      kingdonb
Package manager:   gomodules
Target file:       /usr/local/bin/fluxd
Project name:      github.com/fluxcd/flux
Docker image:      kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip
Licenses:          enabled

✔ Tested 469 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip...

✗ High severity vulnerability found in github.com/dgrijalva/jwt-go
  Description: Access Restriction Bypass
  Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515
  Introduced through: github.com/dgrijalva/jwt-go@3.2.0+incompatible
  From: github.com/dgrijalva/jwt-go@3.2.0+incompatible
  Fixed in: 4.0.0-preview1
Organization:      kingdonb
Package manager:   gomodules
Target file:       /usr/local/bin/sops
Project name:      go.mozilla.org/sops/v3
Docker image:      kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip
Licenses:          enabled

Tested 167 dependencies for known issues, found 1 issue.


Tested 3 projects, 1 contained vulnerable paths.

Member

@pjbgf pjbgf left a comment


@kingdonb nice one!

LGTM

@kingdonb kingdonb merged commit 2f27d76 into master Jun 30, 2022
@kingdonb kingdonb deleted the renovate/github.mirror.nvdadr.com-prometheus-client_golang-1.x branch June 30, 2022 15:03
@kingdonb kingdonb added this to the 1.25.3 milestone Aug 29, 2022