
chore: bump protobuf containerd, and trivy (0.50.0) #1002

Merged: 2 commits merged into eraser-dev:main from bump-protobuf-containerd on Mar 26, 2024

Conversation

sozercan (Member)

@sozercan sozercan commented Mar 25, 2024

What this PR does / why we need it:

Eraser is not affected by these CVEs as it doesn't call the code for these vulns, but bumping these anyway

Vulnerability #1: GO-2024-2611
    Infinite loop in JSON unmarshaling in google.golang.org/protobuf
  More info: https://pkg.go.dev/vuln/GO-2024-2611
  Module: google.golang.org/protobuf
    Found in: google.golang.org/protobuf@v1.31.0
    Fixed in: google.golang.org/protobuf@v1.33.0

=== Module Results ===

Vulnerability #1: GO-2023-2412
    RAPL accessibility in github.com/containerd/containerd
  More info: https://pkg.go.dev/vuln/GO-2023-2412
  Module: github.com/containerd/containerd
    Found in: github.com/containerd/containerd@v1.6.18
    Fixed in: github.com/containerd/containerd@v1.6.26

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #

Special notes for your reviewer:
Latest trivy binary reports for having vulns, but this is not actionable at this time. We'll have to wait for an upstream fix.

Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
@sozercan sozercan changed the title chore: bump protobuf and containerd chore: bump protobuf containerd, and trivy (0.50.0) Mar 25, 2024
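The report quoted in the PR description is govulncheck output, and the author's reasoning ("not affected as it doesn't call the code, but bumping anyway") is exactly the distinction between a module-level finding (a vulnerable module version is in the build) and a symbol-level finding (a call path into the vulnerable function exists). As an added example, not code from the eraser project or from this PR, the Go program below reads govulncheck's `-json` stream and folds each OSV ID into that triage. It assumes the `finding`/`trace` field names of govulncheck's JSON output; the sample stream is constructed for the example, and `GO-EXAMPLE-0001` and the `example.com/*` modules are placeholders standing in for a reachable case.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Frame is one entry in a govulncheck finding's call trace. The JSON field
// names follow govulncheck's -json output; treating that layout as fixed is
// an assumption of this example.
type Frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

// Finding is the "finding" object govulncheck emits, one per OSV entry and
// per level of detail (module, package or symbol) it could establish.
type Finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []Frame `json:"trace"`
}

// Message is one line of the JSON stream; keys we do not need are ignored.
type Message struct {
	Finding *Finding `json:"finding"`
}

// Triage is the per-OSV summary a reviewer wants: where it was found, where
// it is fixed, and whether any finding carries a call path into a function
// (symbol-level) rather than only naming a vulnerable module version.
type Triage struct {
	OSV       string
	Module    string
	Found     string
	Fixed     string
	Reachable bool
}

// Classify reads a govulncheck -json stream and folds the findings per OSV ID.
func Classify(r io.Reader) (map[string]*Triage, error) {
	dec := json.NewDecoder(r)
	out := map[string]*Triage{}
	for {
		var m Message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue
		}
		top := m.Finding.Trace[0] // the vulnerable side of the path; always names the module
		t, ok := out[m.Finding.OSV]
		if !ok {
			t = &Triage{OSV: m.Finding.OSV, Module: top.Module, Found: top.Version, Fixed: m.Finding.FixedVersion}
			out[m.Finding.OSV] = t
		}
		for _, f := range m.Finding.Trace {
			if f.Function != "" {
				t.Reachable = true // a function on the path means the code is actually called
			}
		}
	}
	return out, nil
}

// Report renders one line per OSV, sorted by ID. Unreachable entries are
// marked "bump anyway": the module version is still vulnerable even when no
// call path was found, so the dependency bump remains the right action.
func Report(ts map[string]*Triage) []string {
	var lines []string
	for _, t := range ts {
		state := "REACHABLE (called)"
		if !t.Reachable {
			state = "module-level only (bump anyway)"
		}
		lines = append(lines, fmt.Sprintf("%s %s %s -> %s: %s", t.OSV, t.Module, t.Found, t.Fixed, state))
	}
	sort.Strings(lines)
	return lines
}

// sample is a constructed govulncheck -json stream, not real scanner output.
// The first two entries mirror the IDs and versions in the PR description;
// GO-EXAMPLE-0001 and example.com/* are placeholders for a reachable case.
const sample = `{"config":{"scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-2024-2611","fixed_version":"v1.33.0","trace":[{"module":"google.golang.org/protobuf","version":"v1.31.0"}]}}
{"finding":{"osv":"GO-2023-2412","fixed_version":"v1.6.26","trace":[{"module":"github.com/containerd/containerd","version":"v1.6.18"}]}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v1.2.0","trace":[{"module":"example.com/lib","version":"v1.1.0","package":"example.com/lib","function":"Parse"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
`

func main() {
	ts, err := Classify(strings.NewReader(sample))
	if err != nil {
		panic(err)
	}
	for _, l := range Report(ts) {
		fmt.Println(l)
	}
}
```

Run against a real scan with `govulncheck -json ./... | go run ./triage` (the program reads the stream from the reader you hand `Classify`; here it reads the embedded sample). A module-level-only result is what the PR author is describing: the bump is still warranted, but the finding is not evidence the program is exploitable.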
@pmengelbert pmengelbert (Contributor) left a comment


LGTM, trivy scan is still failing, I assume that's ok?

@sozercan sozercan merged commit 6f2b5d7 into eraser-dev:main Mar 26, 2024
91 of 92 checks passed
@sozercan sozercan deleted the bump-protobuf-containerd branch March 26, 2024 03:00