CVE-2021-3121 is a vulnerability in gogo/protobuf versions <1.3.2. Note that as the bug is in a code generator it can't be fixed by bumping a dependency. Fixing it requires all dependencies, transitively, to update and regenerate code, then we need to pull in updated versions of our direct dependencies.
In the case of this driver all the vulnerable code is pulled in via k8s v0.20.0:
$ git grep -l "if skippy < 0 {"
vendor/k8s.io/api/admission/v1/generated.pb.go
vendor/k8s.io/api/admission/v1beta1/generated.pb.go
vendor/k8s.io/api/admissionregistration/v1/generated.pb.go
vendor/k8s.io/api/admissionregistration/v1beta1/generated.pb.go
vendor/k8s.io/api/apiserverinternal/v1alpha1/generated.pb.go
vendor/k8s.io/api/apps/v1/generated.pb.go
... a total of 53 files
These can be fixed [1] by updating to k8s v0.20.6 or later.
[1] There is 1 remaining instance in apimachinery which was missed: kubernetes/kubernetes#101306
Note that this issue has been public for some time, so security handling is not warranted.
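As an added example (not part of the issue or of the driver's code), the `git grep` check above can be turned into a script that groups the files still carrying the `if skippy < 0 {` marker by vendored module, which shows which dependency still needs a regenerated release, and exits non-zero until none remain. The module paths in the sample tree are constructed, and the rule for cutting a module path out of a vendor path is a heuristic assumption.

```shell
#!/bin/sh
# Added example, not code from the driver, Kubernetes or gogo/protobuf.
MARKER='if skippy < 0 {'   # the string the issue greps for

# Print every *.pb.go file under DIR that still contains the marker.
list_unregenerated() {
    find "$1" -type f -name '*.pb.go' -exec grep -lF -- "$MARKER" {} + | sort
}

# Count flagged files per vendored module. Heuristic (assumption): a module
# path is two components after vendor/, three when it starts with github.com.
summarize_by_module() {
    list_unregenerated "$1" | awk -F/ '
        { v = 0
          for (i = 1; i <= NF; i++) if ($i == "vendor") v = i
          if (v == 0 || v + 2 >= NF) mod = "(not vendored)"
          else {
              mod = $(v+1) "/" $(v+2)
              if ($(v+1) == "github.com" && v + 3 < NF) mod = mod "/" $(v+3)
          }
          count[mod]++ }
        END { for (m in count) printf "%d %s\n", count[m], m }' | sort -k2
}

# CI gate: non-zero exit while any flagged file remains.
check_tree() {
    n=$(list_unregenerated "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] && return 0
    echo "$n generated file(s) still contain '$MARKER':" >&2
    summarize_by_module "$1" >&2
    return 1
}

# Constructed sample tree: three old-style files and one regenerated file
# (the latter uses the combined check that gogo/protobuf 1.3.2 emits).
make_sample_tree() {
    t=$(mktemp -d)
    for f in example.com/moda/v1/generated.pb.go example.com/moda/v2/generated.pb.go \
             github.com/example/lib/types/types.pb.go; do
        mkdir -p "$t/vendor/${f%/*}"
        printf '\t\t\tif skippy < 0 {\n' > "$t/vendor/$f"
    done
    mkdir -p "$t/vendor/example.com/modb/v1"
    printf '\t\t\tif (skippy < 0) || (iNdEx+skippy) < 0 {\n' \
        > "$t/vendor/example.com/modb/v1/generated.pb.go"
    echo "$t"
}

# Usage: script [DIR]; with no argument it runs on the constructed sample.
dir=${1:-$(make_sample_tree)}
summarize_by_module "$dir"
```

Because the marker is matched as a fixed string, a file that was hand-edited rather than regenerated can pass or fail this check regardless of whether it is actually safe; it reports generator vintage, not reachability.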