
Bump alpine 3.20 and golang modules #912

Merged

Conversation

neiljain
Contributor

@neiljain neiljain commented May 29, 2024

  • Fix alpine 3.19.1 CVEs
  • Bump go modules to match 1.22.3 version being used

oliver006/redis_exporter/v1.59.0-alpine

CVE            | Affected packages
CVE-2023-42366 | 3.19 busybox, 3.19 busybox-binsh, 3.19 ssl_client
CVE-2024-2511  | 3.19 libcrypto3, 3.19 libssl3

- to fix CVEs reported in 3.19.1

Signed-off-by: Neelesh Jain <neiljain@users.noreply.github.com>
@coveralls

coveralls commented May 30, 2024

Pull Request Test Coverage Report for Build 361

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 43 unchanged lines in 2 files lost coverage.
  • Overall coverage decreased (-0.1%) to 84.107%

Files with Coverage Reduction | New Missed Lines | %
main.go                       | 19               | 0.0%
exporter/exporter.go          | 24               | 94.45%

Totals | Coverage Status
Change from base Build 350: -0.1%
Covered Lines: 1974
Relevant Lines: 2347

💛 - Coveralls

@oliver006
Owner

@neiljain
Contributor Author

neiljain commented May 31, 2024

Looks like golang 1.22 should already be supported with https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.16.4/#golang-1 or higher, and this one failed with codeql 2.17.3 for some reason.

@oliver006
Owner

Let's roll back the go.mod file, it's not that important (i.e. it doesn't determine what version the exporter is built with) and ship the alpine upgrade only.

@oliver006 oliver006 merged commit 4b1e805 into oliver006:master Jun 1, 2024
3 of 4 checks passed
@neiljain
Contributor Author

neiljain commented Jun 3, 2024

I realize that this PR didn't quite make the cut for v1.60.0 ... is it possible to push a new v1.61.0 release for this change so some of the CVEs are resolved?

@neiljain neiljain deleted the feature/bump-alpine-3-20 branch June 3, 2024 23:37
@oliver006
Owner

Released as v1.61.0
