Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updates to latest maven versions aligned with latest docker images #3785

Merged
merged 9 commits into from
Dec 4, 2024
Merged

Updates to latest maven versions aligned with latest docker images #3785

merged 9 commits into from
Dec 4, 2024

Conversation

codefromthecrypt
Copy link
Member

This also updates example docker images to latest

@codefromthecrypt
Updates to latest maven versions aligned with latest docker images
211856e 
This also updates example docker images to latest

Signed-off-by: Adrian Cole <adrian.cole@elastic.co>
@codefromthecrypt
less cves
2f87416 
Signed-off-by: Adrian Cole <adrian.cole@elastic.co>
@codefromthecrypt
downgrade
d8da62c 
Signed-off-by: Adrian Cole <adrian.cole@elastic.co>
@codefromthecrypt
workaround lint false negative
ec85960 
Signed-off-by: Adrian Cole <adrian.cole@elastic.co>
@codefromthecrypt
Copy link
Member Author

raised tcort/markdown-link-check#377 for the false negative on lint

@codefromthecrypt
Copy link
Member Author

@reta @making @shakuzen what's left is the UI (zipkin-lens) CVE which cannot be automatically fixed as it seems there's a breaking change. This PR is against the main repo, so PRs can go against it if someone doesn't have access to add a commit. Once done, back on track. Appreciate a hand pinging someone to help with this, or doing it directly.

┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ cross-spawn │ https://github.com/advisories/GHSA-3xgq-45jj-v275 │ HIGH │ fixed │ 6.0.5 │ 7.0.5, 6.0.6 │ Regular Expression Denial of Service (ReDoS) in cross-spawn │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-21538 │
│ │ │ │ ├───────────────────┤ │ │
│ │ │ │ │ 7.0.3 │ │ │
│ │ │ │ │ │ │ │
├───────────────────────┼────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ http-proxy-middleware │ https://github.com/advisories/GHSA-c7qv-q95q-8v27 │ │ │ 1.3.1 │ 2.0.7, 3.0.3 │ http-proxy-middleware: Denial of Service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-21536 │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

reta
reta reviewed Nov 20, 2024
View reviewed changes
docker/test-images/zipkin-eureka/pom.xml Outdated
@@ -29,20 +29,20 @@
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>3.3.4</version>
<version>3.3.5</version>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe 3.3.6 is expected to land on Thu

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3.3.6 is out!

@codefromthecrypt
switch lint bug
3ece301 
Signed-off-by: Adrian Cole <adrian.cole@elastic.co>
@codefromthecrypt
Copy link
Member Author

suggestion: why don't we bump, merge and release this (after updating deps unrelated to docker). In the release notes, we can say "help wanted" to fix the remaining CVEs in the UI. Some don't use the UI at all, and/or might not care about those CVEs. Meanwhile, if no one can help fix them, we shouldn't hold the rest of the project and downstream hostage.

@reta if cool by you, you can edit this branch about spring boot version and merge!

shakuzen
shakuzen approved these changes Dec 4, 2024
View reviewed changes
Copy link
Member

@shakuzen shakuzen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure why the lint check is failing given https://github.com/openzipkin/zipkin/pull/3785/files#diff-23773f5014e0437c31c4c94b70d816279ceba1e308127698bda89bf9582b09d5R4-R5 but looks good to me

@reta
Copy link
Contributor

reta commented Dec 4, 2024

I'm not sure why the lint check is failing given https://github.com/openzipkin/zipkin/pull/3785/files#diff-23773f5014e0437c31c4c94b70d816279ceba1e308127698bda89bf9582b09d5R4-R5 but looks good to me

It is because this link https://fluffy.cc/ is not available anymore, I will update docs shortly to remove it

@reta
Remove unreachable https://fluffy.cc/ link
70fa3df 
Signed-off-by: Andriy Redko <drreta@gmail.com>
@reta reta marked this pull request as ready for review December 4, 2024 12:44
@reta
Copy link
Contributor

reta commented Dec 4, 2024

Merging, thanks @codefromthecrypt and @shakuzen !

@reta reta merged commit 88e4683 into master Dec 4, 2024
14 checks passed
@reta reta deleted the docker-updates branch December 4, 2024 14:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@reta reta reta left review comments

@shakuzen shakuzen shakuzen approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@codefromthecrypt @reta @shakuzen