Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2023-44487: Bump grpc for indirect usages #68

Closed
wants to merge 1 commit into from
Closed

CVE-2023-44487: Bump grpc for indirect usages #68

wants to merge 1 commit into from

Conversation

oshoval
Copy link
Collaborator

@oshoval oshoval commented Nov 13, 2023
edited
Loading

What this PR does / why we need it:
We still have potential indirect uses (go.sum)
of affected google.golang.org/grpc according Snyk.
For example cloud.google.com/go v0.97.0.

Note that it is not actually linked, else
it would be on go.mod as well.
Moreover in this case grpc isn't even vendored.

Bump grpc to a fixed version (using replace directive).
This in turn also auto deprecate some old versions,
for example it replaced here cloud.google.com/go v0.97.0.
It will make the scanner happy, and also avoid silent possible
use of the affected package in the future.

GHSA-qppj-fm5r-hxr3

Special notes for your reviewer:

@kubevirt-bot kubevirt-bot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label Nov 13, 2023
@kubevirt-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign alonakaplan for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@oshoval oshoval changed the title CVE-2023-44487: Fix indirect calls WIP CVE-2023-44487: Fix indirect calls Nov 13, 2023
@kubevirt-bot kubevirt-bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 13, 2023
@oshoval oshoval changed the title WIP CVE-2023-44487: Fix indirect calls WIP CVE-2023-44487: Fix indirect calls of grpc package Nov 13, 2023
@oshoval oshoval changed the title WIP CVE-2023-44487: Fix indirect calls of grpc package WIP CVE-2023-44487: Bump grpc for indirect usages Nov 13, 2023
@oshoval
CVE-2023-44487: Bump grpc for indirect usages
b0cb370 
We still have potential indirect uses
of affected google.golang.org/grpc.
For example cloud.google.com/go v0.97.0 (and many more according Synk).

Hence bump grpc to a fixed version.

GHSA-qppj-fm5r-hxr3

Signed-off-by: Or Shoval <[email protected]>
@oshoval oshoval changed the title WIP CVE-2023-44487: Bump grpc for indirect usages CVE-2023-44487: Bump grpc for indirect usages Nov 13, 2023
@kubevirt-bot kubevirt-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 13, 2023
@RamLavi
Copy link

RamLavi commented Nov 13, 2023

Hey @oshoval
I am not sure that we need to address go.sum mentions. Please take a look at this thread and tell me what you think.

@oshoval
Copy link
Collaborator Author

oshoval commented Nov 13, 2023
edited
Loading

Hey @oshoval I am not sure that we need to address go.sum mentions. Please take a look at this thread and tell me what you think.

Hi Ram
Right, but PR desc is updated with the reasons why it is nice to have (even not mandatory)
The only drawback is that it "freeze" grpc on following make vendor.
We can close this PR, but it means that we will need to have a way to check our go.mod for changes
and disregard go.sum (which might be possible using Snyk advanced settings).
Another option is if we can have ignore list of the reports that aren't important (but only if they can't be escalated to be real issues).
Once we will have auto Jira reporting, we can close them there (hopefully the wont be opened again).

@oshoval
Copy link
Collaborator Author

oshoval commented Nov 13, 2023
edited
Loading

lets close (because the "freeze" issue, it is not a good practice, and we should prioritize)
we would need to make sure we have filters on Snyk but not missing real stuff that might pop

@oshoval oshoval closed this Nov 13, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AlonaKaplan AlonaKaplan Awaiting requested review from AlonaKaplan

@dteplits dteplits Awaiting requested review from dteplits

Assignees
No one assigned
Labels
dco-signoff: yes Indicates the PR's author has DCO signed all their commits. size/XXL
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@oshoval @kubevirt-bot @RamLavi