Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updates to latest maven versions aligned with latest docker images #3785

Merged
merged 9 commits into from
Dec 4, 2024

Conversation

codefromthecrypt
Copy link
Member

This also updates example docker images to latest

This also updates example docker images to latest

Signed-off-by: Adrian Cole <[email protected]>
Signed-off-by: Adrian Cole <[email protected]>
Signed-off-by: Adrian Cole <[email protected]>
@codefromthecrypt
Copy link
Member Author

raised tcort/markdown-link-check#377 for the false negative on lint

@codefromthecrypt
Copy link
Member Author

@reta @making @shakuzen what's left is the UI (zipkin-lens) CVE which cannot be automatically fixed as it seems there's a breaking change. This PR is against the main repo, so PRs can go against it if someone doesn't have access to add a commit. Once done, back on track. Appreciate a hand pinging someone to help with this, or doing it directly.

┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ cross-spawn │ https://github.com/advisories/GHSA-3xgq-45jj-v275 │ HIGH │ fixed │ 6.0.5 │ 7.0.5, 6.0.6 │ Regular Expression Denial of Service (ReDoS) in cross-spawn │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-21538 │
│ │ │ │ ├───────────────────┤ │ │
│ │ │ │ │ 7.0.3 │ │ │
│ │ │ │ │ │ │ │
├───────────────────────┼────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ http-proxy-middleware │ https://github.com/advisories/GHSA-c7qv-q95q-8v27 │ │ │ 1.3.1 │ 2.0.7, 3.0.3 │ http-proxy-middleware: Denial of Service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-21536 │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

@@ -29,20 +29,20 @@
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>3.3.4</version>
<version>3.3.5</version>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe 3.3.6 is expected to land on Thu

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3.3.6 is out!

Signed-off-by: Adrian Cole <[email protected]>
@codefromthecrypt
Copy link
Member Author

suggestion: why don't we bump, merge and release this (after updating deps unrelated to docker). In the release notes, we can say "help wanted" to fix the remaining CVEs in the UI. Some don't use the UI at all, and/or might not care about those CVEs. Meanwhile, if no one can help fix them, we shouldn't hold the rest of the project and downstream hostage.

@reta if cool by you, you can edit this branch about spring boot version and merge!

Copy link
Member

@shakuzen shakuzen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@reta
Copy link
Contributor

reta commented Dec 4, 2024

I'm not sure why the lint check is failing given https://github.com/openzipkin/zipkin/pull/3785/files#diff-23773f5014e0437c31c4c94b70d816279ceba1e308127698bda89bf9582b09d5R4-R5 but looks good to me

It is because this link https://fluffy.cc/ is not available anymore, I will update docs shortly to remove it

@reta reta marked this pull request as ready for review December 4, 2024 12:44
@reta
Copy link
Contributor

reta commented Dec 4, 2024

Merging, thanks @codefromthecrypt and @shakuzen !

@reta reta merged commit 88e4683 into master Dec 4, 2024
14 checks passed
@reta reta deleted the docker-updates branch December 4, 2024 14:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants