chore: update fluent/fluentd base to v1.14.5 (#399)

* Upgrade fluent/fluentd base to v1.14.5 to fix ~100 CVEs * Update Ruby to 2.7 * Update vulnerable gem, cgi * Remove vulnerable versions of Ruby gem cgi * Update Dockerfile Co-authored-by: Dominik Rosiek <[email protected]> * Update Dockerfile Co-authored-by: Dominik Rosiek <[email protected]> * Update fluentd gem to 1.14.5 * Update gemfile * Update gemfile * Update serverengine to 2.2.5 * Update fluentd in all plugins * Update fluentd to 1.14.5 in alpine image Co-authored-by: Dominik Rosiek <[email protected]>
SumoLogic · Mar 7, 2022 · 6d75c1e · 6d75c1e
1 parent 6e7a202
commit 6d75c1e
Show file tree

Hide file tree

Showing 16 changed files with 67 additions and 65 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 ARG FLUENTD_ARCH
-FROM ruby:2.6.9-buster AS builder
+FROM ruby:2.7.5-bullseye AS builder
 
 # Dependencies
 RUN apt-get update \
@@ -23,7 +23,7 @@ RUN gem install \
 
 # Fluentd plugin dependencies
 RUN gem install \
-        fluentd:1.14.4 \
+        fluentd:1.14.5 \
         concurrent-ruby:1.1.8 \
         google-protobuf:3.19.2 \
         lru_redux:1.1.0 \
@@ -99,34 +99,36 @@ RUN gem install \
 RUN rm -rf /usr/local/bundle/cache/* \
  && find /usr/local/bundle/ -name "*.o" | xargs rm
 
-FROM fluent/fluentd:v1.14.4-debian${FLUENTD_ARCH}-1.0
+FROM fluent/fluentd:v1.14.5-debian${FLUENTD_ARCH}-1.0
 
 USER root
 
 # 1. Update system packages.
 # 2. Install required system packages.
-# 3. Clean up after system package installation.
-# 4. Delete vulnerable versions of Ruby gems to silence security scanners.
+# 3. Update vulnerable gem, cgi
+# 4. Clean up after system package installation.
+# 5. Delete vulnerable versions of Ruby gems to silence security scanners.
 RUN apt-get update \
  && apt-get upgrade --yes \
  && apt-get install --yes --no-install-recommends \
         libsnappy-dev \
         curl \
         jq \
+ && gem update cgi \
  && gem cleanup \
  && rm -rf /var/lib/apt/lists/ \
  && rm -rf /var/lib/dpkg/info/ \
- && rm -rf /usr/local/lib/ruby/2.6.0/bundler/ \
- && rm /usr/local/lib/ruby/2.6.0/bundler.rb \
- && rm /usr/local/lib/ruby/gems/2.6.0/specifications/default/bundler-*.gemspec \
- && rm -rf /usr/local/lib/ruby/2.6.0/json/ \
- && rm /usr/local/lib/ruby/2.6.0/json.rb \
- && rm /usr/local/lib/ruby/gems/2.6.0/specifications/default/json-*.gemspec \
- && rm -rf /usr/local/lib/ruby/2.6.0/rdoc/ \
- && rm /usr/local/lib/ruby/2.6.0/rdoc.rb \
- && rm /usr/local/lib/ruby/gems/2.6.0/specifications/default/rdoc-*.gemspec \
- && rm -rf /usr/local/lib/ruby/2.6.0/rexml/ \
- && rm /usr/local/lib/ruby/gems/2.6.0/specifications/default/rexml-*.gemspec
+ && rm -rf /usr/local/lib/ruby/2.7.0/bundler/ \
+ && rm /usr/local/lib/ruby/2.7.0/bundler.rb \
+ && rm /usr/local/lib/ruby/gems/2.7.0/specifications/default/bundler-*.gemspec \
+ && rm -rf /usr/local/lib/ruby/2.7.0/json/ \
+ && rm /usr/local/lib/ruby/2.7.0/json.rb \
+ && rm /usr/local/lib/ruby/gems/2.7.0/specifications/default/json-*.gemspec \
+ && rm -rf /usr/local/lib/ruby/2.7.0/rdoc/ \
+ && rm /usr/local/lib/ruby/2.7.0/rdoc.rb \
+ && rm /usr/local/lib/ruby/gems/2.7.0/specifications/default/rdoc-*.gemspec \
+ && rm -rf /usr/local/lib/ruby/2.7.0/rexml/ \
+ && rm /usr/local/lib/ruby/gems/2.7.0/specifications/default/rexml-*.gemspec
 
 COPY --from=builder --chown=fluent:fluent /usr/local/bundle /usr/local/bundle
 COPY ./entrypoint.sh /bin/

diff --git a/alpine.Dockerfile b/alpine.Dockerfile
@@ -24,7 +24,7 @@ RUN gem install \
         bigdecimal:1.4.4 \
         concurrent-ruby:1.1.8 \
         ext_monitor:0.1.2 \
-        fluentd:1.14.4 \
+        fluentd:1.14.5 \
         google-protobuf:3.19.2 \
         json:2.4.1 \
         lru_redux:1.1.0 \

diff --git a/fluent-plugin-datapoint/Gemfile.lock b/fluent-plugin-datapoint/Gemfile.lock
@@ -2,30 +2,30 @@ PATH
   remote: .
   specs:
     fluent-plugin-datapoint (2.0.0)
-      fluentd (= 1.14.4)
+      fluentd (= 1.14.5)
 
 GEM
   remote: https://rubygems.org/
   specs:
     concurrent-ruby (1.1.9)
     cool.io (1.7.1)
-    fluentd (1.14.4)
+    fluentd (1.14.5)
       bundler
       cool.io (>= 1.4.5, < 2.0.0)
       http_parser.rb (>= 0.5.1, < 0.9.0)
       msgpack (>= 1.3.1, < 2.0.0)
-      serverengine (>= 2.2.2, < 3.0.0)
+      serverengine (>= 2.2.5, < 3.0.0)
       sigdump (~> 0.2.2)
       strptime (>= 0.2.4, < 1.0.0)
       tzinfo (>= 1.0, < 3.0)
       tzinfo-data (~> 1.0)
       webrick (>= 1.4.2, < 1.8.0)
       yajl-ruby (~> 1.0)
     http_parser.rb (0.8.0)
-    msgpack (1.4.2)
+    msgpack (1.4.5)
     power_assert (2.0.1)
     rake (13.0.6)
-    serverengine (2.2.4)
+    serverengine (2.2.5)
       sigdump (~> 0.2.2)
     sigdump (0.2.4)
     strptime (0.2.5)

diff --git a/fluent-plugin-datapoint/fluent-plugin-datapoint.gemspec b/fluent-plugin-datapoint/fluent-plugin-datapoint.gemspec
@@ -18,5 +18,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "bundler", "~> 2.0"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "test-unit", "~> 3.0"
-  spec.add_runtime_dependency "fluentd", "= 1.14.4"
+  spec.add_runtime_dependency "fluentd", "= 1.14.5"
 end
diff --git a/fluent-plugin-enhance-k8s-metadata/Gemfile.lock b/fluent-plugin-enhance-k8s-metadata/Gemfile.lock
@@ -15,7 +15,7 @@ PATH
   specs:
     fluent-plugin-enhance-k8s-metadata (2.0.0)
       concurrent-ruby (~> 1.1)
-      fluentd (= 1.14.4)
+      fluentd (= 1.14.5)
       lru_redux (~> 1.1.0)
       net-http-persistent (~> 4.0)
 
@@ -42,12 +42,12 @@ GEM
     ffi-compiler (1.0.1)
       ffi (>= 1.0.0)
       rake
-    fluentd (1.14.4)
+    fluentd (1.14.5)
       bundler
       cool.io (>= 1.4.5, < 2.0.0)
       http_parser.rb (>= 0.5.1, < 0.9.0)
       msgpack (>= 1.3.1, < 2.0.0)
-      serverengine (>= 2.2.2, < 3.0.0)
+      serverengine (>= 2.2.5, < 3.0.0)
       sigdump (~> 0.2.2)
       strptime (>= 0.2.4, < 1.0.0)
       tzinfo (>= 1.0, < 3.0)
@@ -69,7 +69,7 @@ GEM
     jsonpath (1.1.0)
       multi_json
     lru_redux (1.1.0)
-    msgpack (1.4.2)
+    msgpack (1.4.5)
     multi_json (1.15.0)
     multipart-post (2.1.1)
     net-http-persistent (4.0.1)
@@ -80,7 +80,7 @@ GEM
     recursive-open-struct (1.1.3)
     rexml (3.2.5)
     ruby2_keywords (0.0.4)
-    serverengine (2.2.4)
+    serverengine (2.2.5)
       sigdump (~> 0.2.2)
     sigdump (0.2.4)
     strptime (0.2.5)
@@ -112,4 +112,4 @@ DEPENDENCIES
   webmock (~> 3.0)
 
 BUNDLED WITH
-   2.2.33
+   2.3.4
diff --git a/fluent-plugin-enhance-k8s-metadata/fluent-plugin-enhance-k8s-metadata.gemspec b/fluent-plugin-enhance-k8s-metadata/fluent-plugin-enhance-k8s-metadata.gemspec
@@ -16,7 +16,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ['lib']
 
   spec.add_runtime_dependency 'concurrent-ruby', '~> 1.1'
-  spec.add_runtime_dependency "fluentd", "= 1.14.4"
+  spec.add_runtime_dependency "fluentd", "= 1.14.5"
   # spec.add_runtime_dependency 'kubeclient', '4.9.1' # Git version of Kubeclient specified in Gemfile
   spec.add_runtime_dependency 'lru_redux', '~> 1.1.0'
   spec.add_runtime_dependency 'net-http-persistent', '~> 4.0'

diff --git a/fluent-plugin-events/Gemfile.lock b/fluent-plugin-events/Gemfile.lock
@@ -14,7 +14,7 @@ PATH
   remote: .
   specs:
     fluent-plugin-events (2.0.0)
-      fluentd (= 1.14.4)
+      fluentd (= 1.14.5)
       net-http-persistent (~> 4.0)
 
 GEM
@@ -40,12 +40,12 @@ GEM
     ffi-compiler (1.0.1)
       ffi (>= 1.0.0)
       rake
-    fluentd (1.14.4)
+    fluentd (1.14.5)
       bundler
       cool.io (>= 1.4.5, < 2.0.0)
       http_parser.rb (>= 0.5.1, < 0.9.0)
       msgpack (>= 1.3.1, < 2.0.0)
-      serverengine (>= 2.2.2, < 3.0.0)
+      serverengine (>= 2.2.5, < 3.0.0)
       sigdump (~> 0.2.2)
       strptime (>= 0.2.4, < 1.0.0)
       tzinfo (>= 1.0, < 3.0)
@@ -67,7 +67,7 @@ GEM
     jsonpath (1.1.0)
       multi_json
     mocha (1.13.0)
-    msgpack (1.4.2)
+    msgpack (1.4.5)
     multi_json (1.15.0)
     multipart-post (2.1.1)
     net-http-persistent (4.0.1)
@@ -78,7 +78,7 @@ GEM
     recursive-open-struct (1.1.3)
     rexml (3.2.5)
     ruby2_keywords (0.0.4)
-    serverengine (2.2.4)
+    serverengine (2.2.5)
       sigdump (~> 0.2.2)
     sigdump (0.2.4)
     strptime (0.2.5)
@@ -111,4 +111,4 @@ DEPENDENCIES
   webmock (~> 3.0)
 
 BUNDLED WITH
-   2.2.33
+   2.3.4
diff --git a/fluent-plugin-events/fluent-plugin-events.gemspec b/fluent-plugin-events/fluent-plugin-events.gemspec
@@ -18,7 +18,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "bundler", "~> 2.0"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "test-unit", "~> 3.0"
-  spec.add_runtime_dependency "fluentd", "= 1.14.4"
+  spec.add_runtime_dependency "fluentd", "= 1.14.5"
   # spec.add_runtime_dependency 'kubeclient', '4.9.1' # Git version of Kubeclient specified in Gemfile
   spec.add_runtime_dependency 'net-http-persistent', '~> 4.0'
   spec.add_development_dependency 'webmock', '~> 3.0'

diff --git a/fluent-plugin-kubernetes-metadata-filter/Gemfile.lock b/fluent-plugin-kubernetes-metadata-filter/Gemfile.lock
@@ -14,7 +14,7 @@ PATH
   remote: .
   specs:
     fluent-plugin-kubernetes-metadata-filter (2.5.3)
-      fluentd (= 1.14.4)
+      fluentd (= 1.14.5)
       lru_redux
       net-http-persistent (~> 4.0)
 
@@ -50,12 +50,12 @@ GEM
     ffi-compiler (1.0.1)
       ffi (>= 1.0.0)
       rake
-    fluentd (1.14.4)
+    fluentd (1.14.5)
       bundler
       cool.io (>= 1.4.5, < 2.0.0)
       http_parser.rb (>= 0.5.1, < 0.9.0)
       msgpack (>= 1.3.1, < 2.0.0)
-      serverengine (>= 2.2.2, < 3.0.0)
+      serverengine (>= 2.2.5, < 3.0.0)
       sigdump (~> 0.2.2)
       strptime (>= 0.2.4, < 1.0.0)
       tzinfo (>= 1.0, < 3.0)
@@ -85,7 +85,7 @@ GEM
     lru_redux (1.1.0)
     mini_mime (1.0.2)
     minitest (5.15.0)
-    msgpack (1.4.2)
+    msgpack (1.4.5)
     multi_json (1.15.0)
     multipart-post (2.1.1)
     net-http-persistent (4.0.1)
@@ -115,7 +115,7 @@ GEM
     ruby-progressbar (1.11.0)
     ruby2_keywords (0.0.4)
     rugged (1.1.0)
-    serverengine (2.2.4)
+    serverengine (2.2.5)
       sigdump (~> 0.2.2)
     sigdump (0.2.4)
     simplecov (0.13.0)
@@ -165,4 +165,4 @@ DEPENDENCIES
   yajl-ruby
 
 BUNDLED WITH
-   2.2.33
+   2.3.4
diff --git a/fluent-plugin-kubernetes-metadata-filter/fluent-plugin-kubernetes-metadata-filter.gemspec b/fluent-plugin-kubernetes-metadata-filter/fluent-plugin-kubernetes-metadata-filter.gemspec
@@ -17,7 +17,7 @@ Gem::Specification.new do |gem|
 
   gem.required_ruby_version = '>= 2.5.0'
 
-  gem.add_runtime_dependency "fluentd", "= 1.14.4"
+  gem.add_runtime_dependency "fluentd", "= 1.14.5"
   gem.add_runtime_dependency "lru_redux"
   # gem.add_runtime_dependency 'kubeclient', '< 5' # Git version of Kubeclient specified in Gemfile
   gem.add_runtime_dependency 'net-http-persistent', '~> 4.0'

diff --git a/fluent-plugin-kubernetes-sumologic/Gemfile.lock b/fluent-plugin-kubernetes-sumologic/Gemfile.lock
@@ -2,7 +2,7 @@ PATH
   remote: .
   specs:
     fluent-plugin-kubernetes-sumologic (2.0.0)
-      fluentd (= 1.14.4)
+      fluentd (= 1.14.5)
       httpclient (~> 2.8.0)
 
 GEM
@@ -17,12 +17,12 @@ GEM
     crack (0.4.5)
       rexml
     docile (1.3.5)
-    fluentd (1.14.4)
+    fluentd (1.14.5)
       bundler
       cool.io (>= 1.4.5, < 2.0.0)
       http_parser.rb (>= 0.5.1, < 0.9.0)
       msgpack (>= 1.3.1, < 2.0.0)
-      serverengine (>= 2.2.2, < 3.0.0)
+      serverengine (>= 2.2.5, < 3.0.0)
       sigdump (~> 0.2.2)
       strptime (>= 0.2.4, < 1.0.0)
       tzinfo (>= 1.0, < 3.0)
@@ -32,12 +32,12 @@ GEM
     hashdiff (1.0.1)
     http_parser.rb (0.8.0)
     httpclient (2.8.3)
-    msgpack (1.4.2)
+    msgpack (1.4.5)
     power_assert (2.0.0)
     public_suffix (4.0.6)
     rake (13.0.3)
     rexml (3.2.5)
-    serverengine (2.2.4)
+    serverengine (2.2.5)
       sigdump (~> 0.2.2)
     sigdump (0.2.4)
     simplecov (0.21.2)
@@ -73,4 +73,4 @@ DEPENDENCIES
   webmock
 
 BUNDLED WITH
-   2.2.33
+   2.3.4
diff --git a/fluent-plugin-kubernetes-sumologic/fluent-plugin-kubernetes-sumologic.gemspec b/fluent-plugin-kubernetes-sumologic/fluent-plugin-kubernetes-sumologic.gemspec
@@ -22,6 +22,6 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rake"
   spec.add_development_dependency 'test-unit', '~> 3.4.0'
   spec.add_development_dependency "codecov", ">= 0.1.10"
-  spec.add_runtime_dependency "fluentd", "= 1.14.4"
+  spec.add_runtime_dependency "fluentd", "= 1.14.5"
   spec.add_runtime_dependency 'httpclient', '~> 2.8.0'
 end
diff --git a/fluent-plugin-prometheus-format/Gemfile.lock b/fluent-plugin-prometheus-format/Gemfile.lock
@@ -2,30 +2,30 @@ PATH
   remote: .
   specs:
     fluent-plugin-prometheus-format (2.0.0)
-      fluentd (= 1.14.4)
+      fluentd (= 1.14.5)
 
 GEM
   remote: https://rubygems.org/
   specs:
     concurrent-ruby (1.1.9)
     cool.io (1.7.1)
-    fluentd (1.14.4)
+    fluentd (1.14.5)
       bundler
       cool.io (>= 1.4.5, < 2.0.0)
       http_parser.rb (>= 0.5.1, < 0.9.0)
       msgpack (>= 1.3.1, < 2.0.0)
-      serverengine (>= 2.2.2, < 3.0.0)
+      serverengine (>= 2.2.5, < 3.0.0)
       sigdump (~> 0.2.2)
       strptime (>= 0.2.4, < 1.0.0)
       tzinfo (>= 1.0, < 3.0)
       tzinfo-data (~> 1.0)
       webrick (>= 1.4.2, < 1.8.0)
       yajl-ruby (~> 1.0)
     http_parser.rb (0.8.0)
-    msgpack (1.4.2)
+    msgpack (1.4.5)
     power_assert (2.0.1)
     rake (13.0.6)
-    serverengine (2.2.4)
+    serverengine (2.2.5)
       sigdump (~> 0.2.2)
     sigdump (0.2.4)
     strptime (0.2.5)
@@ -48,4 +48,4 @@ DEPENDENCIES
   test-unit (~> 3.0)
 
 BUNDLED WITH
-   2.2.33
+   2.3.4
diff --git a/fluent-plugin-prometheus-format/fluent-plugin-prometheus-format.gemspec b/fluent-plugin-prometheus-format/fluent-plugin-prometheus-format.gemspec
@@ -18,5 +18,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "bundler", "~> 2.0"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "test-unit", "~> 3.0"
-  spec.add_runtime_dependency "fluentd", "= 1.14.4"
+  spec.add_runtime_dependency "fluentd", "= 1.14.5"
 end