Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Handle CVE-2022-27191 #725

Merged
merged 1 commit into from
Apr 22, 2022
Merged

Handle CVE-2022-27191 #725

merged 1 commit into from
Apr 22, 2022

Conversation

smuda
Copy link
Contributor

@smuda smuda commented Apr 21, 2022

Description

Running trivy reveals CVE-2022-27191 in golang.org/x/crypto

LIBRARY VULNERABILITY ID SEVERITY INSTALLED VERSION FIXED VERSION TITLE
golang.org/x/crypto CVE-2022-27191 HIGH v0.0.0-20201002170205-7f63de1d35b0 0.0.0-20220315160706-3147a52a75dd golang: crash in a golang.org/x/crypto/ssh server -->avd.aquasec.com/nvd/cve-2022-27191

That indirect dependency is coming from a number of dependencies:

% go mod graph | grep v0.0.0-20201002170205-7f63de1d35b0                                          
k8s.io/[email protected] golang.org/x/[email protected]
github.com/Azure/go-autorest/autorest/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
k8s.io/[email protected] golang.org/x/[email protected]
k8s.io/[email protected] golang.org/x/[email protected]

If we don't want to update all dependencies, a simple replace directive will handle the CVE.

Relevant issues/tickets

The issue was detected in PR #724

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • This change requires a documentation update
  • I have added tests that prove my fix is effective or that my feature works
  • I have added a test case that will be used to verify my changes
  • Verified independently on a cluster by reviewer

Verification steps

$ docker build --no-cache -t grafana-operator:cve . 
$ trivy image --vuln-type  os,library --severity  CRITICAL,HIGH --no-progress grafana-operator:cve

@NissesSenap
Copy link
Collaborator

Thanks alot for this, I saw the error yesterday but I didn't have time to actually think of what the problem was.

@smuda was going to rebase your branch but I don't think you have given maintainers right to update your branches so you have to do it yourself.
Ping me when it's done and I will merge the PR.

@smuda
Copy link
Contributor Author

smuda commented Apr 22, 2022

@NissesSenap Rebased and tests pass.

And I'll look into giving maintainers rights, I didn't know I could/should do something like that... :-)

@NissesSenap NissesSenap merged commit e02ef8c into grafana:master Apr 22, 2022
@smuda smuda deleted the bugfix/CVE-2022-27191 branch April 22, 2022 06:38
@NissesSenap
Copy link
Collaborator

@smuda if I remember correctly it's when you create the PR. You will get a question if you want to allow mainatinters update things. We will be able to jump in and update the branch of the fork to help with things like this.

@NissesSenap
Copy link
Collaborator

@smuda I looked at your PR again, you are coming you have forked the repo with another organization. And I guess from a security point of view GitHub don't allow maintainers update other organization branches. But if you would run the fork from your user and not the organizations then it would be possible.

But it's not a big issue from our side but good for you to know and especially since we enforce latest commit to be in the PR so from time to time you might have to go in and update your PR:s.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants