Skip to content

Upgrade containerd and image-spec for the vulnerabilities #662

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Dec 9, 2021
Merged

Upgrade containerd and image-spec for the vulnerabilities #662

merged 3 commits into from
Dec 9, 2021

Conversation

mopp
Copy link
Contributor

@mopp mopp commented Dec 7, 2021

Background

We have used migrate in our applications and configured Dependabot alerts by GitHub.
It notified us that containerd and image-spec had vulnerabilities. But we don't use them directly.
Then, I created this PR to upgrade.

I am not sure how migrate use them 🙏

mopp
mopp commented Dec 7, 2021
View reviewed changes
go.mod Outdated
github.com/cockroachdb/cockroach-go/v2 v2.1.1
github.com/containerd/containerd v1.5.8 // indirect
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See https://github.com/containerd/containerd/releases/tag/v1.5.8

mopp
mopp commented Dec 7, 2021
View reviewed changes
go.mod Outdated
@@ -40,6 +41,7 @@ require (
github.com/mutecomm/go-sqlcipher/v4 v4.4.0
github.com/nakagami/firebirdsql v0.0.0-20190310045651-3c02a58cfed8
github.com/neo4j/neo4j-go-driver v1.8.1-0.20200803113522-b626aa943eba
github.com/opencontainers/image-spec v1.0.2 // indirect
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See https://github.com/opencontainers/image-spec/releases/tag/v1.0.2

mopp
mopp commented Dec 7, 2021
View reviewed changes
go.mod
@@ -9,8 +9,9 @@ require (
github.com/apache/arrow/go/arrow v0.0.0-20211013220434-5962184e7a30 // indirect
github.com/aws/aws-sdk-go v1.17.7
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.5.4 // indirect
github.com/cenkalti/backoff/v4 v4.0.2
github.com/cenkalti/backoff/v4 v4.1.1
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See cenkalti/backoff@v4.0.2...v4.1.1

@coveralls
Copy link

coveralls commented Dec 7, 2021
edited
Loading

Pull Request Test Coverage Report for Build 1553106903

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 12 unchanged lines in 1 file lost coverage.
  • Overall coverage increased (+0.06%) to 57.8%
Files with Coverage Reduction New Missed Lines %
source/migration.go 12 13.64%
Totals Coverage Status
Change from base Build 1497266502: 0.06%
Covered Lines: 3731
Relevant Lines: 6455
💛 - Coveralls

@dhui
Copy link
Member

dhui commented Dec 8, 2021

My guess is that these dependencies are via dktest but there may be other packages that depend on these packages as well. I'm not too concerned about these from a security perspective since these packages should only be used when tests are running, so you shouldn't be vulnerable via migrate unless you're running the migrate tests. Nonetheless, we'll make sure this is fixed in the next release.

@dhui
Copy link
Member

dhui commented Dec 8, 2021

Could you try updating dktest to v0.3.8 and run go mod tidy to see if that fixes the issue?

@mopp
Copy link
Contributor Author

mopp commented Dec 8, 2021

Thanks for your comment.
Ah, I misunderstood. These libraries are also indirect dependencies from migrate.
Please check the commit
9975d48

Yes, I know that migrate uses them in the test only. But the Dependabot alerts by GitHub does not regard that unfortunately and just send us vulnerability alert 😢 So the reason why I sent this PR is just to suppress the alert in our repository.

Thanks.

mopp
mopp commented Dec 8, 2021
View reviewed changes
go.mod
github.com/cockroachdb/cockroach-go/v2 v2.1.1
github.com/cznic/mathutil v0.0.0-20180504122225-ca4c9f2c1369 // indirect
github.com/denisenkom/go-mssqldb v0.10.0
github.com/dhui/dktest v0.3.7
github.com/dhui/dktest v0.3.8
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See https://github.com/dhui/dktest/releases/tag/v0.3.8

@dhui dhui merged commit 918e13a into golang-migrate:master Dec 9, 2021
@mopp mopp deleted the upgrade_containerd branch December 10, 2021 02:23
@xrn
Copy link

xrn commented Dec 17, 2021

@dhui any chance for a new release with these changes?

@Tarang
Copy link

Tarang commented Jan 28, 2022

Any chance this can be put into release?

@maknahar
Copy link
Contributor

Any Idea when this change can be released?

@xrn
Copy link

xrn commented Mar 15, 2022

@dhui ?

@dhui
Copy link
Member

dhui commented Mar 17, 2022

I just updated dktest to v0.3.10 in migrate (master branch) which should fix known security issues and appease the security vulnerability scanners. If you'd also like to quiet your vulnerability scanners, use the master branch until the next release is cut. Although the master branch is not stable, any issues caused by recent changes (e.g. PR merges) will be promptly addressed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dhui dhui dhui approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@mopp @coveralls @dhui @xrn @Tarang @maknahar