Skip to content

Update prometheus-common dependency to address CVE #454

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 29, 2024
Merged

Update prometheus-common dependency to address CVE #454

merged 1 commit into from
Jan 29, 2024

Conversation

Fiona-Waters
Copy link
Contributor

@Fiona-Waters Fiona-Waters commented Jan 26, 2024
edited
Loading

Issue link

https://issues.redhat.com/browse/RHOAIENG-1311

What changes have been made

This PR will address a Medium level CVE:

Introduced through: golang.org/x/crypto@v0.14.0, golang.org/x/net@v0.17.0 and others.
Fixed in: golang.org/x/crypto@0.17.0

In order to update this indirect dependency I updated prometheus-common dependency to v.0.46.0 which uses crypto v.0.18.0.

Verification steps

E2E tests passing successfully will suffice.

Checks

  • I've made sure the tests are passing.
  • Testing Strategy
    • Unit tests
    • Manual tests
    • Testing is not required for this change

ChristianZaccaria
ChristianZaccaria suggested changes Jan 26, 2024
View reviewed changes
Copy link
Contributor

@ChristianZaccaria ChristianZaccaria left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You got the right idea! But, usually, when an upgrade adds/removes a lot of dependencies (direct, indirect or transitive) it is best to verify that no new CVEs were introduced in the process.

I have Snyk setup in my own org to scan my own forked repositories on PRs made, for scenarios that include lots of changes. I made a PR in my fork with this fix, which show that the CVE was effectively fixed, but a new one was introduced: ChristianZaccaria#7

I think we could look into golang.org/x/net@v0.17.0 as it was also introduced through that one, perhaps changes are less involved there.

@Fiona-Waters Fiona-Waters changed the title Update ocm-sdk dependency to address CVE Update prometheus-common dependency to address CVE Jan 26, 2024
ChristianZaccaria
ChristianZaccaria approved these changes Jan 26, 2024
View reviewed changes
Copy link
Contributor

@ChristianZaccaria ChristianZaccaria left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm great work!

@openshift-ci openshift-ci bot added the lgtm label Jan 26, 2024
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jan 29, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ChristianZaccaria, sutaakar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit f52d75d into project-codeflare:main Jan 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sutaakar sutaakar sutaakar approved these changes

@ChristianZaccaria ChristianZaccaria ChristianZaccaria approved these changes

@dimakis dimakis Awaiting requested review from dimakis

Assignees

@sutaakar sutaakar

@ChristianZaccaria ChristianZaccaria

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Fiona-Waters @sutaakar @ChristianZaccaria