Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixed: vulnerabilities scanned with govulncheck #2841

Merged
merged 2 commits into from
Dec 9, 2022

Conversation

aimuz
Copy link
Collaborator

@aimuz aimuz commented Dec 2, 2022

Signed-off-by: aimuz [email protected]

What type of PR is this?

Uncomment only one /kind <> line, press enter to put that in a new line, and remove leading whitespace from that line:

/kind breaking
/kind bug
/kind cleanup
/kind documentation
/kind feature
/kind hotfix

/kind bug

What this PR does / Why we need it:

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.

=== Informational ===

The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-0969
  HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.
  Found in: golang.org/x/net/[email protected]
  Fixed in: golang.org/x/net/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0969

Vulnerability #2: GO-2022-0493
  When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.
  Found in: golang.org/x/sys/[email protected]
  Fixed in: golang.org/x/sys/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0493

Vulnerability #3: GO-2022-0322
  The Prometheus client_golang HTTP server is vulnerable to a denial of service attack when handling requests with non-standard HTTP methods.

  In order to be affected, an instrumented software must use any of the promhttp.InstrumentHandler* middleware except `RequestsInFlight`; not filter any specific methods (e.g GET) before middleware; pass a metric with a "method" label name to a middleware; and not have any firewall/LB/proxy that filters away requests with unknown "method".
  Found in: github.com/prometheus/client_golang/prometheus/[email protected]
  Fixed in: github.com/prometheus/client_golang/prometheus/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0322

Which issue(s) this PR fixes:

Closes #

Special notes for your reviewer:

@agones-bot
Copy link
Collaborator

Build Failed 😱

Build Id: ee6176cd-0ef3-445d-bb66-b209019d404f

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

@aimuz aimuz force-pushed the fix-with-govulncheck branch from e29dfbb to 0f1608c Compare December 2, 2022 08:41
@agones-bot
Copy link
Collaborator

Build Succeeded 👏

Build Id: 48224202-2aa2-405b-8098-a3ca112ea5ab

The following development artifacts have been built, and will exist for the next 30 days:

A preview of the website (the last 30 builds are retained):

To install this version:

  • git fetch https://github.com/googleforgames/agones.git pull/2841/head:pr_2841 && git checkout pr_2841
  • helm install agones ./install/helm/agones --namespace agones-system --set agones.image.tag=1.28.0-0f1608c-amd64

@zmerlynn zmerlynn self-assigned this Dec 2, 2022
@zmerlynn
Copy link
Collaborator

zmerlynn commented Dec 2, 2022

Should we add govulncheck to CI? (Though I guess that would make it non-hermetic.)

@zmerlynn
Copy link
Collaborator

zmerlynn commented Dec 2, 2022

This LGTM, and I would be inclined to take it even in feature freeze, but (a) nothing in that list seems uber critical, and (b) the large number of vendored code changes makes me inclined to let this bake. So, approved, but after freeze.

@zmerlynn zmerlynn added the feature-freeze-do-not-merge Only eligible to be merged once we are out of feature freeze (next full release) label Dec 2, 2022
@markmandel
Copy link
Member

Should we add govulncheck to CI? (Though I guess that would make it non-hermetic.)

I looked for a tool like this ages ago - I'd love to see it in CI! But let's file a big and take through it 👍🏻

@roberthbailey
Copy link
Member

FYI, this is likely to have conflicts with #2786 since they are both touching the protobuf dependency so we should figure out which one to merge first after the release freeze is lifted.

@aimuz
Copy link
Collaborator Author

aimuz commented Dec 3, 2022

@roberthbailey I don't care which one is merged first, if there is a conflict, I will solve it. 😀

@mangalpalli mangalpalli removed the feature-freeze-do-not-merge Only eligible to be merged once we are out of feature freeze (next full release) label Dec 7, 2022
@markmandel
Copy link
Member

That's a lot of conflicts 😨

But yeah - if we can get those cleaned up, this should be good to go 👍🏻

@aimuz aimuz force-pushed the fix-with-govulncheck branch from 0f1608c to 480e01d Compare December 9, 2022 01:59
@aimuz
Copy link
Collaborator Author

aimuz commented Dec 9, 2022

Yes, I resolved the conflict

@markmandel
Copy link
Member

Thank you!

@agones-bot
Copy link
Collaborator

Build Succeeded 👏

Build Id: 9446c066-9608-452d-a0d2-3273900f6587

The following development artifacts have been built, and will exist for the next 30 days:

A preview of the website (the last 30 builds are retained):

To install this version:

  • git fetch https://github.com/googleforgames/agones.git pull/2841/head:pr_2841 && git checkout pr_2841
  • helm install agones ./install/helm/agones --namespace agones-system --set agones.image.tag=1.29.0-480e01d-amd64

@google-oss-prow
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aimuz, roberthbailey

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@roberthbailey roberthbailey enabled auto-merge (squash) December 9, 2022 05:26
@agones-bot
Copy link
Collaborator

Build Succeeded 👏

Build Id: 048f2f57-bdd7-4273-aa06-67a9473fe9e0

The following development artifacts have been built, and will exist for the next 30 days:

A preview of the website (the last 30 builds are retained):

To install this version:

  • git fetch https://github.com/googleforgames/agones.git pull/2841/head:pr_2841 && git checkout pr_2841
  • helm install agones ./install/helm/agones --namespace agones-system --set agones.image.tag=1.29.0-4f10676-amd64

@roberthbailey roberthbailey merged commit 3dec30e into googleforgames:main Dec 9, 2022
@aimuz aimuz deleted the fix-with-govulncheck branch December 9, 2022 06:10
chiayi pushed a commit to chiayi/agones that referenced this pull request Dec 13, 2022
@Kalaiselvi84 Kalaiselvi84 added this to the 1.29.0 milestone Jan 17, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants