Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cluster-autoscaler: update otelgrpc to v0.46.0 for SVM #6279

Closed
grosser opened this issue Nov 15, 2023 · 10 comments
Closed

cluster-autoscaler: update otelgrpc to v0.46.0 for SVM #6279

grosser opened this issue Nov 15, 2023 · 10 comments
Labels
area/cluster-autoscaler area/core-autoscaler Denotes an issue that is related to the core autoscaler and is not specific to any provider. kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@grosser
Copy link
Contributor

grosser commented Nov 15, 2023
edited
Loading

https://nvd.nist.gov/vuln/detail/CVE-2023-47108

Which component are you using?:

cluster-autoscaler

What version of the component are you using?:

master

HIGH	CVE-2023-47108	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	0.45.0	0.46.0	GHSA-8pgv-569h-w5rw	COPY /go/autosc

updating to 0.45 works, but 0.46 breaks the build
@grosser grosser added the kind/bug Categorizes issue or PR as related to a bug. label Nov 15, 2023
@grosser
Copy link
Contributor Author

grosser commented Nov 15, 2023

this seems to do the trick:

go mod edit -replace go.opentelemetry.io/otel/metric=go.opentelemetry.io/otel/[email protected]
go mod edit -replace go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc=go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/[email protected]
go get go.opentelemetry.io/otel/exporters/otlp/otlptrace/[email protected]

@grosser grosser mentioned this issue Nov 15, 2023
Closed
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 13, 2024
@Shubham82
Copy link
Contributor

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 20, 2024
@m-barthelemy m-barthelemy mentioned this issue Mar 14, 2024
Closed
@gjtempleton
Copy link
Member

We're largely dependent on this being resolved upstream as it's a dependency we pull in when vendoring k/k: kubernetes/kubernetes#121842

In addition, my reading of this is that we're at low/no risk of it being exploited as we only use the UnaryServerInterceptor in the externalgrpc cloudprovider implementation, and we don't appear to have a metrics pipeline configured for it? Or am I missing something?

@grosser
Copy link
Contributor Author

grosser commented Mar 14, 2024

just our vuln scanner complaining and I would like to shut it up :D
... so yeah can wait until upstream fixes it, but would like to have it resolved eventually

@towca towca added area/cluster-autoscaler area/core-autoscaler Denotes an issue that is related to the core autoscaler and is not specific to any provider. labels Mar 21, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 19, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jul 19, 2024
@Shubham82
Copy link
Contributor

Shubham82 commented Jul 22, 2024
edited
Loading

The vulnerability CVE-2023-47108 is resolved now, related package otelgrpc is updated to v0.53.0. I checked the vulnerability for the k8s/autoscaler repository and there is no CVE-2023-47108 (used trivy for scanning)

autoscaler/cluster-autoscaler/go.mod

Line 171 in c8e4721

go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect

PR which resolved this issue: #7066

@Shubham82
Copy link
Contributor

closing this issue, please reopen if there is any concern.

/close

@k8s-ci-robot
Copy link
Contributor

@Shubham82: Closing this issue.

In response to this:

closing this issue, please reopen if there is any concern.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/cluster-autoscaler area/core-autoscaler Denotes an issue that is related to the core autoscaler and is not specific to any provider. kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

cluster-autoscaler: update for svm zendesk/autoscaler
6 participants
@grosser @gjtempleton @towca @k8s-ci-robot @Shubham82 @k8s-triage-robot