
[Bug]: vulnerabilities with older image versions for golang libraries in milvus #34434

Closed
1 task done
kdabbir opened this issue Jul 4, 2024 · 3 comments · Fixed by #34462
Labels: kind/bug (Issues or changes related a bug), triage/accepted (Indicates an issue or PR is ready to be actively worked on.)

Comments

kdabbir commented Jul 4, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Environment

- Milvus version: 2.4.5
- Deployment mode(standalone or cluster): cluster
- MQ type(rocksmq, pulsar or kafka):  kafka hosted on AWS
- SDK version(e.g. pymilvus v2.0.0rc2): 2.4.5

Current Behavior

Hi team,
Our code scanner is detecting multiple vulnerabilities in the below images in the milvus image; can we get these versions upgraded? I've linked the current version and fix version for reference in the image paths.

  1. golang:go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
    Current version: v0.38.0
    Fix version: v0.46.0
  2. golang:google.golang.org/protobuf/internal/encoding/json
    Current version: v1.31.0
    Fix version: v1.33.0
  3. golang:github.com/nats-io/nkeys
    Current version: v0.4.4
    Fix version: v0.4.6
  4. golang:github.com/dvsekhvalnov/jose2go
    Current version: v1.5.0
    Fix version: v1.5.1-0.20231206184617-48ba0b76bc88
  5. golang:golang.org/x/net/http2
    Current version: v0.17.0
    Fix version: v0.23.0
  6. golang:google.golang.org/protobuf/encoding/protojson
    Current version: v1.31.0
    Fix version: v1.33.0
  7. golang:google.golang.org/grpc
    Current version: v1.54.0
    Fix version: v1.56.3

Thanks.

Expected Behavior

No response

Steps To Reproduce

No response

Milvus Log

No response

Anything else?

No response
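To check a build against the versions listed in this issue, here is an added example (not code from the Milvus project): it parses `go list -m all` output and flags every module still below the fix version reported above, ordering the jose2go pseudo-version as the pre-release it is. Mapping the reported protobuf and x/net packages to their parent modules is my assumption, and the sample list is constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Fix versions from the issue, keyed by module path (protobuf and x/net packages sit in those parent modules).
var fixVersions = map[string]string{
	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc": "v0.46.0",
	"google.golang.org/protobuf":      "v1.33.0",
	"github.com/nats-io/nkeys":        "v0.4.6",
	"github.com/dvsekhvalnov/jose2go": "v1.5.1-0.20231206184617-48ba0b76bc88",
	"golang.org/x/net":                "v0.23.0",
	"google.golang.org/grpc":          "v1.56.3",
}
// Constructed `go list -m all` excerpt (not a real Milvus build); nkeys is already at its fix version.
const sampleGoList = `github.com/dvsekhvalnov/jose2go v1.5.0
github.com/nats-io/nkeys v0.4.6
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.38.0
google.golang.org/protobuf v1.31.0`

// versionKey maps vMAJOR.MINOR.PATCH[-PRERELEASE] to a string whose plain ordering matches
// Go's: numeric parts zero-padded, bare release suffixed "~" so it outranks any pre-release.
func versionKey(v string) string {
	core, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var key string
	for _, p := range strings.SplitN(core+"..", ".", 4)[:3] {
		n, _ := strconv.Atoi(p)
		key += fmt.Sprintf("%010d.", n)
	}
	if pre == "" {
		return key + "~" // a pseudo-version such as the jose2go fix is a pre-release, so it sorts below here
	}
	return key + pre
}
// outdatedModules reads `go list -m all` lines ("path version [=> replacement]") and
// returns "path current -> fix" for each module still below its fix version.
func outdatedModules(goList string) []string {
	var out []string
	for _, line := range strings.Split(goList, "\n") {
		path, rest, _ := strings.Cut(line, " ")
		ver, _, _ := strings.Cut(rest, " ")
		if fix, ok := fixVersions[path]; ok && versionKey(ver) < versionKey(fix) {
			out = append(out, path+" "+ver+" -> "+fix)
		}
	}
	return out
}
```

Run it against the real output of `go list -m all` in the module you build the image from; a module that is already at or above the fix version, like nkeys in the sample, produces no line.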

@kdabbir kdabbir added kind/bug Issues or changes related a bug needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jul 4, 2024
yanliang567 (Contributor) commented

/assign @xiaofan-luan
please help to have someone take a look
/unassign

@yanliang567 yanliang567 added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jul 5, 2024
SimFG (Contributor) commented Jul 5, 2024

It seems that these versions can be upgraded, but it may still need to be evaluated whether there are compatibility issues. Can you share the code scanner tool?

kdabbir (Author) commented Jul 5, 2024

@SimFG Attached the CVE vulnerability name screenshot against each of the above libraries. The code scanner is similar to a SonarQube scanner; we don't have public access to that tool, so attaching the screenshots.
sre-ci-robot pushed a commit that referenced this issue Jul 16, 2024
fix #34434 and #34456
upgrade otelgrpc to fix CVE

Signed-off-by: xiaofanluan <xiaofan.luan@zilliz.com>