[Bug]: Resolve High CVEs #123

sonrai-doyle · 2023-01-24T20:02:11Z

What happened?

We currently use the jaeger-clickhouse image and our security team has flagged it as being impacted by two HIGH CVEs

To resolve these CVEs the following packages need to be updated to a minimum version of:

golang.org/x/net - 0.1.1-0.20221104162952-702349b0e862
golang.org/x/text - 0.3.8

We prefer to have the packages fixed upstream to ensure that everyone can benefit from the updates.

Steps to reproduce

Using a vulnerability scanners (e.g. aqua/trivy) scan the jaeger-clickhouse image

trivy image jaeger-clickhouse:0.13.0

Expected behavior

No vulnerabilities listed.

Relevant log output

No response

Screenshot

No response

Additional context

No response

Jaeger backend version

No response

SDK

No response

Pipeline

No response

Stogage backend

No response

Operating system

No response

Deployment model

No response

Deployment configs

No response

The text was updated successfully, but these errors were encountered:

sonrai-doyle added the bug Something isn't working label Jan 24, 2023

sonrai-doyle changed the title ~~[Bug]:~~ [Bug]: Resolve High CVEs Jan 24, 2023

sonrai-doyle linked a pull request Jan 24, 2023 that will close this issue

Update x/net and x/text dependencies #124

Open

DarkWanderer mentioned this issue Mar 8, 2023

Enable dependabot integration #127

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug]: Resolve High CVEs #123

[Bug]: Resolve High CVEs #123

sonrai-doyle commented Jan 24, 2023

[Bug]: Resolve High CVEs #123

[Bug]: Resolve High CVEs #123

Comments

sonrai-doyle commented Jan 24, 2023

What happened?

Steps to reproduce

Expected behavior

Relevant log output

Screenshot

Additional context

Jaeger backend version

SDK

Pipeline

Stogage backend

Operating system

Deployment model

Deployment configs