-
Notifications
You must be signed in to change notification settings - Fork 514
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
update core Go version in go.mod #495
Conversation
@dragonsinth Thank you. See if this works for you. Trivy appears to show this clears the outstanding vulns. |
sweet, thank you! |
What's your process to cut a release? |
@gpassini just released 1.9.2 |
Thank you so much! |
It still has some vulnerabilities, CVE-2024-24790 and CVE-2023-45285, which requires go upgrade to 1.21.11 |
Is there a plan to upgrade to 1.22 or 1.23? |
@fivetran-ashokborra Which scanner still detects these vulns in v1.9.2? I have tried Trivy and Grype and neither report these. |
@nycnewman Google's container scanning API |
@fivetran-ashokborra Just scanned grpcurl:1.9.2 docker image in Google Artifact scanner and it finds no vulnerabilities. 1.9.1 finds three. |
Could you use go version 1.21 (same as the one defined in go.mod) to build the binary and let me know what you see? |
@fivetran-ashokborra As requested, tested with 1.21 and it finds the following, which it also recommends usig 1.22 or 1.23 to resolve: ┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐ |
Interesting, these don't show up in our scanning results. I see the current go version defined is 1.21 in go.mod file of the latest code, how was the 1.9.2 binary built with 1.23? |
@fivetran-ashokborra, the |
hmm, I would have thought our release binaries would match our docker image in terms of toolchain... |
@dragonsinth, I think you may need an env var to force this make step to use a newer toolchain: https://github.com/fullstorydev/grpcurl/blob/master/Makefile#L33 Something like The issue is because releasing supports multiple platforms (including OS X of course) whereas Docker does not. So it uses a tool named |
One option to make them consistent would be to have the A possibly better option might be to move the Docker builds into goreleaser configs. Then the same Also, instead of using the |
Updates to fix identified CVEs in stdlib