
Private tokens could appear in logs if context containing gRPC metadata is logged #97

Open
strausmann opened this issue Sep 10, 2024 · 5 comments

Comments

@strausmann
Contributor

I get this CVE reported by Docker Scout for itzg/mc-monitor.
Unfortunately, I can't find the place in the code to submit a PR.

LOW: GHSA-xr7q-jx4m-x55m


grpc/grpc-go@ab29241

Can we fix that?

@itzg
Owner

itzg commented Sep 10, 2024

Seems like it would be the indirect dependency here:

google.golang.org/grpc v1.64.0 // indirect

I would have expected dependabot to already be addressing that on the next round.

Are you really wanting to chase down all these low priority CVEs? I know I don't really care to.

@strausmann
Contributor Author

No, not necessarily. It's just a nice-to-have.

@vitorvasc
Contributor

Hey.

Not sure if there is any other dependency that pulls in gRPC, but in general it should come from OpenTelemetry. Updating the dependencies to v1.29.0 should do the trick!

https://github.com/open-telemetry/opentelemetry-go/releases

https://github.com/itzg/mc-monitor/blob/3c931ec973e78ac576395043a27cd7f917f93ee4/go.mod

	go.opentelemetry.io/otel v1.29.0
	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.29.0
	go.opentelemetry.io/otel/metric v1.29.0
	go.opentelemetry.io/otel/sdk/metric v1.29.0
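The check behind this comment, written out as an added example (this is not code from the mc-monitor project or from anyone in the thread): read the module versions out of a go.mod, compare the resolved google.golang.org/grpc version against a minimum patched version, and, if it is still below that minimum, print the `go get` bump of the four OpenTelemetry modules named above plus `go mod tidy`. The go.mod content is a constructed sample that mirrors the versions quoted in this issue (gRPC v1.64.0 as an indirect dependency); the minimum patched version passed to the checker is an assumed illustrative threshold, not taken from the advisory, so substitute the one GHSA-xr7q-jx4m-x55m actually names.

```shell
#!/bin/sh
# Constructed sample go.mod: the "before" state of a project that pulls in
# gRPC only transitively through OpenTelemetry (versions here are illustrative).
SAMPLE_GOMOD='module example.com/mc-monitor-sample

go 1.22

require (
	go.opentelemetry.io/otel v1.28.0
	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.28.0
	google.golang.org/grpc v1.64.0 // indirect
)'

# module_version GOMOD_CONTENT MODULE_PATH
# Prints the version recorded for MODULE_PATH, whether it sits inside a
# "require ( ... )" block or on a single-line "require" directive.
# Trailing "// indirect" comments are ignored; "replace" directives are not
# consulted, so a replaced module still reports its require version.
module_version() {
  printf '%s\n' "$1" | awk -v mod="$2" '
    $1 == mod                      { print $2; exit }
    $1 == "require" && $2 == mod   { print $3; exit }'
}

# version_ge A B  ->  exit 0 if A >= B (numeric MAJOR.MINOR.PATCH comparison,
# leading "v" stripped, pre-release suffixes ignored).
version_ge() {
  awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# check_min_version GOMOD_CONTENT MODULE_PATH MIN_FIXED_VERSION
# Exit codes: 0 = at or above the patched version, 1 = still below it,
#             2 = module not in go.mod at all (nothing to bump).
check_min_version() {
  v=$(module_version "$1" "$2")
  [ -n "$v" ] || return 2
  version_ge "$v" "$3"
}

# remediation_commands TARGET_OTEL_VERSION
# Prints the bump suggested in the thread: confirm which direct dependency
# drags gRPC in, move the OpenTelemetry modules to the target release, tidy,
# and re-read the resolved gRPC version.
remediation_commands() {
  cat <<EOF
go mod why -m google.golang.org/grpc
go get go.opentelemetry.io/otel@$1 \\
       go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc@$1 \\
       go.opentelemetry.io/otel/metric@$1 \\
       go.opentelemetry.io/otel/sdk/metric@$1
go mod tidy
go list -m google.golang.org/grpc
EOF
}

# Illustrative threshold (assumption, not the advisory's value): replace with
# the first gRPC release the advisory lists as patched.
MIN_FIXED_GRPC="v1.64.1"

if check_min_version "$SAMPLE_GOMOD" google.golang.org/grpc "$MIN_FIXED_GRPC"; then
  echo "google.golang.org/grpc is at or above $MIN_FIXED_GRPC; nothing to do"
else
  echo "google.golang.org/grpc $(module_version "$SAMPLE_GOMOD" google.golang.org/grpc) is below $MIN_FIXED_GRPC; suggested bump:"
  remediation_commands v1.29.0
fi
```

To run it against a real checkout, replace `SAMPLE_GOMOD` with `$(cat go.mod)`; the comparison deliberately reads the require directive rather than trusting the scanner output, so it can be re-run after `go mod tidy` to confirm the indirect dependency actually moved.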

@itzg
Owner

itzg commented Sep 11, 2024

Thanks @vitorvasc ! I'm actually curious if the weekly run of dependabot (on Mondays for this repo) will bump that anyway.

@strausmann
Contributor Author

Maybe try Renovate if Dependabot doesn't do something like this reliably; then Semantic Release for automatic publication with relevant code changes. 😁
