Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resolve CVEs #514

Merged
merged 1 commit into from
Feb 23, 2023
Merged

Resolve CVEs #514

merged 1 commit into from
Feb 23, 2023

Conversation

deepakkinni
Copy link
Collaborator

@deepakkinni deepakkinni commented Feb 22, 2023
edited
Loading

What this PR does / why we need it:
Resolve multiple CVEs
CVE-2022-28948, CVE-2022-41717, CVE-2022-41721, CVE-2022-43551, CVE-2022-43552, CVE-2022-1304, CVE-2022-40303, CVE-2022-40304, CVE-2022-3996, CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0216, CVE-2023-0217, CVE-2023-0401, CVE-2022-46908

Which issue(s) this PR fixes:
Fixes # TKG-17459

Special notes for your reviewer:

docker run aquasec/trivy image harbor-repo.vmware.com/velero/velero-plugin-for-vsphere:up_vuln_v1-e7a5a5b-22.Feb.2023.13.00.57

harbor-repo.vmware.com/velero/velero-plugin-for-vsphere:up_vuln_v1-7e0a9be-22.Feb.2023.14.53.25 (photon 5.0)
============================================================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


backup-driver (gobinary)
========================
Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8911 │ MEDIUM   │ v1.44.207         │               │ aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto  │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8911                  │
│                           ├───────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                           │ CVE-2020-8912 │ LOW      │                   │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

data-manager-for-plugin (gobinary)
==================================
Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8911 │ MEDIUM   │ v1.44.207         │               │ aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto  │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8911                  │
│                           ├───────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                           │ CVE-2020-8912 │ LOW      │                   │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

plugins/velero-plugin-for-vsphere (gobinary)
============================================
Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8911 │ MEDIUM   │ v1.44.207         │               │ aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto  │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8911                  │
│                           ├───────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                           │ CVE-2020-8912 │ LOW      │                   │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Does this PR introduce a user-facing change?:

Update go mod to resolve CVE-2022-28948, CVE-2022-41717, CVE-2022-41721, CVE-2022-43551, CVE-2022-43552, 
CVE-2022-1304, CVE-2022-42898, CVE-2022-40303, CVE-2022-40304, CVE-2022-3996, CVE-2022-4203, 
CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0216, CVE-2023-0217, CVE-2023-0401, 
CVE-2022-46908

@svcbot-qecnsdp
Copy link

Sorry, some of the pre-check tests are failing for this PR !

Please check the Jenkins job for more details
https://container-dp.svc.eng.vmware.com/job/CNSDP-CI/788/

Resolve CVEs
282dd76 
Signed-off-by: Deepak Kinni <dkinni@vmware.com>
@svcbot-qecnsdp
Copy link

Sorry, some of the pre-check tests are failing for this PR !

Please check the Jenkins job for more details
https://container-dp.svc.eng.vmware.com/job/CNSDP-CI/789/

xing-yang
xing-yang approved these changes Feb 23, 2023
View reviewed changes
Copy link
Contributor

@xing-yang xing-yang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@deepakkinni deepakkinni merged commit 547797e into vmware-tanzu:main Feb 23, 2023
lipingxue pushed a commit to lipingxue/velero-plugin-for-vsphere that referenced this pull request May 19, 2023
@lipingxue
Resolve CVEs (vmware-tanzu#514)
06638ef 
Resolve multiple CVEs
CVE-2022-28948, CVE-2022-41717, CVE-2022-41721, CVE-2022-43551, CVE-2022-43552, CVE-2022-1304, CVE-2022-40303, CVE-2022-40304, CVE-2022-3996, CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0216, CVE-2023-0217, CVE-2023-0401, CVE-2022-46908

Signed-off-by: Deepak Kinni <dkinni@vmware.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xing-yang xing-yang xing-yang approved these changes

@xinyanw409 xinyanw409 xinyanw409 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@deepakkinni @svcbot-qecnsdp @xing-yang @xinyanw409