Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade indirect dependancy go-libp2p-core to v0.20.1 #1626

Merged
merged 1 commit into from
Dec 9, 2022
Merged

Upgrade indirect dependancy go-libp2p-core to v0.20.1 #1626

merged 1 commit into from
Dec 9, 2022

Conversation

bsalunke
Copy link
Contributor

@bsalunke bsalunke commented Dec 8, 2022

Upgrade indirect dependancy go-libp2p-core v0.8.6 to go-libp2p-core v0.20.1 to remove indirect dependacy of btcd module which is vulnerable to CVE-2022-44797

What is it fixing
Nerdctl has an indirect dependency module ("github.com/btcsuite/btcd v0.21.0-beta) having vulnerability reported https://nvd.nist.gov/vuln/detail/CVE-2022-44797.

As explained by @AkihiroSuda, it's false positive and nerdctl does not trigger the code path in any way to invoke "btcd" module. The fix provided was VEX set to eliminate #1571

However APIK some of the open source scanner does not support VEX as of today. e.g. aquasecurity/trivy#1836.

Fix
Upgrade indirect dependancy go-libp2p-core v0.8.6 to go-libp2p-core v0.20.1

Please let me know if more information needs to be added.

@bsalunke bsalunke mentioned this pull request Dec 8, 2022
Closed
@bsalunke bsalunke force-pushed the upgrade_indirect_dependancy_module_to_fix_fp_CVE-2022-44797 branch from d440049 to f0d8d90 Compare December 8, 2022 20:54
AkihiroSuda
AkihiroSuda reviewed Dec 8, 2022
View reviewed changes
go.mod Outdated
require (
github.com/AdaLogics/go-fuzz-headers v0.0.0-20221007124625-37f5449ff7df // indirect
github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20220912195655-e1f97a00006b // indirect
github.com/Microsoft/hcsshim v0.10.0-rc.1 // indirect
github.com/btcsuite/btcd v0.21.0-beta // indirect
// ↑The `github.com/btcsuite/btcd` line exists for the indirect dependency on `github.com/btcsuite/btcd/btcec` (secp256k1 elliptic curve cryptography library) via `github.com/ipfs/go-ipfs-http-client`.
// https://github.com/btcsuite/btcd/tree/master/btcec
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This note can be now dropped

Copy link
Contributor Author

@bsalunke bsalunke Dec 9, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@AkihiroSuda Updated PR to address review comment. Thanks!

AkihiroSuda
AkihiroSuda reviewed Dec 8, 2022
View reviewed changes
go.mod Outdated
@@ -58,11 +58,16 @@ require (
gotest.tools/v3 v3.4.0
)

require (
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to create another require()

@AkihiroSuda AkihiroSuda added this to the v1.1.0 milestone Dec 8, 2022
@AkihiroSuda AkihiroSuda added the area/ipfs IPFS label Dec 8, 2022
@AkihiroSuda AkihiroSuda mentioned this pull request Dec 9, 2022
Merged
@AkihiroSuda
Copy link
Member

Could you squash the commits? Then LGTM

@bsalunke bsalunke force-pushed the upgrade_indirect_dependancy_module_to_fix_fp_CVE-2022-44797 branch from f405a3e to 0bfc67f Compare December 9, 2022 05:10
@AkihiroSuda
Copy link
Member

Thanks, but please sign the commit for DCO
https://github.com/apps/dco

(run git commit -a -s --amend, and make sure that the Signed-off-by: NAME <EMAIL> line with your real name is included in the commit message)

@bsalunke
Upgrade indirect dependancy go-libp2p-core to v0.20.1
e2dbab5 
Signed-off-by: Balasaheb Salunke <bg.salunke09@gmail.com>
@bsalunke bsalunke force-pushed the upgrade_indirect_dependancy_module_to_fix_fp_CVE-2022-44797 branch from 0bfc67f to e2dbab5 Compare December 9, 2022 05:17
AkihiroSuda
AkihiroSuda approved these changes Dec 9, 2022
View reviewed changes
Copy link
Member

@AkihiroSuda AkihiroSuda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@bsalunke
Copy link
Contributor Author

bsalunke commented Dec 9, 2022

@AkihiroSuda Thank you for help. I see it's marked for v1.1.0. Any rough timeline for v1.1.0 release?

@AkihiroSuda
Copy link
Member

@AkihiroSuda Thank you for help. I see it's marked for v1.1.0. Any rough timeline for v1.1.0 release?

As soon as containerd/accelerated-container-image#155 (comment) is addressed

@AkihiroSuda AkihiroSuda merged commit c2c648c into containerd:main Dec 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees
No one assigned
Labels
area/ipfs IPFS
Projects
None yet
Milestone
v1.1.0
Development

Successfully merging this pull request may close these issues.
2 participants
@bsalunke @AkihiroSuda