Fixing CVE issues by bumping GO and Text versions. #173
go.sum
Outdated
@@ -25,14 +25,11 @@ golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLL | |||
golang.org/x/net v0.0.0-20210716203947-853a461950ff h1:j2EK/QoxYNBsXI4R7fQkkRUk8y6wnOBI+6hgPdP/6Ds= |
This file is auto-generated.
@@ -1,15 +1,23 @@ | |||
module github.com/aws/aws-xray-daemon |
I changed the GO and golang.org/x/text version manually. The other changes were auto-generated by go mod tidy. That includes the additional require block.
@@ -1,15 +1,23 @@ | |||
module github.com/aws/aws-xray-daemon | |||
|
|||
go 1.16 | |||
go 1.18 |
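Review bot: the step from go 1.16 to go 1.18 in this hunk crosses Go 1.17, the release from which go mod tidy lists indirect dependencies in go.mod in a require block of their own, and that is consistent with the file growing from 15 to 23 lines in the @@ -1,15 +1,23 @@ header. Please say so in the commit message, so the extra block is read as tidy output and not as newly added dependencies.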
In order to affect the version of Golang used in the Docker images, we need to update the version of the Golang base image in the Dockerfiles:
- https://github.com/aws/aws-xray-daemon/blob/master/Dockerfile.amazonlinux#L2
- https://github.com/aws/aws-xray-daemon/blob/master/Dockerfile#L2
And we should bump the version of Go we use in the CI/CD too probably, e.g.
go-version: '^1.16.6'
Good catch. That was off my radar.
go.mod
Outdated
golang.org/x/net v0.0.0-20210716203947-853a461950ff | ||
golang.org/x/sys v0.0.0-20210423082822-04245dca01da |
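Review bot: golang.org/x/net and golang.org/x/sys on these two lines are still pinned by pseudo-version to commits dated 2021-07-16 and 2021-04-23, so a change meant to clear CVE findings leaves two other golang.org/x modules at their old revisions. Suggest bumping both in this PR and rerunning go mod tidy so that go.sum is regenerated to match.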
Can we bump the net and sys packages to latest as well?
Done
Updating the Go version
lgtm thanks!
Issue #, if available:
Internally tracked
Description of changes:
Bumping GO to version 1.18.
Bumping golang.org/x/text to v0.3.7
Bumping golang.org/x/net to v0.0.0-20220809184613-07c6da5e1ced
Bumping golang.org/x/sys to v0.0.0-20220808155132-1c4a2a72c664
Testing
Ran 'make test'.
Ran the code in Docker. Validated that the container was running.
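The review comment above about the Dockerfiles and CI comes down to keeping three declarations of the Go version in step. As an added example (not code from this PR or from the aws-xray-daemon project), the Go program below compares the go directive in go.mod with the golang base-image tag and the CI go-version value; the Dockerfile line and the workflow path are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Where each kind of file declares its Go version (major.minor is captured).
var (
	goModRe = regexp.MustCompile(`(?m)^go\s+(\d+\.\d+)`)
	imageRe = regexp.MustCompile(`(?mi)^FROM\s+(?:\S+/)?golang:(\d+\.\d+)`)
	ciRe    = regexp.MustCompile(`(?m)go-version:\s*['"]?[\^~]?(\d+\.\d+)`)
)

// File is one build input: its path, its content, and the pattern that finds its Go version.
type File struct {
	Path, Text string
	Re         *regexp.Regexp
}

// Drift reports every file whose Go version is missing or differs from go.mod's go directive.
func Drift(goMod string, files []File) (out []string) {
	m := goModRe.FindStringSubmatch(goMod)
	if m == nil {
		return []string{"go.mod: no go directive"}
	}
	for _, f := range files {
		got := "none"
		if v := f.Re.FindStringSubmatch(f.Text); v != nil {
			got = v[1]
		}
		if got != m[1] {
			out = append(out, fmt.Sprintf("%s: go %s, go.mod says %s", f.Path, got, m[1]))
		}
	}
	return out
}

func main() {
	// Constructed inputs: go.mod as this PR leaves it, build files not yet updated.
	goMod := "module github.com/aws/aws-xray-daemon\n\ngo 1.18\n"
	files := []File{
		{"Dockerfile", "# constructed sample\nFROM golang:1.16-alpine AS build\n", imageRe},
		{".github/workflows/ci.yml", "    go-version: '^1.16.6'\n", ciRe}, // hypothetical path
	}
	for _, finding := range Drift(goMod, files) {
		fmt.Println(finding)
	}
}
```

Run as a CI step, a non-empty result can fail the build before an image is published with an older toolchain than go.mod declares.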