
chore: resolve protoc-gen-go-grpc vulnerability #3267

Merged
merged 4 commits into from Apr 26, 2024

Conversation

shahar-h
Contributor

What this PR does / why we need it:
Use a temporary replace directive to resolve the google.golang.org/protobuf vulnerability in google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0.
This will be removed once a new release is available (see related issue).

image

Which issue(s) this PR fixes:

Fixes #

@shahar-h shahar-h requested a review from a team as a code owner April 24, 2024 19:52
Signed-off-by: Shahar Harari <shahar.harari@sap.com>
@@ -5,3 +5,8 @@ go 1.22.2
require google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0

require google.golang.org/protobuf v1.28.1 // indirect

// Resolve GHSA-8r3f-844c-mc37.
// This is a temporary fix until the next release of google.golang.org/grpc/cmd/protoc-gen-go-grpc.
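Review bot: The comment records why the override exists but not what it pins or when it can go: the hunk header `@@ -5,3 +5,8 @@` announces five added lines, yet only the two comment lines are visible in this rendering, so the `replace` line the comment refers to is cut off, and the comment names neither the protobuf version being pinned nor the issue that tracks removing it. Suggest `// Resolve GHSA-8r3f-844c-mc37: pin google.golang.org/protobuf to the fixed version until the next protoc-gen-go-grpc release (tracking issue: <link>).` so the override can be audited and retired without re-reading the advisory.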
Contributor


Shouldn't a manual go get fix this?

Contributor Author


Yes, once a new google.golang.org/grpc/cmd/protoc-gen-go-grpc version is available.

@shahar-h
Contributor Author

/retest

@arkodg
Contributor

arkodg commented Apr 24, 2024

here's what I was suggesting

$ cd tools/src/protoc-gen-go-grpc
$ go get google.golang.org/protobuf@v1.33.0
go: upgraded google.golang.org/protobuf v1.28.1 => v1.33.0
$ go mod tidy
go: downloading github.com/google/go-cmp v0.5.5
go: downloading golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
$ git diff
diff --git a/tools/src/protoc-gen-go-grpc/go.mod b/tools/src/protoc-gen-go-grpc/go.mod
index 77ab0f34..df13e99f 100644
--- a/tools/src/protoc-gen-go-grpc/go.mod
+++ b/tools/src/protoc-gen-go-grpc/go.mod
@@ -4,4 +4,4 @@ go 1.22.2
 
 require google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0
 
-require google.golang.org/protobuf v1.28.1 // indirect
+require google.golang.org/protobuf v1.33.0 // indirect
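Review bot: The raised line keeps `// indirect` on google.golang.org/protobuf while deliberately selecting a version above what protoc-gen-go-grpc v1.3.0 asks for, with nothing in the file recording why; `go mod tidy` will keep the raised version (the selected version is never lowered), but the next person to touch this go.mod has no trail back to the advisory. Suggest annotating the line, e.g. `require google.golang.org/protobuf v1.33.0 // indirect; raised for GHSA-8r3f-844c-mc37`, which keeps the reason visible without adding a replace directive that has to be reverted later.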
diff --git a/tools/src/protoc-gen-go-grpc/go.sum b/tools/src/protoc-gen-go-grpc/go.sum
index 8d750cf2..310db113 100644
--- a/tools/src/protoc-gen-go-grpc/go.sum
+++ b/tools/src/protoc-gen-go-grpc/go.sum
@@ -1,10 +1,8 @@
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0 h1:rNBFJjBCOgVr9pWD7rs/knKL4FRTKgpZmsRfV214zcA=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0/go.mod h1:Dk1tviKTvMCz5tvh7t+fh94dhmQVHuCt2OzJB3CTW9Y=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
-google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
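Review bot: The new `h1:` entries for google.golang.org/protobuf v1.33.0 were pasted from a local `go get` / `go mod tidy` run rather than generated by the PR's own commit, so the merged go.sum should come from a fresh `go mod tidy` in the branch and be exercised by a clean CI build with an empty module cache, which fails on a checksum mismatch if any pasted hash were wrong. Dropping the `/go.mod` lines for github.com/golang/protobuf v1.5.0 and google.golang.org/protobuf v1.26.0-rc.1 is the expected result of tidy once nothing in the graph references those versions.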

@shahar-h
Contributor Author

go get google.golang.org/protobuf@v1.33.0

This would also work but IMO using a replace directive is cleaner and more clear as you can see the original version and add a comment above the version override.
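The two ways of overriding the transitive dependency version discussed in this thread, as an added example that is not part of the PR or the repository: a stdlib-only Go program that reads a go.mod and reports both the required version of google.golang.org/protobuf and the version the build actually selects (the replace target when one is present), then checks it against the v1.33.0 the thread upgrades to. Both go.mod texts are constructed for the example, and the parser only handles single-line directives.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod texts (assumed, not the repo's files): replace override vs. raised require.
const goModReplace = `require google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0
require google.golang.org/protobuf v1.28.1 // indirect
// Resolve GHSA-8r3f-844c-mc37 until protoc-gen-go-grpc ships a new release.
replace google.golang.org/protobuf => google.golang.org/protobuf v1.33.0
`
const goModGoGet = `require google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0
require google.golang.org/protobuf v1.33.0 // indirect
`

// EffectiveVersion returns the version of mod in a single-line require and the one the
// build selects (the replace target if present). Block "require (" syntax is not parsed.
func EffectiveVersion(goMod, mod string) (required, effective string) {
	for _, line := range strings.Split(goMod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // comments never affect resolution
		}
		f := strings.Fields(line)
		switch {
		case len(f) >= 3 && f[0] == "require" && f[1] == mod:
			required = f[2]
		case len(f) >= 5 && f[0] == "replace" && f[1] == mod && f[2] == "=>":
			effective = f[4] // "replace M => M vX.Y.Z"
		}
	}
	if effective == "" {
		effective = required
	}
	return required, effective
}

// AtLeast reports v >= min on major.minor.patch (Sscanf stops at a "-rc" suffix, so it is ignored).
func AtLeast(v, min string) bool {
	var a, b [3]int
	fmt.Sscanf(v, "v%d.%d.%d", &a[0], &a[1], &a[2])
	fmt.Sscanf(min, "v%d.%d.%d", &b[0], &b[1], &b[2])
	for i := range a {
		if a[i] != b[i] {
			return a[i] > b[i]
		}
	}
	return true
}
```

A scanner that reads only the require line still sees v1.28.1 for the replace variant, which is why EffectiveVersion reads both directives before calling AtLeast.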

@shahar-h
Contributor Author

/retest

@arkodg
Contributor

arkodg commented Apr 24, 2024

go get google.golang.org/protobuf@v1.33.0

This would also work but IMO using a replace directive is cleaner and more clear as you can see the original version and add a comment above the version override.

It also introduces tech debt of reverting the replace in the future

@arkodg
Contributor

arkodg commented Apr 24, 2024

here's what dependabot raised #3270

Signed-off-by: Shahar Harari <shahar.harari@sap.com>
@shahar-h
Contributor Author

shahar-h commented Apr 25, 2024

Fixed, you can merge either this one or #3270

@shahar-h
Contributor Author

/retest

@arkodg arkodg requested review from a team April 25, 2024 19:00
@zirain zirain merged commit 6407e82 into envoyproxy:main Apr 26, 2024
20 checks passed
@shahar-h shahar-h deleted the GHSA-8r3f-844c-mc37 branch April 26, 2024 04:06