cloud-logging-data-source-plugin
cloud-logging-data-source-plugin copied to clipboard
GoogleCloudPlatform
Bumping Golang to 1.22 and all the dependencies to fix CVE-2024-24790
Introduction
Hello there, I am Luis Redondo, I work as a Data Engineer in Cabify and we are heavy users of Google Cloud Platform in "all things Data" and also use Prometheus + Grafana for our observability stack.
Problem
We, as a company, host our own Grafana instances, and we wanted to install the cloud-logging-data-source-plugin to show logs of a series of running services. We have static checks for Security violations, and adding the plugin started to throw these errors:
var/lib/grafana/plugins/googlecloud-logging-datasource/gpx_gcp-logging_darwin_amd64 (gobinary)
==============================================================================================
Total: 1 (CRITICAL: 1)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2024-24790 │ CRITICAL │ fixed │ 1.22.1 │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│ │ │ │ │ │ │ IPv4-mapped IPv6 addresses │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24790 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
var/lib/grafana/plugins/googlecloud-logging-datasource/gpx_gcp-logging_darwin_arm64 (gobinary)
==============================================================================================
Total: 1 (CRITICAL: 1)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2024-24790 │ CRITICAL │ fixed │ 1.22.1 │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│ │ │ │ │ │ │ IPv4-mapped IPv6 addresses │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24790 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
var/lib/grafana/plugins/googlecloud-logging-datasource/gpx_gcp-logging_linux_amd64 (gobinary)
=============================================================================================
Total: 1 (CRITICAL: 1)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2024-24790 │ CRITICAL │ fixed │ 1.22.1 │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│ │ │ │ │ │ │ IPv4-mapped IPv6 addresses │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24790 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
var/lib/grafana/plugins/googlecloud-logging-datasource/gpx_gcp-logging_linux_arm (gobinary)
===========================================================================================
Total: 1 (CRITICAL: 1)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2024-24790 │ CRITICAL │ fixed │ 1.22.1 │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│ │ │ │ │ │ │ IPv4-mapped IPv6 addresses │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24790 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
var/lib/grafana/plugins/googlecloud-logging-datasource/gpx_gcp-logging_linux_arm64 (gobinary)
=============================================================================================
Total: 1 (CRITICAL: 1)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2024-24790 │ CRITICAL │ fixed │ 1.22.1 │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│ │ │ │ │ │ │ IPv4-mapped IPv6 addresses │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24790 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
var/lib/grafana/plugins/googlecloud-logging-datasource/gpx_gcp-logging_windows_amd64.exe (gobinary)
===================================================================================================
Total: 1 (CRITICAL: 1)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2024-24790 │ CRITICAL │ fixed │ 1.22.1 │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│ │ │ │ │ │ │ IPv4-mapped IPv6 addresses │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24790 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
It is basically repeated occurrences of the CVE-2024-24790.
Proposed solution
Since the vulnerability seems to have been fixed starting with Golang 1.22.4, I've updated the Golang version and all the Go dependencies.
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).
View this failed invocation of the CLA check for more information.
For the most up to date status, view the checks section at the bottom of the pull request.
![google-cla[bot] avatar](https://avatars.githubusercontent.com/in/42202?v=4 "Published by a pub.dev verified publisher"){kind=small}
👋🏻 hey @xiangshen-dk, nice to meet you, I am mentioning you as manager of the latest releases of the library.
Can you take a look at this PR?
Thanks a lot!
@xiangshen-dk I've introduced more changes in the PR, since I wanted to try to generate a build of the plugin to test it in our private Grafana instance. To do this, I've had to bump several node libraries, the CI environment and regenerate the yarn.lock file
Sorry for the delayed response. I have updated the dependencies based some other PRs. I will close this one. Anyhow, appreciate your support!
