runc go-module needs security updates
Gogs version
0.13.0+dev
Git version
Irrelevant
Operating system
Ubuntu Docker
Database
SQLite
Describe the bug
The github.com/opencontainers/runc module in use has two medium-severity security issues.
| NAME | INSTALLED | FIXED-IN | TYPE | VULNERABILITY | SEVERITY |
|---|---|---|---|---|---|
| github.com/opencontainers/runc | v1.0.1 | 1.1.2 | go-module | GHSA-f3fp-gc8g-vw66 | Medium |
| github.com/opencontainers/runc | v1.0.1 | 1.0.3 | go-module | GHSA-v95c-p5hm-xq8f | Medium |
To reproduce
Run a grype scan on the container image
Expected behavior
Up-to-date dependencies.
Additional context
No response
Code of Conduct
- [X] I agree to follow this project's Code of Conduct
I suggest updating to at least 1.1.2 or the current (as of now) 1.1.3: https://github.com/opencontainers/runc/releases
Thanks for the info!
But I don't see any usage of github.com/opencontainers/runc within this repository and its dependencies, how do I upgrade it?
I didn't check the code and don't know much about Golang, but I see some mentions of runc here too: https://github.com/gogs/gogs/search?q=runc&type=issues
Maybe it's a dependency of one of your dependencies?
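As an added example (not code from the Gogs project or any commenter), a small Python script that answers the "dependency of one of your dependencies?" question: it parses `go mod graph` output (a constructed sample here; every module name other than runc is a placeholder) and searches for a path from the main module to github.com/opencontainers/runc. No path means the scanner's hit is not in the application's module graph at all and the flagged copy comes from elsewhere in the image, which is the direction the thread ends up taking.

```python
from collections import deque

# Constructed sample of `go mod graph` output ("parent child" per line).
# Module names other than runc are placeholders, not Gogs's real dependencies.
SAMPLE_GRAPH = """\
example.com/app example.com/web-framework@v1.2.0
example.com/app example.com/container-helper@v0.4.0
example.com/web-framework@v1.2.0 example.com/logger@v1.8.1
example.com/container-helper@v0.4.0 github.com/opencontainers/runc@v1.0.1
github.com/opencontainers/runc@v1.0.1 example.com/logger@v1.8.1
"""

def parse_mod_graph(text):
    """Build an adjacency map {parent: [child, ...]} from `go mod graph` lines."""
    edges = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parent, child = line.split()
        edges.setdefault(parent, []).append(child)
    return edges

def module_name(node):
    """Strip the '@version' suffix so any version of a module matches."""
    return node.split("@", 1)[0]

def find_path(edges, root, target_module):
    """Breadth-first search from the main module; returns the shortest chain
    of nodes that reaches target_module, or None if the module is absent."""
    queue = deque([[root]])
    seen = {root}
    while queue:
        path = queue.popleft()
        if module_name(path[-1]) == target_module:
            return path
        for child in edges.get(path[-1], []):
            if child not in seen:
                seen.add(child)
                queue.append(path + [child])
    return None

def triage(graph_text, root, target_module):
    """Classify a scanner hit: a transitive Go dependency (fixable by bumping
    the parent in go.mod), or not in the module graph, in which case the
    flagged copy ships with something else in the image, e.g. a Go binary
    from the base image (inspect with `go version -m <binary>`)."""
    path = find_path(parse_mod_graph(graph_text), root, target_module)
    if path is None:
        return "not-in-module-graph", None
    return "transitive-dependency", path

if __name__ == "__main__":
    verdict, chain = triage(SAMPLE_GRAPH, "example.com/app",
                            "github.com/opencontainers/runc")
    print(verdict, " -> ".join(chain or []))
```

Run it against real output with `go mod graph > graph.txt` and feed the file's contents to `triage` with your own main module path as `root`.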
> But I don't see any usage of github.com/opencontainers/runc within this repository and its dependencies
"within this repository and its dependencies" 😀
But anyway, I think it's just a base image upgrade, previously done in https://github.com/gogs/gogs/issues/6674.
OK, just checked: building based on alpine:3.16 also doesn't fix the problem. I think that's because the patch from github.com/opencontainers/runc is just too new, and downstream hasn't been able to catch up yet. I'll revisit this issue some time later to see if there is a new patch version available for alpine:3.16.
Alpine released 3.17.1 without fixing this, and given this is not something the application (Gogs) cares about, the risk is accepted and I won't be actively looking for a fix anymore.