
CVE-2021-36156 in github.com/grafana/loki

Open captncraig opened this issue 2 years ago • 5 comments

  • [ ] https://github.com/grafana/agent/security/code-scanning/20

This issue is a false positive given by trivy and other scanners due to the versioning scheme used by loki, that is not compatible with go modules.

  • Package: github.com/grafana/loki
  • Installed Version: v1.6.2-0.20230414223651-220cbdd4f172
  • Vulnerability: CVE-2021-36156
  • Severity: MEDIUM
  • Fixed Version: 2.3.0
  • Link: CVE-2021-36156

The versioning there is based on loki's release versioning. This is not compatible with go modules, or the trivy scanner. This has been discussed at length in the loki repo.

Trivy identifies us as including loki version v1.6.2-0.20230414223651-220cbdd4f172, which is way newer than the version that fixes this vulnerability (which was never exploitable through Grafana Agent in any case).

The possible ways to resolve this warning would be:

  • Loki supports go module versioning (which they say they will only do when they reach a v3), and we move all imports to use new /v3 import paths.
  • We fork the client libraries just to provide versioning to trick the scanner.

Neither of those seem very worthwhile just to calm down a medium alert.

captncraig avatar Jul 17 '23 19:07 captncraig
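The false positive comes from how a version-range scanner reads a Go pseudo-version. A pseudo-version such as v1.6.2-0.20230414223651-220cbdd4f172 is built from the newest valid module tag the go tool can see, a UTC commit timestamp and a commit prefix; when a repository's v2.x tags are not valid module versions for its module path (no /v2 suffix), the prefix stays in the v1 range no matter how recent the commit is. A scanner that orders the string by semver then sees 1.6.2-prerelease < 2.3.0 and reports the CVE. The following Go program, added here as an illustration and not code from grafana/agent, Loki or Trivy, reproduces that comparison and decodes the same pseudo-version to show the commit date it actually carries. The Trivy input strings are taken from the finding quoted above; the semver comparison is a simplified one (prerelease strings compared lexically) and is an assumption about how such scanners order versions, not a reimplementation of Trivy.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Version is a parsed semantic version: core numbers plus an optional
// prerelease string (everything after the first '-').
type Version struct {
	Major, Minor, Patch int
	Prerelease          string
}

// ParseVersion accepts "v2.3.0", "2.3.0" or a Go pseudo-version such as
// "v1.6.2-0.20230414223651-220cbdd4f172" (whose tail becomes Prerelease).
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(s, "v")
	core, pre, _ := strings.Cut(s, "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("bad version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return Version{}, fmt.Errorf("bad version %q", s)
		}
		n[i] = v
	}
	return Version{n[0], n[1], n[2], pre}, nil
}

// Compare orders versions the way a semver-based range check does: by
// core numbers, with a prerelease ranking below its own release.
// Prerelease strings are compared lexically, a simplification of full semver.
func Compare(a, b Version) int {
	for _, d := range [3]int{a.Major - b.Major, a.Minor - b.Minor, a.Patch - b.Patch} {
		if d < 0 {
			return -1
		}
		if d > 0 {
			return 1
		}
	}
	switch {
	case a.Prerelease == b.Prerelease:
		return 0
	case a.Prerelease == "":
		return 1
	case b.Prerelease == "":
		return -1
	}
	return strings.Compare(a.Prerelease, b.Prerelease)
}

// ScannerFlags reports whether a range-based scanner would mark
// installed as vulnerable when the advisory's fix landed in fixed.
func ScannerFlags(installed, fixed string) (bool, error) {
	a, err := ParseVersion(installed)
	if err != nil {
		return false, err
	}
	b, err := ParseVersion(fixed)
	if err != nil {
		return false, err
	}
	return Compare(a, b) < 0, nil
}

// Pseudo is what a Go pseudo-version encodes besides its semver prefix.
type Pseudo struct {
	Base      string    // prefix before the timestamp; in the "-0." form it is one patch above the newest tag on the commit's history
	Timestamp time.Time // commit time, UTC
	Commit    string    // 12-hex-digit commit prefix
}

// ParsePseudo decodes the three pseudo-version layouts used by the go
// command: vX.0.0-ts-hash, vX.Y.(Z+1)-0.ts-hash and vX.Y.Z-pre.0.ts-hash.
func ParsePseudo(v string) (Pseudo, error) {
	i := strings.LastIndex(v, "-")
	if i < 0 || len(v)-i-1 != 12 {
		return Pseudo{}, errors.New("not a pseudo-version: missing commit suffix")
	}
	commit := v[i+1:]
	rest := v[:i] // e.g. v1.6.2-0.20230414223651
	if len(rest) < 15 || !strings.ContainsAny(rest[len(rest)-15:len(rest)-14], "-.") {
		return Pseudo{}, errors.New("not a pseudo-version: missing timestamp")
	}
	ts, err := time.Parse("20060102150405", rest[len(rest)-14:])
	if err != nil {
		return Pseudo{}, err
	}
	head := strings.TrimRight(rest[:len(rest)-14], "-.")
	switch {
	case strings.HasSuffix(head, "-0"): // vX.Y.(Z+1)-0 form
		head = strings.TrimSuffix(head, "-0")
	case strings.Contains(head, "-") && strings.HasSuffix(head, ".0"): // vX.Y.Z-pre.0 form
		head = strings.TrimSuffix(head, ".0")
	}
	return Pseudo{Base: head, Timestamp: ts, Commit: commit}, nil
}

func main() {
	installed := "v1.6.2-0.20230414223651-220cbdd4f172" // from the Trivy finding quoted above
	fixed := "2.3.0"
	flagged, err := ScannerFlags(installed, fixed)
	if err != nil {
		panic(err)
	}
	p, err := ParsePseudo(installed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("scanner orders %s < %s: %v\n", installed, fixed, flagged)
	fmt.Printf("the same string encodes commit %s made at %s (semver prefix %s)\n",
		p.Commit, p.Timestamp.Format(time.RFC3339), p.Base)
}
```

Running it shows the two readings side by side: the semver prefix v1.6.2 is what the scanner compares against 2.3.0, while the commit timestamp (14 April 2023) is the only part of the string that says anything about how recent the checked-out Loki code is. The practical check when triaging such a finding is therefore to look at the timestamp and commit in the pseudo-version, not at its leading version number.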

This issue has not had any activity in the past 30 days, so the needs-attention label has been added to it. If the opened issue is a bug, check to see if a newer release fixed your issue. If it is no longer relevant, please feel free to close this issue. The needs-attention label signals to maintainers that something has fallen through the cracks. No action is needed by you; your issue will be kept open and you do not have to respond to this comment. The label will be removed the next time this job runs if there is new activity. Thank you for your contributions!

github-actions[bot] avatar Sep 09 '23 00:09 github-actions[bot]

Hi @captncraig and @rfratto, does this issue have an ETA for a fix? I'm asking because we are facing the same issue here and the scanner team mentions that the agent is still vulnerable.

MaikiGirardi avatar Nov 30 '23 14:11 MaikiGirardi

There is no real ETA since this is a false positive. I can reiterate that Grafana Agent is not vulnerable to this, and is using a version of loki well beyond the vulnerability in question, and furthermore is only using a few client libraries from loki that were never vulnerable in the first place.

In the future we are working toward removing the dependency on the loki repo altogether, but that is some time out still.

captncraig avatar Nov 30 '23 14:11 captncraig

Thanks for the answer. I will address your answer to them.

MaikiGirardi avatar Nov 30 '23 17:11 MaikiGirardi

Hi there :wave:

On April 9, 2024, Grafana Labs announced Grafana Alloy, the spiritual successor to Grafana Agent and the final form of Grafana Agent flow mode. As a result, Grafana Agent has been deprecated and will only be receiving bug and security fixes until its end-of-life around November 1, 2025.

To make things easier for maintainers, we're in the process of migrating all issues tagged variant/flow to the Grafana Alloy repository to have a single home for tracking issues. This issue is likely something we'll want to address in both Grafana Alloy and Grafana Agent, so just because it's being moved doesn't mean we won't address the issue in Grafana Agent :)

rfratto avatar Apr 11 '24 20:04 rfratto