From 2e792517a121743eaa114b0557e10ef9a0a47bb0 Mon Sep 17 00:00:00 2001
From: longwan
Date: Tue, 7 Jan 2025 17:22:19 +0000
Subject: [PATCH 01/12] clear trivy

---
.trivyignore | 23 -----------------------
1 file changed, 23 deletions(-)

diff --git a/.trivyignore b/.trivyignore
index 99ac42a50..e69de29bb 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,23 +0,0 @@
-#telegraf CRITICAL
-CVE-2024-41110
-
-#telegraf MEDIUM
-CVE-2024-35255
-CVE-2024-28110
-CVE-2024-24557
-CVE-2024-29018
-CVE-2024-27304
-GHSA-7jwh-3vrq-q3m8
-CVE-2024-27289
-CVE-2024-27304
-CVE-2023-45288
-CVE-2024-24786
-CVE-2024-24791
-
-#cbl-mariner
-CVE-2024-5535
-
-#stdlib
-CVE-2024-34156
-CVE-2024-34155
-CVE-2024-34158
From 9baaa0396e77283437b6c50a8a3ab9e1e253c30c Mon Sep 17 00:00:00 2001
From: longwan
Date: Tue, 7 Jan 2025 21:54:16 +0000
Subject: [PATCH 02/12] update uninstall rexml version

---
kubernetes/linux/setup.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kubernetes/linux/setup.sh b/kubernetes/linux/setup.sh
index 0270897dd..29a90ce4c 100644
--- a/kubernetes/linux/setup.sh
+++ b/kubernetes/linux/setup.sh
@@ -45,7 +45,7 @@ mv /usr/lib/ruby/gems/3.1.0/specifications/webrick-1.8.1.gemspec /usr/lib/ruby/g
gem uninstall time --version 0.2.0
gem uninstall uri --version 0.11.0
gem uninstall stringio --version 3.0.1
-gem uninstall rexml --version 3.2.5
+gem uninstall rexml --version 3.3.8
gem uninstall webrick --version 1.8.1
sudo tdnf install -y azure-mdsd-1.31.4
From 2a8362bf0e3fd6c61dd637a69471746943342d51 Mon Sep 17 00:00:00 2001
From: longwan
Date: Tue, 7 Jan 2025 22:22:51 +0000
Subject: [PATCH 03/12] update

---
kubernetes/linux/setup.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kubernetes/linux/setup.sh b/kubernetes/linux/setup.sh
index 29a90ce4c..0270897dd 100644
--- a/kubernetes/linux/setup.sh
+++ b/kubernetes/linux/setup.sh
@@ -45,7 +45,7 @@ mv /usr/lib/ruby/gems/3.1.0/specifications/webrick-1.8.1.gemspec /usr/lib/ruby/g
gem uninstall time --version 0.2.0
gem uninstall uri --version 0.11.0
gem uninstall stringio --version 3.0.1
-gem uninstall rexml --version 3.3.8
+gem uninstall rexml --version 3.2.5
gem uninstall webrick --version 1.8.1
sudo tdnf install -y azure-mdsd-1.31.4
From 3f6b0664e70eb22f91c345eaa93d9563be0e7ea5 Mon Sep 17 00:00:00 2001
From: longwan
Date: Wed, 8 Jan 2025 21:31:43 +0000
Subject: [PATCH 04/12] Update golang.org/x/net to v0.33.0

---
source/plugins/go/src/go.mod | 10 +++++-----
source/plugins/go/src/go.sum | 20 ++++++++++----------
2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/source/plugins/go/src/go.mod b/source/plugins/go/src/go.mod
index 3b1c68510..09bc58e7a 100644
--- a/source/plugins/go/src/go.mod
+++ b/source/plugins/go/src/go.mod
@@ -39,11 +39,11 @@ require (
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/philhofer/fwd v1.1.2 // indirect
- golang.org/x/net v0.26.0 // indirect
+ golang.org/x/net v0.33.0 // indirect
golang.org/x/oauth2 v0.19.0 // indirect
- golang.org/x/sys v0.21.0 // indirect
- golang.org/x/term v0.21.0 // indirect
- golang.org/x/text v0.16.0 // indirect
+ golang.org/x/sys v0.28.0 // indirect
+ golang.org/x/term v0.27.0 // indirect
+ golang.org/x/text v0.21.0 // indirect
golang.org/x/time v0.5.0 // indirect
k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
@@ -55,7 +55,7 @@ require (
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/rogpeppe/go-internal v1.12.0 // indirect
golang.org/x/mod v0.17.0 // indirect
- golang.org/x/sync v0.7.0 // indirect
+ golang.org/x/sync v0.10.0 // indirect
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
google.golang.org/protobuf v1.33.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
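Review bot: `gem uninstall rexml --version 3.2.5` on the new side removes only that exact version, so if the Ruby in the image ships a different rexml the command fails or becomes a no-op and the gem stays on disk — the 3.2.5 → 3.3.8 → 3.2.5 flip across patches 02 and 03 suggests the installed version is not actually pinned down, and whether setup.sh runs under `set -e` is not visible in this hunk. Removing every version and failing the build if one survives is safer, e.g. `gem uninstall rexml --all --ignore-dependencies --executables` followed by `gem list -i rexml && { echo 'rexml still installed' >&2; exit 1; }`. Bear in mind that RubyGems refuses to uninstall a default gem unless its gemspec has been moved out of `specifications/default/`; the truncated `mv` in the hunk header appears to handle webrick only, so it is worth confirming rexml gets the same treatment. The rest of the script lies outside the hunk.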
diff --git a/source/plugins/go/src/go.sum b/source/plugins/go/src/go.sum
index a59b113f6..70b8b22d4 100644
--- a/source/plugins/go/src/go.sum
+++ b/source/plugins/go/src/go.sum
@@ -113,8 +113,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
golang.org/x/oauth2 v0.19.0 h1:9+E/EZBCbTLNrbN35fHv/a/d/mOBatymz1zbtQrXpIg=
golang.org/x/oauth2 v0.19.0/go.mod h1:vYi7skDa1x015PmRRYZ7+s1cWyPgrPiSYRe4rnsexc8=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -122,8 +122,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -131,15 +131,15 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
-golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
From 5c16938ce0be118ff3e00782da9a3dca49f43acf Mon Sep 17 00:00:00 2001
From: longwan
Date: Wed, 8 Jan 2025 22:23:26 +0000
Subject: [PATCH 05/12] update trivy

---
.trivyignore | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)

diff --git a/.trivyignore b/.trivyignore
index e69de29bb..46e9bbd5a 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -0,0 +1,25 @@
+#telegraf CRITICAL
+CVE-2024-41110
+CVE-2024-45337
+CVE-2024-45338
+
+#telegraf MEDIUM
+CVE-2024-35255
+CVE-2024-28110
+CVE-2024-24557
+CVE-2024-29018
+CVE-2024-27304
+GHSA-7jwh-3vrq-q3m8
+CVE-2024-27289
+CVE-2024-27304
+CVE-2023-45288
+CVE-2024-24786
+CVE-2024-24791
+
+#cbl-mariner
+CVE-2024-5535
+
+#stdlib
+CVE-2024-34156
+CVE-2024-34155
+CVE-2024-34158
\ No newline at end of file
From 56cb2f4d28942db381ff4ba2b5efed0403ed8a7f Mon Sep 17 00:00:00 2001
From: longwan
Date: Thu, 9 Jan 2025 23:07:18 +0000
Subject: [PATCH 06/12] uninstall rexml

---
kubernetes/windows/Dockerfile | 1 +
1 file changed, 1 insertion(+)

diff --git a/kubernetes/windows/Dockerfile b/kubernetes/windows/Dockerfile
index 57668ec0b..9991e42bc 100644
--- a/kubernetes/windows/Dockerfile
+++ b/kubernetes/windows/Dockerfile
@@ -31,6 +31,7 @@ RUN refreshenv \
&& gem install gyoku -v 1.3.1 \
&& gem install ipaddress -v 0.8.3 \
&& gem install jwt -v 2.7.1 \
+&& gem uninstall rexml || true \
&& gem sources --clear-all
# Remove gem cache and chocolatey
From efd7a7f90e0c09c115d9b6915146381e1b8dda35 Mon Sep 17 00:00:00 2001
From: longwan
Date: Mon, 13 Jan 2025 17:24:35 +0000
Subject: [PATCH 07/12] update trivy

---
.trivyignore | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.trivyignore b/.trivyignore
index 46e9bbd5a..21e34a200 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,7 +1,6 @@
#telegraf CRITICAL
CVE-2024-41110
CVE-2024-45337
-CVE-2024-45338
#telegraf MEDIUM
CVE-2024-35255
@@ -21,5 +20,4 @@ CVE-2024-5535
#stdlib
CVE-2024-34156
-CVE-2024-34155
-CVE-2024-34158
\ No newline at end of file
+CVE-2024-34155
\ No newline at end of file
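Review bot: The 25 suppressions added here are unconditional — no owner, reason or expiry — so a finding that later turns out to affect the shipped binary, or that upstream fixes, stays hidden until someone remembers to revisit this file; `CVE-2024-45338` is the clearest case, because patch 04 already bumps golang.org/x/net to v0.33.0 for the Go plugin, so this entry must be covering a separately bundled component (the `#telegraf` heading suggests the telegraf binary) that should be upgraded rather than waived. Trivy's plain `.trivyignore` accepts a per-line expiry, e.g. `CVE-2024-45338 exp:2025-03-01`, and the `.trivyignore.yaml` form can additionally record a `statement`; add one of these for each ID, with a comment naming the component it applies to. `CVE-2024-27304` is listed twice in the MEDIUM block.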
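Review bot: `+&& gem uninstall rexml || true \` does more than tolerate a failed uninstall: `&&` and `||` are evaluated left to right with equal precedence, so everything before it — `refreshenv` and every `gem install` above — is grouped as `(... && gem uninstall rexml) || true`, and a failed `gem install jwt` (or any earlier step) is masked the same way, producing an image that builds cleanly without the gem. If the uninstall is genuinely best-effort, give it its own `RUN` instruction so its exit status cannot leak into the install chain, and assert the outcome with `gem list -i rexml` instead of discarding it. Note also that `true` is not a cmd.exe builtin, so unless a `SHELL` directive outside this hunk selects a shell that provides it, the fallback itself fails; the `RUN` instruction begins before the hunk.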
From f7832cc47fa9c96dc51c0a343fb0d2b07af24c10 Mon Sep 17 00:00:00 2001
From: longwan
Date: Mon, 13 Jan 2025 17:38:56 +0000
Subject: [PATCH 08/12] update windows rexml

---
kubernetes/windows/Dockerfile | 1 -
1 file changed, 1 deletion(-)

diff --git a/kubernetes/windows/Dockerfile b/kubernetes/windows/Dockerfile
index 9991e42bc..57668ec0b 100644
--- a/kubernetes/windows/Dockerfile
+++ b/kubernetes/windows/Dockerfile
@@ -31,7 +31,6 @@ RUN refreshenv \
&& gem install gyoku -v 1.3.1 \
&& gem install ipaddress -v 0.8.3 \
&& gem install jwt -v 2.7.1 \
-&& gem uninstall rexml || true \
&& gem sources --clear-all
# Remove gem cache and chocolatey
From e8a3f8058ac7d889b43181397f30932fe5b9da88 Mon Sep 17 00:00:00 2001
From: longwan
Date: Mon, 13 Jan 2025 17:39:38 +0000
Subject: [PATCH 09/12] update

---
.trivyignore | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.trivyignore b/.trivyignore
index 21e34a200..8a45bbd27 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -20,4 +20,4 @@ CVE-2024-5535
#stdlib
CVE-2024-34156
-CVE-2024-34155
\ No newline at end of file
+CVE-2024-34155
From b64609b2a83bd72617a9df3ef85a60b7683a5786 Mon Sep 17 00:00:00 2001
From: longwan
Date: Mon, 13 Jan 2025 17:45:35 +0000
Subject: [PATCH 10/12] update

---
.trivyignore | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/.trivyignore b/.trivyignore
index 8a45bbd27..bc988617a 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -2,6 +2,9 @@
CVE-2024-41110
CVE-2024-45337
+#telegraf CRITICAL
+CVE-2024-45338
+ +#telegraf MEDIUM
CVE-2024-35255
CVE-2024-28110
@@ -13,11 +16,4 @@ CVE-2024-27289
CVE-2024-27304
CVE-2023-45288
CVE-2024-24786
-CVE-2024-24791
-
-#cbl-mariner
-CVE-2024-5535
-#stdlib
-CVE-2024-34156
-CVE-2024-34155
From 323711c3610514920af07a04d7d11e657d116747 Mon Sep 17 00:00:00 2001
From: longwan
Date: Wed, 15 Jan 2025 05:20:33 +0000
Subject: [PATCH 11/12] update ignore trigger new build

---
.trivyignore | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
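Review bot: `CVE-2024-45338` comes back under a second `#telegraf CRITICAL` heading two lines below the existing one, again with no reason or expiry, so a reader cannot tell whether it was restored because the bundled telegraf is still built against golang.org/x/net older than v0.33.0 (the Go plugin module was already bumped in patch 04) or because the scanner mis-attributed the finding — and since patch 07 had just removed it, the rationale matters more, not less. Fold it into the existing telegraf block with a dated justification, e.g. `# x/net html parser DoS in bundled telegraf; drop once telegraf is upgraded` above `CVE-2024-45338 exp:2025-03-01`. Dropping the `#cbl-mariner` and `#stdlib` waivers in the second hunk is the right direction; the commit message should name the base-image or toolchain update that made them unnecessary so the removal is auditable.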
diff --git a/.trivyignore b/.trivyignore
index bc988617a..73cb0756b 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -2,7 +2,7 @@
CVE-2024-41110
CVE-2024-45337
-#telegraf CRITICAL
+#telegraf HIGH
CVE-2024-45338
#telegraf MEDIUM
From 41ed95ff9588e41a98877cff3e1df1b453c1e0a0 Mon Sep 17 00:00:00 2001
From: "LONG WAN (from Dev Box)"
Date: Wed, 15 Jan 2025 09:13:52 -0800
Subject: [PATCH 12/12] update inventory and perf dependency

---
source/plugins/go/input/go.mod | 4 ++--
source/plugins/go/input/go.sum | 8 ++++----
2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/source/plugins/go/input/go.mod b/source/plugins/go/input/go.mod
index 87ca25dfd..68de6b2f2 100644
--- a/source/plugins/go/input/go.mod
+++ b/source/plugins/go/input/go.mod
@@ -16,8 +16,8 @@ require (
github.com/google/uuid v1.6.0 // indirect
github.com/ugorji/go/codec v1.2.12 // indirect
golang.org/x/mod v0.17.0 // indirect
- golang.org/x/sync v0.7.0 // indirect
- golang.org/x/sys v0.21.0 // indirect
+ golang.org/x/sync v0.10.0 // indirect
+ golang.org/x/sys v0.28.0 // indirect
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
)
diff --git a/source/plugins/go/input/go.sum b/source/plugins/go/input/go.sum
index b482e3a71..649d90366 100644
--- a/source/plugins/go/input/go.sum
+++ b/source/plugins/go/input/go.sum
@@ -95,12 +95,12 @@ golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=