Security update kube-lineage to go version 1.22.4 and removed cve's #14

Open
Avi-Robusta wants to merge 51 commits into tohjustin:master from robusta-dev:master

@Avi-Robusta Avi-Robusta commented Jul 7, 2024

I scanned it in my cluster and a lot of cves came up in it

I removed them and also added it to build standalone binaries in the git action for amd and arm

I have my own fork if anyone needs it till it's merged:
https://github.com/Avi-Robusta/kube-lineage/releases/tag/v2.0.2

dependabot bot and others added 27 commits July 2, 2024 06:40
…ates

Bumps the go_modules group with 1 update in the / directory: [helm.sh/helm/v3](https://github.com/helm/helm).


Updates `helm.sh/helm/v3` from 3.8.0 to 3.14.3
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](helm/helm@v3.8.0...v3.14.3)

Updates `github.com/containerd/containerd` from 1.5.9 to 1.7.12
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v1.5.9...v1.7.12)

Updates `github.com/cyphar/filepath-securejoin` from 0.2.3 to 0.2.4
- [Release notes](https://github.com/cyphar/filepath-securejoin/releases)
- [Commits](cyphar/filepath-securejoin@v0.2.3...v0.2.4)

Updates `github.com/docker/distribution` from 2.7.1+incompatible to 2.8.2+incompatible
- [Release notes](https://github.com/docker/distribution/releases)
- [Commits](distribution/distribution@v2.7.1...v2.8.2)

Updates `github.com/docker/docker` from 20.10.12+incompatible to 24.0.7+incompatible
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v20.10.12...v24.0.7)

Updates `github.com/prometheus/client_golang` from 1.11.0 to 1.16.0
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](prometheus/client_golang@v1.11.0...v1.16.0)

Updates `golang.org/x/crypto` from 0.0.0-20211117183948-ae814b36b871 to 0.17.0
- [Commits](https://github.com/golang/crypto/commits/v0.17.0)

Updates `golang.org/x/net` from 0.0.0-20220107192237-5cfca573fb4d to 0.17.0
- [Commits](https://github.com/golang/net/commits/v0.17.0)

Updates `golang.org/x/sys` from 0.0.0-20211216021012-1d35b9e2eb4e to 0.15.0
- [Commits](https://github.com/golang/sys/commits/v0.15.0)

Updates `golang.org/x/text` from 0.3.7 to 0.14.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.3.7...v0.14.0)

Updates `google.golang.org/grpc` from 1.43.0 to 1.58.3
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.43.0...v1.58.3)

Updates `google.golang.org/protobuf` from 1.27.1 to 1.31.0

Updates `gopkg.in/yaml.v3` from 3.0.0-20210107192922-496545a6307b to 3.0.1

---
updated-dependencies:
- dependency-name: helm.sh/helm/v3
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/containerd/containerd
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/cyphar/filepath-securejoin
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/docker/distribution
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/docker/docker
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/prometheus/client_golang
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/crypto
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/sys
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/text
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: google.golang.org/grpc
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: google.golang.org/protobuf
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: gopkg.in/yaml.v3
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
…es-de2fb0d841

chore(deps): Bump the go_modules group across 1 directory with 13 updates
feat: Increase client-go QPS to handle clusters with large amount of CRDs
Working version
@Avi-Robusta Avi-Robusta changed the title from "Updated kube-lineage to go version 1.22.4 and removed cve's" to "Security update kube-lineage to go version 1.22.4 and removed cve's" on Jul 7, 2024
Avi-Robusta added a commit to HolmesGPT/holmesgpt that referenced this pull request Jul 14, 2024
We might want to do something different with the binaries for
kube-lineage
tested in arm (locally) and amd
Notes:
- created a version of kube-lineage without go cve's
- Removed krew since it was no longer needed with our kubelineage binary
- removed gcloud and aws cli due to cves, we don't need them in cluster
(I made a separate docker image for local running)
- updated packages urllib3 and certifi due to cves

PR for kube lineage
tohjustin/kube-lineage#14
my Kube lineage fork:
https://github.com/Avi-Robusta/kube-lineage
@tohjustin (Owner)

Hi @Avi-Robusta, appreciate you for pushing all these changes & fixes upstream 🙏

The changes lgtm, shall I proceed to merge the PR?
