Skip to content

CVE scan fixes 20250515 #158

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
dewey merged 8 commits into from
Jun 12, 2025
Merged

CVE scan fixes 20250515 #158

dewey merged 8 commits into from
Jun 12, 2025

Conversation

@wanix
Copy link
Contributor

@wanix wanix commented May 15, 2025
edited
Loading

fix CVE scans:

* CVE-2025-22872
* CVE-2025-1386
* CVE-2025-46327

Add flags to docker build to reduce image size + update Alpine image

Add default exec name to gitignore (from Makefile)

VERSION to v0.6.1

Update go libs clickhouse-go, gosnowflake, x/net to fix CVE
GO 1.21 to 1.23 upgrade due to clickhouse-go dependancy.

Scans are now OK with image wanix/sql_exporter:v0.6.1

job.go file was modified by "Make format"

Change github workflow to be GO 1.23 compliant

vendors changes are from

go get
go mod tidy
go mod vendor

@wanix wanix mentioned this pull request May 16, 2025
Open
@wanix
Copy link
Contributor Author

wanix commented May 19, 2025

Not sure 0.6.1 is a correct version now I had to upgrade GO version. Maybe 0.7 is better. Please let me know so I can change VERSION file accordingly.

@wanix
Copy link
Contributor Author

wanix commented Jun 2, 2025

@dewey May you have a look on this one please ? 🙏

@dewey
Copy link
Member

dewey commented Jun 4, 2025

Will take a look this week 👀

@wanix
Copy link
Contributor Author

wanix commented Jun 10, 2025

Hi @dewey , I changed the VERSION file for 0.7, the changes are too consequent for a simple patch in semantic versioning.

dewey
dewey requested changes Jun 10, 2025
View reviewed changes
Copy link
Member

@dewey dewey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, let's do the version upgrade and then we can merge it.

@wanix
Copy link
Contributor Author

wanix commented Jun 11, 2025
edited
Loading

Following review:
Update GO to 1.24

go get
go mod tidy
go mod vendor

Update staticcheck for GO 1.24

Security scans OK with temp image wanix/sql_exporter:v0.7-go1.24

@wanix wanix requested a review from dewey June 11, 2025 14:50
@dewey dewey merged commit be2aea6 into justwatchcom:master Jun 12, 2025
1 check passed
@dewey
Copy link
Member

dewey commented Jun 12, 2025

Looks good to me, thanks!

@wanix
Copy link
Contributor Author

wanix commented Jun 13, 2025

Thanks @dewey , can you publish the corresponding Docker image please ?

@dewey
Copy link
Member

dewey commented Jun 13, 2025

I knew there was something missing, just triggered it. Should be done any moment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dewey dewey Awaiting requested review from dewey

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@wanix @dewey