
chore(deps): bump golang.org/x/oauth2 from 0.25.0 to 0.27.0 - resolve CVE-2025-22868 #2480

Merged
simar7 merged 1 commit into aquasecurity:main from rgoltz:oauth2_CVE-2025-22868
Apr 4, 2025

Conversation

@rgoltz
Contributor

@rgoltz rgoltz commented Mar 11, 2025

Description

Let's keep the AquaSec Trivy-Operator dependency golang.org/x/oauth2 up-to-date. The current latest Docker image tag 0.25.0 uses an older version of oauth2, which could be affected by golang/go#71490 (https://nvd.nist.gov/vuln/detail/CVE-2025-22868). So, let's upgrade oauth2 from 0.25.0 to 0.27.0 for AquaSec Trivy-Operator.

Having this said, I ran:

go get golang.org/x/oauth2@v0.27.0
go mod tidy

Note for Reviewers

Basically, this dependency update just aims to silence some (SBOM-based) scanners while checking the aquasec/trivy-operator:0.25.0 Docker image.

I didn't create a linked issue here in the repo yet. If it would be better/required to have an issue, I'm happy to create one and link it here with a Close/Fixed reference.
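As an added check (not part of this PR or of trivy-operator) that a practitioner could run in CI after the two commands above: a POSIX shell script that reads a go.mod and fails if golang.org/x/oauth2 is still pinned below v0.27.0, the version this PR moves to. The go.mod contents, the module path example.com/op and the helper names are constructed for the demo.

```shell
# Added example, not code from the PR: guard that go.mod requires
# golang.org/x/oauth2 >= v0.27.0 (the fix version named in this PR for
# CVE-2025-22868). Meant to run after `go get ... && go mod tidy`.

# Minimum fixed version stated in the PR.
MIN_OAUTH2="v0.27.0"

# oauth2_version FILE: print the golang.org/x/oauth2 version required in FILE
# (handles both `require golang.org/x/oauth2 vX` and the `require ( ... )` block).
oauth2_version() {
    awk '$1 == "golang.org/x/oauth2" { print $2; exit }
         $1 == "require" && $2 == "golang.org/x/oauth2" { print $3; exit }' "$1"
}

# semver_ge A B: exit 0 when A >= B for plain vMAJOR.MINOR.PATCH tags
# (pre-release/+incompatible suffixes are stripped; Go pseudo-versions are not handled).
semver_ge() {
    a=$(printf '%s' "$1" | sed 's/^v//; s/[-+].*$//')
    b=$(printf '%s' "$2" | sed 's/^v//; s/[-+].*$//')
    set -- $(printf '%s %s' "$a" "$b" | tr '.' ' ')
    # now $1..$3 are A's components, $4..$6 are B's
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# check_go_mod FILE: exit 0 if oauth2 is pinned at >= MIN_OAUTH2, 1 otherwise.
check_go_mod() {
    v=$(oauth2_version "$1")
    if [ -z "$v" ]; then
        echo "golang.org/x/oauth2 is not required in $1" >&2
        return 1
    fi
    if semver_ge "$v" "$MIN_OAUTH2"; then
        echo "OK: golang.org/x/oauth2 $v (>= $MIN_OAUTH2)"
        return 0
    fi
    echo "VULNERABLE: golang.org/x/oauth2 $v < $MIN_OAUTH2 (CVE-2025-22868); run: go get golang.org/x/oauth2@$MIN_OAUTH2 && go mod tidy" >&2
    return 1
}

# Constructed go.mod files: one before the bump (block form), one after (single-line form).
OLD_MOD=$(mktemp); NEW_MOD=$(mktemp)
printf 'module example.com/op\n\ngo 1.24\n\nrequire (\n\tgolang.org/x/oauth2 v0.25.0\n\tk8s.io/client-go v0.32.2\n)\n' > "$OLD_MOD"
printf 'module example.com/op\n\ngo 1.24\n\nrequire golang.org/x/oauth2 v0.27.0\n' > "$NEW_MOD"
```

Run `check_go_mod go.mod` in CI; a non-zero exit blocks the build while the vulnerable version is still required.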

@rgoltz rgoltz requested a review from simar7 as a code owner March 11, 2025 14:56
@CLAassistant

CLAassistant commented Mar 11, 2025

CLA assistant check
All committers have signed the CLA.

@rgoltz
Contributor Author

rgoltz commented Mar 24, 2025

@simar7 @afdesk - Could you please take a look into this PR to update the golang.org/x/oauth2 dependency? - Thanks a lot. 🥇

@afdesk
Contributor

afdesk commented Mar 24, 2025

@rgoltz thanks for your contribution and ping )

@rgoltz
Contributor Author

rgoltz commented Apr 4, 2025

@simar7 - Could you please check/merge this PR to get rid of this vulnerable version (at least in the next release)?

@simar7
Member

@simar7 simar7 left a comment

Thanks! I wonder why Dependabot did not pick this up as a security alert. cc @afdesk

@simar7 simar7 merged commit c40df08 into aquasecurity:main Apr 4, 2025
8 checks passed
@rgoltz rgoltz deleted the oauth2_CVE-2025-22868 branch April 4, 2025 05:20
Hacks4Snacks referenced this pull request in Hacks4Snacks/trivy-operator-broken May 6, 2025
* test: improve integration tests (#2500)

* test: improve integration tests

* chore: improve env variables check

* chore: prepare and load images for tests

* chore(ci): add logining to docker registry

* chore: remove docker auth

* chore: emits more output including GinkgoWriter contents.

* chore: use WP 6.1 instead of 5

* chore: use WP 6.7

* build(deps): bump github.com/containerd/containerd/v2 (#2499)

* chore(deps): bump golang.org/x/oauth2 to 0.27.0 to resolve CVE-2025-22868 (#2480)

* chore(deps): Bump `trivy-*` deps (#2507)

* chore(deps): Bump trivy-* deps

* fix signature

* update checks

* cleanup returns

* docs: change docs about ttl for scanned reports (#2503)

* docs: change docs about ttl for scanned reports

Signed-off-by: Dmitry Ponomaryov <[email protected]>

* fix operator.scannerReportTTL

Signed-off-by: Dmitry Ponomaryov <[email protected]>

---------

Signed-off-by: Dmitry Ponomaryov <[email protected]>

* build(deps): bump the k8s group across 1 directory with 2 updates (#2512)

Bumps the k8s group with 2 updates in the / directory: [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) and [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime).


Updates `k8s.io/apiextensions-apiserver` from 0.32.2 to 0.32.3
- [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases)
- [Commits](kubernetes/apiextensions-apiserver@v0.32.2...v0.32.3)

Updates `sigs.k8s.io/controller-runtime` from 0.20.2 to 0.20.4
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](kubernetes-sigs/controller-runtime@v0.20.2...v0.20.4)

---
updated-dependencies:
- dependency-name: k8s.io/apiextensions-apiserver
  dependency-version: 0.32.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-version: 0.20.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump the common group across 1 directory with 6 updates (#2513)

Bumps the common group with 4 updates in the / directory: [github.com/aquasecurity/trivy-kubernetes](https://github.com/aquasecurity/trivy-kubernetes), [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo), [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) and [golang.org/x/net](https://github.com/golang/net).


Updates `github.com/aquasecurity/trivy-kubernetes` from 0.8.0 to 0.8.1
- [Release notes](https://github.com/aquasecurity/trivy-kubernetes/releases)
- [Changelog](https://github.com/aquasecurity/trivy-kubernetes/blob/main/.goreleaser.yaml)
- [Commits](aquasecurity/trivy-kubernetes@v0.8.0...v0.8.1)

Updates `github.com/onsi/ginkgo/v2` from 2.22.2 to 2.23.4
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.22.2...v2.23.4)

Updates `github.com/onsi/gomega` from 1.36.2 to 1.36.3
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.36.2...v1.36.3)

Updates `github.com/prometheus/client_golang` from 1.21.0 to 1.21.1
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](prometheus/client_golang@v1.21.0...v1.21.1)

Updates `golang.org/x/net` from 0.37.0 to 0.39.0
- [Commits](golang/net@v0.37.0...v0.39.0)

Updates `golang.org/x/text` from 0.23.0 to 0.24.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.23.0...v0.24.0)

---
updated-dependencies:
- dependency-name: github.com/aquasecurity/trivy-kubernetes
  dependency-version: 0.8.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: common
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-version: 2.23.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
- dependency-name: github.com/onsi/gomega
  dependency-version: 1.36.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: common
- dependency-name: github.com/prometheus/client_golang
  dependency-version: 1.21.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: common
- dependency-name: golang.org/x/net
  dependency-version: 0.39.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
- dependency-name: golang.org/x/text
  dependency-version: 0.24.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: skip excluded images in client server mode (#2516)

trivy-operator does not check excluded images in client server mode.

This change fixes this behavior.

* fix(misconfig): ordering policies for hash (#2520)

* fix(misconfig): ordering policies for hash

* refactor: Move sorting inside of loader

* use slices.Sort

* fix lint

* chore: skip the policy size check

* chore: skip the test

* remove an error return for empty policy slice

---------

Co-authored-by: Simar <[email protected]>

* chore: improve cache for policies (#2526)

* chore: use cache for hash calculations

* chore: update comments

* test: add benchmarks for cache calculation

* chore: fix linter error

* chore: remove unneeded mutex

* refactor: improve benchmarks for hash calculation

* fix tests

* fix: golangci-lint formatting

---------

Co-authored-by: simar7 <[email protected]>
Co-authored-by: Simar <[email protected]>

* chore(deps): bump up Trivy versions to v0.62.0 (#2528)

* chore: bump up Go version to 1.24.2

* chore: bump up Trivy version

* chore(deps): bump up Trivy to the latest version

* chore: bump up Trivy to v0.62.0

* release: prepare v0.26.0 (#2535)

* release: prepare v0.26.0

* docs: update helm docs

* chore: update Trivy version in the default config

* docs: bump up Trivy version in the samples (#2538)

---------

Co-authored-by: afdesk <[email protected]>

* chore(ci): Free up space to build (#2539)

* chore(ci): Free up additional space (#2543)

* chore(ci): Free up additional space

* test: test using build step

* chore(ci): Clear up space prior to build

---------

Signed-off-by: Dmitry Ponomaryov <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: afdesk <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Robert Goltz <[email protected]>
Co-authored-by: simar7 <[email protected]>
Co-authored-by: Dmitry Ponomaryov <[email protected]>
Co-authored-by: Pascal Hofmann <[email protected]>
Co-authored-by: Simar <[email protected]>
Co-authored-by: Mark Dalton Gray <[email protected]>
afdesk pushed a commit to maltemorgenstern/trivy-operator that referenced this pull request Jun 2, 2025
4 participants