This repository was archived by the owner on Sep 30, 2024. It is now read-only.

Fix vulnerabilities in jaeger and opentelemetry-collector images#54000

Merged
willdollman merged 12 commits into main from wolfi/will/update-jaeger-otelcol on Jun 23, 2023

Conversation

@willdollman

@willdollman willdollman commented Jun 22, 2023

Contributor

Update the jaeger and opentelemetry-collector images, and associated opentelemetry-collector go modules to remove CVE-2022-41723.

Test plan

Successful trace locally using the updated otelcol container + jaeger 1.45.0:

image

Comment thread wolfi-packages/opentelemetry-collector.yaml Outdated

@bobheadxi bobheadxi left a comment

Member


nice, one step closer to latest 😆 Thanks for doing this!

@bobheadxi

Member

Should add to changelog as well

willdollman and others added 11 commits June 23, 2023 20:43
The latest version is 1.46, but this introduces a breaking change which we're avoiding this close to a release.
This is the minimum possible update that fixes all vulns in the otelcol image

* go mod edit -require go.opentelemetry.io/collector@v0.73.0
* go mod tidy
* bazel run //:gazelle-update-repos
OTEL stuff moved packages around, which messed our ability to build old
code. This is happening because we're building the old code with our new
`deps.bzl` (there isn't really an easy way around that for now).

## Test plan


CI, backcompat test passed.
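The commit above bumps go.opentelemetry.io/collector to v0.73.0 and then re-tidies go.mod and the Bazel repos. A defender reviewing such a bump usually wants a quick, toolchain-free check that the resulting go.mod really pins each affected module at or above the version carrying the fix. The script below is an added example written for this page, not code from the Sourcegraph repository: it parses a constructed go.mod (the sample text is made up for the demo) and compares the pinned versions against a minimum. The collector minimum v0.73.0 comes from the commit message; the golang.org/x/net v0.7.0 minimum is not stated on the page and is taken from the Go vulnerability database entry for CVE-2022-41723.

```shell
#!/bin/sh
# Added example: verify that a go.mod pins modules at or above a fixed version.
# Pure POSIX sh, no Go toolchain required, so it can run in a CI lint step.

# Constructed sample go.mod standing in for the repository's real file.
SAMPLE_GOMOD='module example.com/app

go 1.20

require (
	go.opentelemetry.io/collector v0.73.0
	go.opentelemetry.io/collector/exporter/otlpexporter v0.73.0
	golang.org/x/net v0.7.0
)
'

# required_version GOMOD_TEXT MODULE
# Prints the version go.mod requires for MODULE (block or single-line form),
# or nothing if the module is not required at all.
required_version() {
  printf '%s\n' "$1" | awk -v mod="$2" '
    $1 == mod { print $2; exit }
    $1 == "require" && $2 == mod { print $3; exit }'
}

# version_ge A B
# Returns 0 when semver A >= B on major.minor.patch. A leading "v" and any
# pre-release or pseudo-version suffix ("-20230101...", "+meta") are ignored,
# so a v0.0.0-<timestamp>-<hash> pseudo-version sorts as 0.0.0.
version_ge() {
  a=${1#v}; a=${a%%[-+]*}
  b=${2#v}; b=${b%%[-+]*}
  a1=${a%%.*}; a=${a#*.}; a2=${a%%.*}; a3=${a#*.}
  b1=${b%%.*}; b=${b#*.}; b2=${b%%.*}; b3=${b#*.}
  [ "$a1" -gt "$b1" ] && return 0
  [ "$a1" -lt "$b1" ] && return 1
  [ "$a2" -gt "$b2" ] && return 0
  [ "$a2" -lt "$b2" ] && return 1
  [ "$a3" -ge "$b3" ]
}

# check_module GOMOD_TEXT MODULE MIN_FIXED_VERSION
# Exit 0 if the pinned version carries the fix, 1 if it is older, 2 if absent.
check_module() {
  v=$(required_version "$1" "$2")
  if [ -z "$v" ]; then
    echo "$2: not required in go.mod" >&2
    return 2
  fi
  if version_ge "$v" "$3"; then
    echo "$2 $v >= $3: ok"
  else
    echo "$2 $v < $3: still vulnerable" >&2
    return 1
  fi
}

# Demo run over the constructed go.mod. Both checks pass on this sample.
status=0
check_module "$SAMPLE_GOMOD" go.opentelemetry.io/collector v0.73.0 || status=1
check_module "$SAMPLE_GOMOD" golang.org/x/net v0.7.0 || status=1
echo "overall status: $status"
```

Run it against the real file with `check_module "$(cat go.mod)" <module> <min-version>`; a non-zero return from any check is what a CI gate should fail on. Note that this only inspects what go.mod pins, so it should sit beside, not replace, a scanner that walks the full module graph.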
@willdollman willdollman force-pushed the wolfi/will/update-jaeger-otelcol branch from 6350508 to 9bcbe51 Compare June 23, 2023 20:18
@willdollman willdollman merged commit d05fbc9 into main Jun 23, 2023
@willdollman willdollman deleted the wolfi/will/update-jaeger-otelcol branch June 23, 2023 21:08
@github-actions

Contributor

The backport to 5.1 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-5.1 5.1
# Navigate to the new working tree
cd .worktrees/backport-5.1
# Create a new branch
git switch --create backport-54000-to-5.1
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 d05fbc97877a30adb80eb66498c282d86bf00e43
# Push it to GitHub
git push --set-upstream origin backport-54000-to-5.1
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-5.1

Then, create a pull request where the base branch is 5.1 and the compare/head branch is backport-54000-to-5.1.

@github-actions github-actions Bot added backports failed-backport-to-5.1 release-blocker Prevents us from releasing: https://about.sourcegraph.com/handbook/engineering/releases labels Jun 23, 2023
willdollman added a commit that referenced this pull request Jun 23, 2023

Update the jaeger and opentelemetry-collector images, and associated
opentelemetry-collector go modules to remove CVE-2022-41723.


- [x] Green `wolfi/` CI
https://buildkite.com/sourcegraph/sourcegraph/builds/230378
- [x] Green main-dry-run
https://buildkite.com/sourcegraph/sourcegraph/builds/230388
- [x] Manually inspecting base images from wolfi CI
- [x] Test tracing by following
https://docs.sourcegraph.com/dev/how-to/opentelemetry_local_dev

Successful trace locally using the updated otelcol container + jaeger 1.45.0:

![image](https://github.com/sourcegraph/sourcegraph/assets/1323081/41005a5c-8b34-40b8-9e9d-f5601788b0fa)

---------

Co-authored-by: Jean-Hadrien Chabran <jean-hadrien.chabran@sourcegraph.com>
(cherry picked from commit d05fbc9)

Labels

backports cla-signed release-blocker Prevents us from releasing: https://about.sourcegraph.com/handbook/engineering/releases
