# spicedb
r
Hi, this is Raj from Red Hat. As you are aware, we are running SpiceDB in some high-security environments. Recently, we found an issue (a CVE) with the SpiceDB operator image. Details are in the thread below.
| NAME | INSTALLED | FIXED-IN | TYPE | VULNERABILITY | SEVERITY |
| --- | --- | --- | --- | --- | --- |
| go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.45.0 | 0.46.0 | go-module | GHSA-8pgv-569h-w5rw | High |
We tried to fix this ourselves (in our fork for OpenShift), but we ran into nested dependencies because of the custom replacement of the K8s client (in go.mod).
We see that there is now an open PR, https://github.com/authzed/spicedb-operator/pull/171, that addresses removal of the replacement.
Should we raise an issue for this?
What is the typical expected cadence for authzed to patch / update deps with vulnerabilities?
v
cc @ecordell
e
Hi, we'll get that fixed ASAP. Thanks for bringing it up. I can fix the client-go fork, but if I can find some time to get back to it, https://github.com/authzed/spicedb-operator/pull/171 will let us drop the fork entirely. (Ah, missed that you pointed that out already, sorry.)
r
No worries, glad to hear that, great stuff. I noticed that the Dependabot scanning/running cadence in the operator is once a month, so is there a monthly release cadence for the operator? Or?
e
There's not a standard release cadence; we usually release when there are new SpiceDB releases to pull in, which happens ~1-2/mo.