Skip to content

PMM-14577 Fix CVEs by bump versions. #343

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
JiriCtvrtka merged 1 commit into from
Dec 17, 2025
Merged

PMM-14577 Fix CVEs by bump versions. #343

JiriCtvrtka merged 1 commit into from
Dec 17, 2025

Conversation

@JiriCtvrtka
Copy link
Collaborator

@JiriCtvrtka JiriCtvrtka commented Dec 16, 2025
edited
Loading

I dont have permissions to push into Percona PMM Dump. So I created fork.

Ticket: https://perconadev.atlassian.net/browse/PMM-14577

PMM PR: percona/pmm#4848

This was referenced Dec 16, 2025
Merged
Closed
@JiriCtvrtka
Copy link
Collaborator Author

JiriCtvrtka commented Dec 16, 2025
edited
Loading

@ademidoff @idoqo @svetasmirnova

I don’t have permission to push to Percona PMM Dump, so I created a fork. It would be great if I could get the necessary permissions.

  1. I created another PR with only a comment (no code changes), but CI/tests is also failing. Could someone take a look?
    PR: Test #344

  2. Can someone check why Snyk is failing? I don’t have access to the output/logs.

@JiriCtvrtka JiriCtvrtka marked this pull request as ready for review December 16, 2025 09:46
@ademidoff
Copy link
Member

ademidoff commented Dec 16, 2025

@ademidoff @idoqo @svetasmirnova

I don’t have permission to push to Percona PMM Dump, so I created a fork. It would be great if I could get the necessary permissions.

  1. I created another PR with only a comment (no code changes), but CI/tests is also failing. Could someone take a look?
    PR: Test #344
  2. Can someone check why Snyk is failing? I don’t have access to the output/logs.

I don't have access to that namespace of Snyk either, the access is granted on a per-team basis.

idoqo
idoqo reviewed Dec 16, 2025
View reviewed changes
Copy link
Contributor

@idoqo idoqo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@JiriCtvrtka i think PR should be against pmm-3.4.1 branch since:

  • it's the branch on pmm-submodules.
  • we haven't tested/updated pmm to use changes from main branch (e.g encryption).

go.mod
github.com/grafana/grafana v0.0.0-20240319182150-590c657828b5
github.com/grafana/grafana-plugin-sdk-go v0.281.0
github.com/hashicorp/go-version v1.7.0
github.com/grafana/grafana v1.9.2-0.20240724181030-49c756d77483
Copy link
Contributor

@idoqo idoqo Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nicee, this resolves cves?

Copy link
Collaborator Author

@JiriCtvrtka JiriCtvrtka Dec 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is latest one I was able to find and it is working. One mentioned in CVE report: 1.9.2-0.20250521205822-0ba0b99665a9 is not existing for me. So I am going to check report if this one is fine.

go: github.com/grafana/[email protected]: invalid version: unknown revision 1.9.2-20250521205822-0ba0b99665a9
osr-mb-044:tools jiri.ctvrtka$ go get github.com/grafana/[email protected]
go: github.com/grafana/[email protected]: invalid version: unknown revision 0.1.9.2-20250521205822-0ba0b99665a9

@JiriCtvrtka
Copy link
Collaborator Author

JiriCtvrtka commented Dec 17, 2025

@JiriCtvrtka i think PR should be against pmm-3.4.1 branch since:

  • it's the branch on pmm-submodules.
  • we haven't tested/updated pmm to use changes from main branch (e.g encryption).

@idoqo I see, ok let me fix it.

@JiriCtvrtka JiriCtvrtka changed the base branch from main to pmm-3.4.1 December 17, 2025 08:36
@JiriCtvrtka
Copy link
Collaborator Author

JiriCtvrtka commented Dec 17, 2025

We agreed to merge this PR and then review the new vulnerability report. If needed, another iteration will be done.

@JiriCtvrtka JiriCtvrtka merged commit a11ab7f into percona:pmm-3.4.1 Dec 17, 2025
2 of 4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@idoqo idoqo idoqo left review comments

@ademidoff ademidoff ademidoff approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@JiriCtvrtka @ademidoff @idoqo