Request a release including Go security fixes for google.golang.org/grpc (GHSA-p77j-4mvh-x3m3)

[svijayam]

What would you like to be added:
A fix for vulnerability [ google.golang.org/grpc (GHSA-p77j-4mvh-x3m3) ] that affects the current kubernetes-sigs/ external-dns:v0.20.0-153-ge1f84844 staging image.

Why is this needed:
google.golang.org/grpc (GHSA-p77j-4mvh-x3m3): A vulnerability where specially crafted requests can cause a denial-of-service (DoS) by crashing or exhausting resources in a gRPC server.

Could you please:
Upgrade google.golang.org/grpc to latest version and Publish a new release of external-dns with those fixes included

[ivankatliarchuk]

How this could crash external-dns, as it's not a grps server ;-).

[ivankatliarchuk]

Please use as part of your scanner https://github.com/google/capslock/ or similar tool

[svijayam]

The library should be upgraded to version 1.79.3 or later of google.golang.org/grpc, this vularability is reported by Trivy Scan

[vflaux]

Trivy only looks at the go.mod file and reports modules with known vulnerabilities. It supports a lot of languages, but it also produces many false positives.
Prefer govulncheck, which actually analyzes the code or the binary.

$ govulncheck ./...
No vulnerabilities found.

[ivankatliarchuk]

#6348

/close

[k8s-ci-robot]

@ivankatliarchuk: Closing this issue.

Details

In response to this:

#6348

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.