github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
c7f7fa5390
containerd/api
History
Sebastiaan van Stijn cb38b1e2be
api: update github.com/containerd/ttrpc v1.2.5 
Update the dependency and the indirect golang.org/x/net version to align
with containerd itself, and to prevent a vulnerability being detected.

We should keep the versions <= versions used by containerd 1.7 to prevent
forcing users of containerd 1.7 in combination with the latest version
of the API module from having to update all their dependencies, but
this update should likely be fine (and aligns with 1.7).

Before this:

    Scanning your code and 254 packages across 15 dependent modules for known vulnerabilities...

    === Symbol Results ===

    Vulnerability #1: GO-2024-2687
        HTTP/2 CONTINUATION flood in net/http
      More info: https://pkg.go.dev/vuln/GO-2024-2687
      Module: golang.org/x/net
        Found in: golang.org/x/net@v0.21.0
        Fixed in: golang.org/x/net@v0.23.0
        Example traces found:
          #1: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.ConnectionError.Error
          #2: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.ErrCode.String
          #3: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.FrameHeader.String
          #4: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.FrameType.String
          #5: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.Setting.String
          #6: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.SettingID.String
          #7: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.StreamError.Error
          #8: services/content/v1/content_ttrpc.pb.go:272:35: content.ttrpccontentClient.Write calls ttrpc.Client.NewStream, which eventually calls http2.chunkWriter.Write
          #9: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.connError.Error
          #10: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.duplicatePseudoHeaderError.Error
          #11: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.headerFieldNameError.Error
          #12: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.headerFieldValueError.Error
          #13: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.pseudoHeaderError.Error
          #14: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.writeData.String

    Your code is affected by 1 vulnerability from 1 module.
    This scan also found 0 vulnerabilities in packages you import and 3
    vulnerabilities in modules you require, but your code doesn't appear to call
    these vulnerabilities.
    Use '-show verbose' for more details.

After this:

    govulncheck ./...
    Scanning your code and 251 packages across 13 dependent modules for known vulnerabilities...

    === Symbol Results ===

    No vulnerabilities found.

    Your code is affected by 0 vulnerabilities.
    This scan also found 0 vulnerabilities in packages you import and 3
    vulnerabilities in modules you require, but your code doesn't appear to call
    these vulnerabilities.
    Use '-show verbose' for more details.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-20 16:53:50 +02:00
..
events Make api a Go sub-module 2024-05-02 11:03:00 -07:00
releases Prepare release notes for api/v1.8.0 2024-05-03 16:51:50 -07:00
runtime Make api a Go sub-module 2024-05-02 11:03:00 -07:00
services Add type alias for event Envelope 2024-05-29 11:10:57 -07:00
types Make api a Go sub-module 2024-05-02 11:03:00 -07:00
1.0.pb.txt Remove the executable bit for api/*.txt files 2020-02-19 16:32:52 +07:00
1.1.pb.txt Remove the executable bit for api/*.txt files 2020-02-19 16:32:52 +07:00
1.2.pb.txt Remove the executable bit for api/*.txt files 2020-02-19 16:32:52 +07:00
doc.go Introduce a new go module - containerd/api for use in standalone clients 2021-07-27 07:34:59 -04:00
go.mod api: update github.com/containerd/ttrpc v1.2.5 2024-06-20 16:53:50 +02:00
go.sum api: update github.com/containerd/ttrpc v1.2.5 2024-06-20 16:53:50 +02:00
next.pb.txt Make api a Go sub-module 2024-05-02 11:03:00 -07:00
Protobuild.toml Update protobuild to build ttrpc services 2024-02-21 14:22:25 -08:00
README.md Minor typo fix. 2017-08-10 06:23:21 +00:00

README.md

This directory contains the GRPC API definitions for containerd.

All defined services and messages have been aggregated into *.pb.txt descriptors files in this directory. Definitions present here are considered frozen after the release.

At release time, the current next.pb.txt file will be moved into place to freeze the API changes for the minor version. For example, when 1.0.0 is released, next.pb.txt should be moved to 1.0.txt. Notice that we leave off the patch number, since the API will be completely locked down for a given patch series.

We may find that by default, protobuf descriptors are too noisy to lock down API changes. In that case, we may filter out certain fields in the descriptors, possibly regenerating for old versions.

This process is similar to the process used to ensure backwards compatibility in Go.