
build: bump vulnerable Go dependencies on release-8.5 #1132
Open
vtatai wants to merge 2 commits into pingcap:release-8.5 from vtatai:github/release-8.5-vuln-version-bumps

Conversation

vtatai commented Jun 24, 2026

Summary

This PR updates the release-8.5 branch to consume newer Prometheus / OpenTelemetry / Go networking dependencies needed to address vulnerability findings in downstream TiDB monitor reloader images.

The main driver is CVE-2026-39883, reported against go.opentelemetry.io/otel/sdk via the Prometheus dependency chain. The fixed version required by our scanner is newer than the version currently pulled by github.com/prometheus/prometheus v0.55.1, so this bumps Prometheus and related modules.

Changes

  • Bump github.com/prometheus/prometheus to v0.312.0
  • Bump OpenTelemetry modules to v1.44.0
  • Bump Go networking/security modules:
    • golang.org/x/crypto
    • golang.org/x/net
  • Update rulefmt.Parse call sites for the newer Prometheus API:
    • pkg/operator/rules.go
    • reload/server/bizlogic/server.go

Why this is needed

Downstream TiDB monitor reloader images built from this branch are being flagged for CVE-2026-39883 through the Prometheus/OpenTelemetry dependency chain.

Updating only direct OpenTelemetry modules is not enough because the affected dependency path is pulled through Prometheus. Bumping Prometheus brings in the newer compatible OpenTelemetry stack and requires small source compatibility updates for the changed rulefmt API.

Validation

  • go test ./reload/... ./pkg/operator/...
  • git diff --check
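A version-floor check added here as an illustration (not code from this PR or from the pingcap/monitoring project): it scans a constructed go.mod excerpt for the modules the PR bumps and reports any still pinned below the fixed versions, comparing numerically so that v0.55.1 correctly sorts below v0.312.0 (a string compare would rank it higher). The `minVersions` map, the `Outdated` and `below` functions and the sample go.mod are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Fixed versions this PR moves release-8.5 to (from the PR description); assumed floors.
var minVersions = map[string]string{
	"github.com/prometheus/prometheus": "v0.312.0",
	"go.opentelemetry.io/otel/sdk":     "v1.44.0",
}

// Constructed go.mod excerpt for the check: Prometheus is still at the pre-bump version.
const sampleGoMod = `require (
	github.com/prometheus/prometheus v0.55.1
	go.opentelemetry.io/otel/sdk v1.44.0
)`

// parts turns "v1.2.3" (a trailing -pre or +build suffix is ignored) into [1 2 3].
func parts(v string) (p [3]int) {
	fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &p[0], &p[1], &p[2])
	return p
}

// below compares numerically, so v0.55.1 < v0.312.0; a plain string compare gets this wrong.
func below(a, b string) bool {
	pa, pb := parts(a), parts(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// Outdated scans "path vX.Y.Z" lines of a go.mod and returns "module have < want" for each pinned module below its floor.
func Outdated(goMod string) []string {
	var bad []string
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || !strings.HasPrefix(f[1], "v") {
			continue
		}
		if want, ok := minVersions[f[0]]; ok && below(f[1], want) {
			bad = append(bad, f[0]+" "+f[1]+" < "+want)
		}
	}
	return bad
}
```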

ti-chi-bot Bot commented Jun 24, 2026

Welcome @vtatai! It looks like this is your first PR to pingcap/monitoring 🎉

pingcap-cla-assistant Bot commented Jun 24, 2026

CLA assistant check
All committers have signed the CLA.

@ti-chi-bot ti-chi-bot Bot added the size/XL label Jun 24, 2026
ti-chi-bot Bot commented Jun 25, 2026

@dveeden: adding LGTM is restricted to approvers and reviewers in OWNERS files.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

dveeden commented Jun 25, 2026

Could you make sure the CLA is signed?

dveeden commented Jun 25, 2026

govulncheck isn't happy about some things. Could you check the ones related to the rules?

$ govulncheck ./...
govulncheck: loading packages: 
There are errors with the provided package patterns:

/home/dvaneeden/dev/pingcap/monitoring/cmd/main.go:94:6: main redeclared in this block
/home/dvaneeden/dev/pingcap/monitoring/cmd/CRD.go:21:6: 	other declaration of main
/home/dvaneeden/dev/pingcap/monitoring/cmd/monitoring.go:74:6: main redeclared in this block
/home/dvaneeden/dev/pingcap/monitoring/cmd/CRD.go:21:6: 	other declaration of main
/home/dvaneeden/dev/pingcap/monitoring/cmd/main.go:422:39: not enough arguments in call to rulefmt.Parse
	have ([]byte)
	want ([]byte, bool, model.ValidationScheme, "github.com/prometheus/prometheus/promql/parser".Parser, *slog.Logger)
/home/dvaneeden/dev/pingcap/monitoring/cmd/main.go:432:14: cannot use make([]rulefmt.RuleNode, 0, len(group.Rules)) (value of type []rulefmt.RuleNode) as []rulefmt.Rule value in struct literal
/home/dvaneeden/dev/pingcap/monitoring/cmd/main.go:455:36: cannot use rule (variable of struct type rulefmt.RuleNode) as rulefmt.Rule value in argument to append

For details on package patterns, see https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns.

tennix (Member) left a comment

LGTM

ti-chi-bot Bot commented Jun 25, 2026

@tennix: adding LGTM is restricted to approvers and reviewers in OWNERS files.

Details

In response to this:

LGTM

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

ti-chi-bot Bot commented Jun 25, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dveeden, tennix
Once this PR has been reviewed and has the lgtm label, please assign fgksgf for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

csuzhangxc (Member) commented

govulncheck isn't happy about some things. Could you check the ones related to the rules?

$ govulncheck ./...
govulncheck: loading packages: 
There are errors with the provided package patterns:

/home/dvaneeden/dev/pingcap/monitoring/cmd/main.go:94:6: main redeclared in this block
/home/dvaneeden/dev/pingcap/monitoring/cmd/CRD.go:21:6: 	other declaration of main
/home/dvaneeden/dev/pingcap/monitoring/cmd/monitoring.go:74:6: main redeclared in this block
/home/dvaneeden/dev/pingcap/monitoring/cmd/CRD.go:21:6: 	other declaration of main
/home/dvaneeden/dev/pingcap/monitoring/cmd/main.go:422:39: not enough arguments in call to rulefmt.Parse
	have ([]byte)
	want ([]byte, bool, model.ValidationScheme, "github.com/prometheus/prometheus/promql/parser".Parser, *slog.Logger)
/home/dvaneeden/dev/pingcap/monitoring/cmd/main.go:432:14: cannot use make([]rulefmt.RuleNode, 0, len(group.Rules)) (value of type []rulefmt.RuleNode) as []rulefmt.Rule value in struct literal
/home/dvaneeden/dev/pingcap/monitoring/cmd/main.go:455:36: cannot use rule (variable of struct type rulefmt.RuleNode) as rulefmt.Rule value in argument to append

For details on package patterns, see https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns.

I think this should be fixed @vtatai

The prometheus v0.55->v0.312 bump changed the rulefmt.Parse signature and
RuleNode->Rule (plain string fields). cmd/main.go was not updated, causing
the govulncheck/compile failure reported in review. Also fixes a latent
RuleNode cast in pkg/operator/rules.go that would panic at runtime.
dveeden commented Jun 29, 2026

Now it reports this, which should be ignored:

$ govulncheck ./...
govulncheck: loading packages: 
There are errors with the provided package patterns:

/home/dvaneeden/dev/pingcap/monitoring/cmd/main.go:96:6: main redeclared in this block
/home/dvaneeden/dev/pingcap/monitoring/cmd/CRD.go:21:6: 	other declaration of main
/home/dvaneeden/dev/pingcap/monitoring/cmd/monitoring.go:74:6: main redeclared in this block
/home/dvaneeden/dev/pingcap/monitoring/cmd/CRD.go:21:6: 	other declaration of main

For details on package patterns, see https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns.

So this issue is solved now.

vtatai (Author) commented Jun 29, 2026

@dveeden I've signed the CLA, but the check is still flagging it?

vtatai (Author) commented Jun 30, 2026

@CLAassistant check

dveeden commented Jul 1, 2026

@vtatai did you sign it with the exact same email as what you're using for GitHub?

Update: Looks like it is ok now. It now needs more approvals.

dveeden commented Jul 1, 2026

/cc @wuhuizuo

@ti-chi-bot ti-chi-bot Bot requested a review from wuhuizuo July 1, 2026 07:14