# Patch vulnerabilities

This step patches vulnerabilities in Grafana Loki binaries and Docker images.

## Before you begin

- Determine the `VERSION_PREFIX`.

Vulnerabilities can come from two main sources:

- Grafana Loki source code.
- Grafana Loki dependencies.

Grafana Loki dependencies can be:

- Go dependencies in `go.mod`
- The Go compiler itself
- Grafana Loki Docker dependencies, for example, the base images

Before you start patching vulnerabilities, know what you are patching. It can be one or more of the sources mentioned above. Use the `#security-go` and `#security` Slack channels to clarify.

## Steps

1. Patch Grafana Loki source code. This means there are vulnerabilities in the Grafana Loki source code itself.
   1. Patch it on the `main` branch.
   2. Backport to the `release-$VERSION_PREFIX` branch.

2. Patch Go dependencies.
   1. Pick all the Go dependencies that need to be patched.
   2. Check if dependabot has already patched the dependency or has a PR open to patch it. If not, manually upgrade the package on the `main` branch as follows:

      ```bash
      go get -u -v <package-path>@<patched-version>
      go mod tidy
      go mod vendor
      ```

   3. Backport it to the `release-$VERSION_PREFIX` branch.
   4. Repeat for each Go dependency.

3. Patch Grafana Loki Docker dependencies (for example, Alpine Linux base images).
   1. Update the Docker image version. Example PR.
   2. Backport to the `release-$VERSION_PREFIX` branch.
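The Go-dependency step above first asks whether a dependency still needs the patched version before running the upgrade. The following shell script is an added example, not Loki's own tooling: `required_version`, `version_lt`, `needs_patch` and `patch_go_dep` are names chosen here, the `go.mod` it reads is a constructed sample, and pre-release suffixes in versions are ignored for the comparison.

```bash
#!/bin/sh
# Added example (not part of the Loki release docs): decide whether a Go
# dependency in go.mod is still below the patched version, then apply the
# page's upgrade steps (go get / go mod tidy / go mod vendor).
set -eu

# Constructed sample go.mod; module names and versions are made up.
SAMPLE_GOMOD="${TMPDIR:-/tmp}/sample_go.mod.$$"
printf '%s\n' \
  'module github.com/grafana/loki' \
  '' \
  'go 1.21' \
  '' \
  'require (' \
  '	github.com/example/vulnlib v1.3.0' \
  '	golang.org/x/sys v0.12.0 // indirect' \
  ')' > "$SAMPLE_GOMOD"

# Print the version go.mod currently requires for a module path (empty if absent).
# Handles both "require (...)" blocks and single-line "require <mod> <ver>".
required_version() {
  awk -v mod="$2" '
    $1 == mod && $2 != "=>" { print $2; exit }
    $1 == "require" && $2 == mod { print $3; exit }' "$1"
}

# Exit 0 if version $1 is lower than $2 (vMAJOR.MINOR.PATCH; suffixes dropped).
version_lt() {
  a=$(printf '%s' "$1" | sed 's/^v//; s/[-+].*//')
  b=$(printf '%s' "$2" | sed 's/^v//; s/[-+].*//')
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
  return 1
}

# Exit 0 when go.mod ($1) lacks module $2 or pins it below patched version $3.
needs_patch() {
  cur=$(required_version "$1" "$2")
  [ -z "$cur" ] && return 0
  version_lt "$cur" "$3"
}

# The upgrade commands from the page; run on a checked-out main branch.
patch_go_dep() {
  go get -u -v "$1@$2"
  go mod tidy
  go mod vendor
}
```

Run `needs_patch go.mod <package-path> <patched-version> && patch_go_dep <package-path> <patched-version>` from the repository root; if dependabot already raised the version, nothing is touched.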