ContextQMD
Back to Loki

Patch vulnerabilities

docs/sources/community/maintaining/release/patch-vulnerabilities.md

3.7.11.7 KB
Original Source

Patch vulnerabilities

This step patches vulnerabilities in Grafana Loki binaries and Docker images.

Before you begin

  1. Determine the VERSION_PREFIX.

Vulnerabilities can be from two main sources.

  1. Grafana Loki source code.

  2. Grafana Loki dependencies.

Grafana Loki dependencies can be

  1. Go dependencies in go.mod

  2. The Go compiler itself

  3. Grafana Loki Docker dependencies, for example, the base images

Before start patching vulnerabilities, know what are you patching. It can be one or more from sources mentioned above. Use #security-go, #security slack channels to clarify.

Steps

  1. Patch Grafana Loki source code.

    Means, there are vulnerabilities in Grafana Loki source code itself.

    1. Patch it on main branch

    2. Backport to release-$VERSION_PREFIX branch.

  2. Patch Go dependencies.

    1. Pick all the Go dependencies that need to be patched.

    2. Check if dependabot already patched the dependency or have a PR opened to patch . If not, manually upgrade the package on the main branch as follows.

      shell
      go get -u -v <PACKAGE_PATH>@<PATCHED_VERSION>
go mod tidy
go mod vendor

    3. Backport it to release-$VERSION_PREFIX branch.

    4. Repeat for each Go dependency

  3. Patch Go compiler.

  4. Patch Grafana Loki Docker dependencies, for example: Alphine Linux base images).

    1. Update Docker image version. Example PR.

    2. Backport to release-$VERSION_PREFIX branch