apitech
/
loki
mirror of https://github.com/grafana/loki
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Like Prometheus, but for logs.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6340 Commits
1071 Branches
354 Tags
720 MiB
Tag: Branch: Tree: 36e3d7ea61
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '36e3d7ea61'
${ noResults }
loki/docs/sources/community/maintaining/release/patch-vulnerabilities.md

61 lines
1.9 KiB
Raw Normal View History Unescape

doc: Add patching vulnerabilities step on release doc (#10710) **What this PR does / why we need it**: Follow up to other release related docs #10646 https://github.com/grafana/loki/pull/10676 Goal is make the doc complete for all type of Loki releases. Stable/Patch/Security releases. Changes: 1. Two new docs a. Patch-Vulnerabilities Overview - patching go dependencies, Go compiler and Docker images b. Patch-Go-Version - How to patch Go version on both loki build image and loki binaries. 2. Renamed files to remove number prefix on the file name e.g: `1-create-release-branch` to just `create-release-branch`. Makes it easy to add more docs without much change. **Which issue(s) this PR fixes**: Fixes #<issue number> **Special notes for your reviewer**: Follow up to other release related docs #10646 https://github.com/grafana/loki/pull/10676 **Checklist** - [x] Reviewed the [`CONTRIBUTING.md`](https://github.com/grafana/loki/blob/main/CONTRIBUTING.md) guide (**required**) - [x] Documentation added --------- Signed-off-by: Kaviraj <kavirajkanagaraj@gmail.com>
2 years ago
---
title: Patch vulnerabilities
description: Describes the procedure how to patch Loki to mitigate vulnerabilities.
---
# Patch vulnerabilities
This step patches vulnerabilities in Grafana Loki binaries and Docker images.
## Before you begin
1. Determine the [VERSION_PREFIX]({{< relref "./concepts/version" >}}).
Vulnerabilities can be from two main sources.
1. Grafana Loki source code.
1. Grafana Loki dependencies.
Grafana Loki dependencies can be
1. Go dependencies in `go.mod`
1. The Go compiler itself
1. Grafana Loki Docker dependencies, for example, the base images
Before start patching vulnerabilities, know what are you patching. It can be one or more from sources mentioned above. Use `#security-go`, `#security` slack channels to clarify.
## Steps
1. Patch Grafana Loki source code.
Means, there are vulnerabilities in Grafana Loki source code itself.
1. Patch it on `main` branch
1. [Backport]({{< relref "./backport-commits" >}}) to `release-$VERSION_PREFIX` branch.
1. Patch Go dependencies.
1. Pick all the Go dependencies that need to be patched.
1. Check if [dependabot already patched the dependency](https://github.com/grafana/loki/pulls?q=is%3Apr+label%3Adependencies+is%3Aclosed) or [have a PR opened to patch](https://github.com/grafana/loki/pulls?q=is%3Apr+is%3Aopen+label%3Adependencies) . If not, manually upgrade the package on the `main` branch as follows.
```shell
go get -u -v <package-path>@<patched-version>
go mod tidy
go mod vendor
```
1. [Backport]({{< relref "./backport-commits" >}}) it to `release-$VERSION_PREFIX` branch.
1. Repeat for each Go dependency
1. [Patch Go compiler]({{< relref "./patch-go-version" >}}).
1. Patch Grafana Loki Docker dependencies, for example: Alphine Linux base images).
1. Update Docker image version. [Example PR](https://github.com/grafana/loki/pull/10573).
1. [Backport]({{< relref "./backport-commits" >}}) to `release-$VERSION_PREFIX` branch