I couldn't find any other reference except for the "// indirect" dependency
in go.mod. I think that line means we are forcing a newer but compatible
version of go-restful than we would naturally get through the kube client
dependency? I'm not very fluent in Go modules though, so if anyone else
knows…?

/MR

On Fri, 10 Feb 2023, 23:03 Jian Xue, <[email protected]> wrote:

> Thanks Matthias for the input, yes, I was expecting K8S client libraries
> would need go-restful, but if you look at the go-restful versions client-go
> and kube-openapi depend on, they are different from Prometheus's one,
> which is v2.16.0. It looks like Prometheus uses it somewhere under the
> hood, but I could not figure out that dependency chain yet.
>
> As to the trigger of this question, yeah, Tristan is right, a couple of
> vulnerabilities are reported on go-restful, and I want to know whether
> Prometheus is affected or not.
>
> Thanks
>
> BRs
> /Gavin
>
>
>
> On 11 Feb 2023, at 02:10, Tristan Colgate <[email protected]> wrote:
>
> 
> This is probably due to GitHub dependabot currently flagging a security
> issue with go-restful (I hit the same issue yesterday).
>
> On Fri, 10 Feb 2023 at 09:13, Matthias Rampke <[email protected]>
> wrote:
>
>> You are on the right track with go mod graph: go-restful is a dependency
>> of k8s.io/client-go and k8s.io/kube-openapi, so colloquially "the
>> Kubernetes client library". Prometheus uses it for service discovery,
>> fetching information about pods, endpoints, and services. From a cursory
>> look through github.com/kubernetes
>> <https://cs.github.com/?q=org%3Akubernetes+go-restful>,
>> it seems that it is only actually *called* on the kube-apiserver side,
>> so Prometheus should not encounter any of it, but don't take my word for it.
>>
>> I am curious now, can you share why you are interested in go-restful? 😄
>>
>> Best,
>> Matthias
>>
>>
>>
>> On Fri, Feb 10, 2023 at 9:59 AM Gavin <[email protected]> wrote:
>>
>>> Hello Prometheus team,
>>>
>>> May I ask a question about how Prometheus uses go-restful?
>>>
>>> We are using Prometheus 2.38.0 and from the binary, we can see
>>> go-restful is compiled.
>>>
>>> $ go version -m prometheus | grep go-restful
>>> dep github.com/emicklei/go-restful v2.16.0+incompatible h1:rgqiKNjTnFQA6kkhFe16D8epTksy9HQ1MyrbDXSdYhM=
>>>
>>> I did grep on Prometheus source code, and failed to find where
>>> go-restful is invoked, 'go mod why', 'go mod graph' and 'go list' don't
>>> help much either.
>>>
>>> prometheus $ [v2.38.0] [] $ go mod graph | grep go-restful
>>>
>>> github.com/prometheus/prometheus github.com/emicklei/go-restful@v2.16.0+incompatible
>>>
>>> k8s.io/[email protected] github.com/emicklei/go-restful@v2.9.5+incompatible
>>>
>>> k8s.io/[email protected] github.com/emicklei/go-restful@v0.0.0-20170410110728-ff4f55a20633
>>>
>>> It would be highly appreciated if you could pinpoint why/where
>>> go-restful is used.
>>>
>>> Thanks!
>>>
>>> BRs
>>>
>>> /Gavin
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Prometheus Developers" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/prometheus-developers/9c7b9160-b8ce-42cd-bf78-1d0ee48ed638n%40googlegroups.com
>>>
>>
>
>
> --
> Tristan Colgate-McFarlane
> ----
>
>
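
The version question raised in this thread, as an added example that is not part of the original messages or of Prometheus: it parses `go mod graph` output, lists which modules require go-restful, and picks the highest requested version, which is the one Go's minimal version selection puts in the build. The graph is a constructed sample; the k8s.io versions are placeholders, and which k8s.io module asks for which go-restful version is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed `go mod graph` sample ("requirer dependency" per line). The
// go-restful versions are those quoted in the thread; the k8s.io versions are
// placeholders and the pairing of requirer to version is assumed.
const sampleGraph = `github.com/prometheus/prometheus github.com/emicklei/go-restful@v2.16.0+incompatible
k8s.io/client-go@vPLACEHOLDER github.com/emicklei/go-restful@v2.9.5+incompatible
k8s.io/kube-openapi@vPLACEHOLDER github.com/emicklei/go-restful@v0.0.0-20170410110728-ff4f55a20633`

// rank orders versions by major.minor.patch only; suffixes such as
// "+incompatible" or a pseudo-version timestamp are ignored (not full semver).
func rank(v string) int {
	var major, minor, patch int
	fmt.Sscanf(v, "v%d.%d.%d", &major, &minor, &patch)
	return major*1_000_000 + minor*1_000 + patch
}

// Requirers maps every module that requires mod to the version it asks for.
func Requirers(graph, mod string) map[string]string {
	req := map[string]string{}
	for _, line := range strings.Split(graph, "\n") {
		f := strings.Fields(line)
		if len(f) == 2 && strings.HasPrefix(f[1], mod+"@") {
			req[f[0]] = strings.TrimPrefix(f[1], mod+"@")
		}
	}
	return req
}

// Selected returns the highest requested version and the module that asked
// for it: the version that ends up compiled into the binary.
func Selected(req map[string]string) (version, from string) {
	for r, v := range req {
		if version == "" || rank(v) > rank(version) {
			version, from = v, r
		}
	}
	return version, from
}

func main() {
	fmt.Println(Selected(Requirers(sampleGraph, "github.com/emicklei/go-restful")))
}
```

A module appearing in the build list only shows that it was selected for the build, not that its code is called; a call-graph check such as govulncheck is a separate step.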
