- What Grafana version and what operating system are you using?
Building from source using the latest tag (v10.2.0 as of 11/7/23) on Docker 4.25.0 on OSX 13.6.1
- What are you trying to achieve?
Grafana is currently built with the following:
replace go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp => go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.42.0
which contains several CVE’s:
These are resolved in otelhttp v0.44.0 and later. I’m attempting to resolve this by updating the replace statement to use otelhttp v0.44.0 (I have also tried v0.45.0 which is the latest)
replace go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp => go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.42.0
- How are you trying to achieve it?
Running docker build . -t in the source root after updating the go.mod file to reference the new otelhttp
- What happened?
Initially I received an error re: the package missing a reference in the go.sum file; adding an additional command to run:
RUN go mod tidy
prior to the
RUN go mod download
command in the Dockerfile resolves this issue but results in the following errors from the. wire gen step:
[29/31] RUN wire gen -tags oss ./pkg/server ./pkg/cmd/grafana-cli/runner:
14.17 wire: /tmp/grafana/pkg/server/module_server.go:12:2: could not import github.com/grafana/dskit/services (invalid package name: “”)
14.17 wire: /tmp/grafana/pkg/server/server.go:14:2: could not import The Go Programming Language (invalid package name: “”)
14.17 wire: /tmp/grafana/pkg/server/wire.go:10:2: could not import GitHub - google/wire: Compile-time Dependency Injection for Go (invalid package name: “”)
14.17 wire: /tmp/grafana/pkg/server/wire.go:12:16: could not import github.com/grafana/grafana-plugin-sdk-go/backend/httpclient (invalid package name: “”)
14.17 wire: generate failed
I’m quite new to Go and I’m afraid I’ve run into a wall trying to work around this issue to resolve the CVE’s.