Accepting request 1065931 from home:witekbedyk:branches:server:monitoring

- Update prometheus/exporter-toolkit to version 0.7.3
  (bsc#1208065, CVE-2022-46146)
- Require Go 1.19 or newer

OBS-URL: https://build.opensuse.org/request/show/1065931
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/grafana?expand=0&rev=95

0002-Update-exporter-toolkit-to-version-0.7.3.patch

@@ -0,0 +1,23 @@
+From: Witek Bedyk <witold.bedyk@suse.com>
+Subject: [PATCH] Update exporter-toolkit to version 0.7.3
+
+---
+ go.mod | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/go.mod b/go.mod
+index 2572cebe7e..91829bc695 100644
+--- a/go.mod
++++ b/go.mod
+@@ -218,7 +218,7 @@ require (
+ 	github.com/opentracing-contrib/go-stdlib v1.0.0 // indirect
+ 	github.com/pmezard/go-difflib v1.0.0 // indirect
+ 	github.com/prometheus/common/sigv4 v0.1.0 // indirect
+-	github.com/prometheus/exporter-toolkit v0.7.0 // indirect
++	github.com/prometheus/exporter-toolkit v0.7.3 // indirect
+ 	github.com/prometheus/node_exporter v1.0.0-rc.0.0.20200428091818-01054558c289 // indirect
+ 	github.com/prometheus/procfs v0.7.3 // indirect
+ 	github.com/protocolbuffers/txtpbfmt v0.0.0-20201118171849-f6a6b3f636fc // indirect
+-- 
+2.35.3
+

Makefile

@@ -24,7 +24,12 @@ tar:
 	cd $$basename && \
 	# Patches for the JS frontend go after here \
 	patch --no-backup-if-mismatch -p1 -i ../../0001-Add-source-code-reference.patch && \
+	patch --no-backup-if-mismatch -p1 -i ../../0002-Update-exporter-toolkit-to-version-0.7.3.patch && \
 	# End patches section \
+	go mod download && \
+	go mod verify && \
+	go mod vendor && \
+	tar --format=posix -cf ../../vendor.tar vendor && \
 	# avoid ".git can't be found" \
 	git init && \
 	# avoid "FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory" \
@@ -36,4 +41,5 @@ tar:
 	tar -rf ../$$tar $$basename/public && \
 	cd .. && \
 	gzip $$tar && \
+	gzip -f vendor.tar && \
 	rm -rf $$tmpdir

_service

@@ -15,5 +15,4 @@
   <service name="set_version" mode="disabled">
     <param name="basename">grafana</param>
   </service>
-  <service name="go_modules" mode="disabled"/>
 </services>

grafana-8.5.20.tar.gz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:5250d3fa4a312d88dd1f5e2554043f70e403e6adaee92ecc40307d7f9ecf9243
-size 51575837
+oid sha256:6834e2b3b963b145af8f908d235c0845e72e8d4af2f04bde6c7cd8641a10cf38
+size 72011745

grafana.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Feb 15 08:35:28 UTC 2023 - Witek Bedyk <witold.bedyk@suse.com>
+
+- Add 0002-Update-exporter-toolkit-to-version-0.7.3.patch
+  (bsc#1208065, CVE-2022-46146)
+- Require Go 1.19 or newer
+
 -------------------------------------------------------------------
 Mon Feb 06 09:12:33 UTC 2023 - witold.bedyk@suse.com
 

grafana.spec

@@ -36,11 +36,13 @@ Source3:        README
 # Makefile to automate build process
 Source4:        Makefile
 Source5:        0001-Add-source-code-reference.patch
+# CVE-2022-46146 bsc#1208065
+Patch0:         0002-Update-exporter-toolkit-to-version-0.7.3.patch
 BuildRequires:  fdupes
 BuildRequires:  git-core
 BuildRequires:  golang-packaging
 BuildRequires:  wire
-BuildRequires:  golang(API) >= 1.17
+BuildRequires:  golang(API) >= 1.19
 Requires(post): %fillup_prereq
 Requires:       group(grafana)
 Requires:       user(grafana)
@@ -61,6 +63,7 @@ dashboards and data with teams.
 %prep
 %setup -q -n grafana-%{version}
 %setup -q -T -D -a 1 -n grafana-%{version}
+%patch0 -p1
 
 %build
 %goprep github.com/grafana/grafana

vendor.tar.gz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:e1085edc2bb688d98424321e77970b4beaa211a54a4242b04765df7f10c5c30e
-size 19677383
+oid sha256:a418f8ec6a2ac62838fe0a2707b4e547136ba2adac93fd06d2f35acdc012cc8f
+size 20406957