Thanks, Matthias, for the input. Yes, I was expecting the K8S client libraries would need go-restful, but if you look at the go-restful versions client-go and kube-openapi depend on, they are different from Prometheus’s one, which is v2.16.0. It looks like Prometheus uses it somewhere under the hood, but I could not figure out that dependency chain yet.

As to the trigger of this question, yeah, Tristan is right: a couple of vulnerabilities are reported on go-restful, and I want to know whether Prometheus is affected or not.

Thanks 

BRs
/Gavin



On 11 Feb 2023, at 02:10, Tristan Colgate <tcolg...@gmail.com> wrote:


This is probably due to GitHub dependabot currently flagging a security issue with go-restful (I hit the same issue yesterday).

On Fri, 10 Feb 2023 at 09:13, Matthias Rampke <matth...@prometheus.io> wrote:
You are on the right track with go mod graph: go-restful is a dependency of k8s.io/client-go and k8s.io/kube-openapi, so colloquially "the Kubernetes client library". Prometheus uses it for service discovery, fetching information about pods, endpoints, and services. From a cursory look through github.com/kubernetes, it seems that it is only actually called on the kube-apiserver side, so Prometheus should not encounter any of it, but don't take my word for it.

I am curious now, can you share why you are interested in go-restful? 😄

Best,
Matthias



On Fri, Feb 10, 2023 at 9:59 AM Gavin <gavine...@gmail.com> wrote:

Hello Prometheus team,

May I ask a question about how Prometheus uses go-restful?

We are using Prometheus 2.38.0 and from the binary, we can see go-restful is compiled.

$ go version -m prometheus | grep go-restful
      dep   github.com/emicklei/go-restful      v2.16.0+incompatible    h1:rgqiKNjTnFQA6kkhFe16D8epTksy9HQ1MyrbDXSdYhM=

I grepped the Prometheus source code and failed to find where go-restful is invoked; 'go mod why', 'go mod graph' and 'go list' don't help much either.

prometheus $ [v2.38.0] [] $ go mod graph |grep go-restful
github.com/prometheus/prometheus github.com/emicklei/go-restful@v2.16.0+incompatible
k8s.io/client-go@v0.24.3 github.com/emicklei/go-restful@v2.9.5+incompatible
k8s.io/kube-openapi@v0.0.0-20220328201542-3ee0da9b0b42 github.com/emicklei/go-restful@v0.0.0-20170410110728-ff4f55a20633

It would be highly appreciated if you could pinpoint why/where go-restful is used.

Thanks!

BRs

/Gavin

--
You received this message because you are subscribed to the Google Groups "Prometheus Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to prometheus-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-developers/9c7b9160-b8ce-42cd-bf78-1d0ee48ed638n%40googlegroups.com.



--
Tristan Colgate-McFarlane
----
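
Added example, not part of the thread: a small Go program that reads `go mod graph` output and prints the shortest requirement chain leading to each version of a module, here go-restful. The sample graph is constructed: the three go-restful edges are the ones quoted above, and the two edges tying Prometheus to client-go and client-go to kube-openapi are assumed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample of `go mod graph` output: the go-restful edges come from
// the thread, the client-go and kube-openapi linking edges are assumed.
const sampleGraph = `github.com/prometheus/prometheus k8s.io/client-go@v0.24.3
github.com/prometheus/prometheus github.com/emicklei/go-restful@v2.16.0+incompatible
k8s.io/client-go@v0.24.3 k8s.io/kube-openapi@v0.0.0-20220328201542-3ee0da9b0b42
k8s.io/client-go@v0.24.3 github.com/emicklei/go-restful@v2.9.5+incompatible
k8s.io/kube-openapi@v0.0.0-20220328201542-3ee0da9b0b42 github.com/emicklei/go-restful@v0.0.0-20170410110728-ff4f55a20633
`

// chains walks the graph breadth-first from root and returns, for each version
// of target it reaches, the shortest requirement chain leading to it.
func chains(graph, root, target string) [][]string {
	adj := map[string][]string{} // "module@version" -> modules it requires
	sc := bufio.NewScanner(strings.NewReader(graph))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 2 {
			adj[f[0]] = append(adj[f[0]], f[1])
		}
	}
	paths := map[string][]string{root: {root}} // shortest chain to each visited node
	var out [][]string
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		n := queue[0]
		if strings.HasPrefix(n, target+"@") {
			out = append(out, paths[n])
		}
		for _, m := range adj[n] {
			if _, seen := paths[m]; !seen {
				paths[m] = append(append([]string{}, paths[n]...), m)
				queue = append(queue, m)
			}
		}
	}
	return out
}

func main() {
	for _, p := range chains(sampleGraph, "github.com/prometheus/prometheus", "github.com/emicklei/go-restful") {
		fmt.Println(strings.Join(p, " -> "))
	}
}
```

A chain in the module graph only shows that a version is required, not that any go-restful code is called; `govulncheck ./...` reports whether a vulnerable symbol is reachable from the build.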
