
Upgrade CNI plugins from v1.1.1 to v1.3.0 #5747

Merged

Conversation

antoninbas
Contributor

This will use a more recent build of the plugin binaries, and reduce the number of CVEs reported by security scanners.

This will use a more recent build of the plugin binaries, and reduce the
number of CVEs reported by security scanners.

Signed-off-by: Antonin Bas <abas@vmware.com>
@antoninbas
Contributor Author

Unfortunately, we can still get critical / high CVEs reported, because even this tag is not super recent and the binaries were built using an older Go version (1.20.4):

stdlib  go1.20.4  go-module  CVE-2023-39323  Critical
stdlib  go1.20.4  go-module  CVE-2023-29405  Critical
stdlib  go1.20.4  go-module  CVE-2023-29404  Critical
stdlib  go1.20.4  go-module  CVE-2023-29402  Critical
stdlib  go1.20.4  go-module  CVE-2023-44487  High
stdlib  go1.20.4  go-module  CVE-2023-39325  High
stdlib  go1.20.4  go-module  CVE-2023-29403  High
stdlib  go1.20.4  go-module  CVE-2023-39319  Medium
stdlib  go1.20.4  go-module  CVE-2023-39318  Medium
stdlib  go1.20.4  go-module  CVE-2023-29409  Medium
stdlib  go1.20.4  go-module  CVE-2023-29406  Medium

The only option would be to use our own build for the plugins that we use, which may be worth considering...
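The toolchain point above (stdlib CVEs follow the Go version the plugin binaries were built with, whatever the plugin tag is) can be verified directly on the vendored binaries instead of waiting for a scanner report. This is an added example, not Antrea or containernetworking/plugins code: it assumes the binaries carry standard Go build info and takes the minimum acceptable toolchain version as a command-line argument.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// parseGoVersion parses "go1.20.4" into [1 20 4]; "go1.21" and "go1.21rc1" both give [1 21 0].
func parseGoVersion(v string) (out [3]int, ok bool) {
	n, _ := fmt.Sscanf(v, "go%d.%d.%d", &out[0], &out[1], &out[2])
	return out, n >= 2 // major.minor is enough; patch defaults to 0
}

// OlderThan reports whether toolchain version a is strictly older than b.
func OlderThan(a, b string) (bool, error) {
	va, okA := parseGoVersion(a)
	vb, okB := parseGoVersion(b)
	if !okA || !okB {
		return false, fmt.Errorf("unrecognised Go version in %q or %q", a, b)
	}
	for i := range va {
		if va[i] != vb[i] {
			return va[i] < vb[i], nil
		}
	}
	return false, nil
}

// CheckBinary reads the build info the Go linker embeds in the binary at path
// and returns its toolchain version plus whether it predates minVersion.
func CheckBinary(path, minVersion string) (string, bool, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	old, err := OlderThan(bi.GoVersion, minVersion)
	return bi.GoVersion, old, err
}

func main() { // usage: go run . go1.20.10 /opt/cni/bin/*  (exits 1 if any binary is too old)
	failed := false
	for _, p := range os.Args[2:] {
		v, old, err := CheckBinary(p, os.Args[1])
		fmt.Printf("%s: built with %s, older than %s: %t, err: %v\n", p, v, os.Args[1], old, err)
		failed = failed || old || err != nil
	}
	if failed {
		os.Exit(1)
	}
}
```

A binary that reports no build info at all (or a "devel" toolchain) is flagged as a failure too, since its stdlib exposure cannot be determined.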

@antoninbas antoninbas added area/dependency Issues or PRs related to dependency changes. area/build-release Issues or PRs related to building and releasing labels Nov 27, 2023
@luolanzone luolanzone left a comment


LGTM

@wenyingd
Contributor

wenyingd commented Dec 1, 2023

Failed to build Windows image since the base-windows image does not exist with the new CNI binary. https://github.com/antrea-io/antrea/actions/runs/7010302755/job/19071011048?pr=5747

@luolanzone
Contributor

Failed to build Windows image since the base-windows image does not exist with the new CNI binary. https://github.com/antrea-io/antrea/actions/runs/7010302755/job/19071011048?pr=5747

@wenyingd Is the base Windows image maintained by Antrea? If yes, which part need to be updated for CNI upgrade?

@luolanzone
Contributor

I noticed there is already a PR to change the golang version containernetworking/plugins#982 two weeks ago, but no progress yet.

@wenyingd
Contributor

wenyingd commented Dec 1, 2023

@wenyingd Is the base Windows image maintained by Antrea? If yes, which part need to be updated for CNI upgrade?

Yes, it is maintained by Antrea, the Dockerfile is https://github.com/antrea-io/antrea/blob/main/build/images/base-windows/Dockerfile. I'm afraid it is not automatically updated according to the configuration changes, which means we may need to manually push the image? @XinShuYang @tnqn can confirm it.

@antoninbas
Contributor Author

@wenyingd I can build the image, we have a workflow for that

@antoninbas
Contributor Author

/test-all

@antoninbas antoninbas merged commit 313345a into antrea-io:main Dec 1, 2023
49 of 54 checks passed
@antoninbas antoninbas deleted the upgrade-cni-binaries-version-to-v1.3.0 branch December 1, 2023 19:51