Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[0.11.x] Bump deps and go version for CVE fixes #1411

Merged
merged 3 commits into from
Nov 23, 2023
Merged

[0.11.x] Bump deps and go version for CVE fixes #1411

merged 3 commits into from
Nov 23, 2023

Conversation

chenbh
Copy link
Contributor

@chenbh chenbh commented Nov 23, 2023

There's still 2 CVEs left, but bumping them is non-trivial and IMO not worth the hassle

┌───────────────────────────────┬─────────────────────┬──────────┬────────┬─────────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│            Library            │    Vulnerability    │ Severity │ Status │  Installed Version  │ Fixed Version │                         Title                          │
├───────────────────────────────┼─────────────────────┼──────────┼────────┼─────────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ github.com/docker/docker      │ GHSA-jq35-85cj-fj4p │ MEDIUM   │ fixed  │ 23.0.4+incompatible │ 24.0.7        │ /sys/devices/virtual/powercap accessible by default to │
│                               │                     │          │        │                     │               │ containers                                             │
│                               │                     │          │        │                     │               │ https://github.com/advisories/GHSA-jq35-85cj-fj4p      │
├───────────────────────────────┼─────────────────────┼──────────┤        ├─────────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ github.com/sigstore/cosign/v2 │ CVE-2023-46737      │ LOW      │        │ 2.0.2               │ 2.2.1         │ cosign: potential denial of service by an              │
│                               │                     │          │        │                     │               │ attacker-controlled registry                           │
│                               │                     │          │        │                     │               │ https://avd.aquasec.com/nvd/cve-2023-46737             │
└───────────────────────────────┴─────────────────────┴──────────┴────────┴─────────────────────┴───────────────┴────────────────────────────────────────────────────────┘
  • github.com/docker/docker: Only affects docker daemon, we're using it as a library
  • github.com/sigstore/cosign/v2: Bumping this requires k8s api v0.28, which is something we're not doing in a patch release

@chenbh chenbh requested a review from a team as a code owner November 23, 2023 16:56
@chenbh
setup go toolchain for unit test workflow
6ce0bc7 
i think we were relying on the go toolchain available inside the runner
image, which could be out of date. Instead we should use the setup-go
action which should have the latest version of the toolchain

Signed-off-by: Bohan Chen <bohanc@vmware.com>
@chenbh
add setup-go action to the pack-build action
02070cd 
otherwise it'll use the system toolchain to run report.go, which will
fail when it encounters the new `toolchain` directive in the root go.mod

Signed-off-by: Bohan Chen <bohanc@vmware.com>
@codecov-commenter
Copy link

codecov-commenter commented Nov 23, 2023
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (ed579c9) 67.83% compared to head (8bf16f2) 67.83%.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files 
@@               Coverage Diff                @@
##           release/v0.11.x    #1411   +/-   ##
================================================
  Coverage            67.83%   67.83%           
================================================
  Files                  132      132           
  Lines                 8071     8071           
================================================
  Hits                  5475     5475           
  Misses                2166     2166           
  Partials               430      430

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@chenbh
bump deps and go version due to cves
8bf16f2 
Signed-off-by: Bohan Chen <bohanc@vmware.com>
@chenbh chenbh merged commit fb80b5b into release/v0.11.x Nov 23, 2023
15 checks passed
@chenbh chenbh deleted the 0-11-4-dep-bump branch November 23, 2023 20:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tomkennedy513 tomkennedy513 tomkennedy513 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@chenbh @codecov-commenter @tomkennedy513