Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Release 1.13] Bump github.com/go-jose/go-jose to v3.0.3 to fix CVE-2024-28180 #6857

Merged
merged 2 commits into from
Mar 15, 2024
Merged

[Release 1.13] Bump github.com/go-jose/go-jose to v3.0.3 to fix CVE-2024-28180 #6857

merged 2 commits into from
Mar 15, 2024

Conversation

wallrj
Copy link
Member

@wallrj wallrj commented Mar 14, 2024
edited

Porting #6854 to the release-1.13 branch:

To perform the upgrade I ran:

find . -name go.mod -execdir go get github.com/go-jose/go-jose/v3@v3.0.3 \;                                                              
make tidy

Testing

Before:

$ make trivy-scan-controller
...
  "Results": [
    {
      "Target": "_bin/containers/cert-manager-controller-linux-amd64.tar (debian 11.9)",
      "Class": "os-pkgs",
      "Type": "debian"
    },
    {
      "Target": "app/cmd/controller/controller",
      "Class": "lang-pkgs",
      "Type": "gobinary",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2024-28180",
          "PkgName": "github.com/go-jose/go-jose/v3",
          "InstalledVersion": "v3.0.1",
          "FixedVersion": "3.0.3",
...

After:

$ make trivy-scan-controller
...

$ echo $?
0

/kind cleanup

Bump github.com/go-jose/go-jose to v3.0.3 to fix CVE-2024-28180

@wallrj
Bump github.com/go-jose/go-jose to v3.0.3 to fix CVE-2024-28180
0b4cded 
find . -name go.mod -execdir go get github.com/go-jose/go-jose/v3@v3.0.3 \;
make tidy

Signed-off-by: Richard Wall <richard.wall@venafi.com>
@wallrj
make update-licenses
9b3d7ab 
 make vendor-go
 make update-licenses

Signed-off-by: Richard Wall <richard.wall@venafi.com>
@jetstack-bot jetstack-bot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. area/acme Indicates a PR directly modifies the ACME Issuer code area/testing Issues relating to testing size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Mar 14, 2024
@wallrj wallrj changed the title Bump github.com/go-jose/go-jose to v3.0.3 to fix CVE-2024-28180 [Release 1.13] Bump github.com/go-jose/go-jose to v3.0.3 to fix CVE-2024-28180 Mar 14, 2024
@inteon
Copy link
Member

inteon commented Mar 15, 2024

/approve
/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Mar 15, 2024
@jetstack-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: inteon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 15, 2024
@jetstack-bot jetstack-bot merged commit abb08d3 into cert-manager:release-1.13 Mar 15, 2024
7 checks passed
@wallrj wallrj deleted the release-1.13-bump-go-jose-CVE-2024-28180 branch March 15, 2024 08:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/acme Indicates a PR directly modifies the ACME Issuer code area/testing Issues relating to testing dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@wallrj @inteon @jetstack-bot