Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

versions: Bump golang #1728

Merged
merged 3 commits into from
Mar 12, 2024
Merged

versions: Bump golang #1728

merged 3 commits into from
Mar 12, 2024

Conversation

stevenhorsman
Copy link
Member

@stevenhorsman stevenhorsman mentioned this pull request Mar 6, 2024
Merged
@mkulke mkulke mentioned this pull request Mar 6, 2024
Merged
@stevenhorsman stevenhorsman force-pushed the bump-go-1.21.8 branch 2 times, most recently from f24f08e to fcc2e39 Compare March 6, 2024 13:30
@liudalibj
Copy link
Member

liudalibj commented Mar 7, 2024
edited

@stevenhorsman to fix the error from govulncheck for csi-wrapper please try follow

volumes/csi-wrapper
go get github.com/golang/protobuf@v1.5.4
go mod tidy

the output looks like:

go: downloading github.com/golang/protobuf v1.5.4
go: downloading google.golang.org/protobuf v1.33.0
go: module github.com/golang/protobuf is deprecated: Use the "google.golang.org/protobuf" module instead.
go: upgraded github.com/golang/protobuf v1.5.3 => v1.5.4
go: upgraded google.golang.org/protobuf v1.30.0 => v1.33.0

After this

cd ../../
make govulncheck
./hack/govulncheck.sh -v
Found the following Go modules:
  ./webhook
  ./peerpod-ctrl
  ./volumes/csi-wrapper
  .
  ./podvm
  ./peerpodconfig-ctrl

Excluded the following Go modules because they are gitignored:

Checking 6 Go modules:
  ./webhook
  ./peerpod-ctrl
  ./volumes/csi-wrapper
  .
  ./podvm
  ./peerpodconfig-ctrl

=============./webhook
Scanning your code and 587 packages across 70 dependent modules for known vulnerabilities...

=== Symbol Results ===

No vulnerabilities found.

Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
=============./peerpod-ctrl
Scanning your code and 681 packages across 76 dependent modules for known vulnerabilities...

=== Symbol Results ===

No vulnerabilities found.

Your code is affected by 0 vulnerabilities.
This scan also found 1 vulnerability in packages you import and 5
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
=============./volumes/csi-wrapper
Scanning your code and 466 packages across 52 dependent modules for known vulnerabilities...

No vulnerabilities found.
=============.
Scanning your code and 1054 packages across 145 dependent modules for known vulnerabilities...

=== Symbol Results ===

No vulnerabilities found.

Your code is affected by 0 vulnerabilities.
This scan also found 1 vulnerability in packages you import and 6
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
=============./podvm
No packages matching the provided pattern.

No vulnerabilities found.
=============./peerpodconfig-ctrl
Scanning your code and 587 packages across 60 dependent modules for known vulnerabilities...

=== Symbol Results ===

No vulnerabilities found.

Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.

@stevenhorsman
Copy link
Member Author

The golvuln is fixed now, but we are hitting typecheck errors in the linting check now, I guess due to differences in the package we've upgraded, so I'll dig into those more when I get a chance later.

bpradipt
bpradipt approved these changes Mar 7, 2024
View reviewed changes
Copy link
Member

@bpradipt bpradipt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@stevenhorsman
Copy link
Member Author

@liudalibj - I wonder if you can help with the issues I'm seeing on this PR now. After doing your suggested changes the govuln is clean, but I get thousands of lint errors now as some of them are in the generated csi-wrapper code I tried re-running go mod vendor and ./examples/update-codegen.sh but they don't seem to make any difference. Do you have any ideas?

@liudalibj
Copy link
Member

@liudalibj - I wonder if you can help with the issues I'm seeing on this PR now. After doing your suggested changes the govuln is clean, but I get thousands of lint errors now as some of them are in the generated csi-wrapper code I tried re-running go mod vendor and ./examples/update-codegen.sh but they don't seem to make any difference. Do you have any ideas?

I will take a look on this issue today.

stevenhorsman and others added 2 commits March 12, 2024 11:07
@stevenhorsman @liudalibj
versions: Bump golang
58d8124 
Bump to go 1.21.8 to resolve CVEs:
- https://pkg.go.dev/vuln/GO-2024-2600
- https://pkg.go.dev/vuln/GO-2024-2599
- https://pkg.go.dev/vuln/GO-2024-2598
- https://pkg.go.dev/vuln/GO-2024-2610

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
@stevenhorsman @liudalibj
csi-wrapper/versions: Bump google.golang.org/protobuf
6290099 
- Bump google.golang.org/protobuf dependency to 1.33
to fix:
- https://pkg.go.dev/vuln/GO-2024-2611

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Co-authored-by: Da Li Liu <liudali@cn.ibm.com>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
@liudalibj
golintci: bump version to 1.56.2
67f6fa6 
try to fix go lint issue

Signed-off-by: Da Li Liu <liudali@cn.ibm.com>
liudalibj
liudalibj approved these changes Mar 12, 2024
View reviewed changes
Copy link
Member

@liudalibj liudalibj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@liudalibj
Copy link
Member

@liudalibj - I wonder if you can help with the issues I'm seeing on this PR now. After doing your suggested changes the govuln is clean, but I get thousands of lint errors now as some of them are in the generated csi-wrapper code I tried re-running go mod vendor and ./examples/update-codegen.sh but they don't seem to make any difference. Do you have any ideas?

I will take a look on this issue today.

@stevenhorsman the lint issue is fixed by using the latest golint version 1.56.2, please double check and continue.

@stevenhorsman
Copy link
Member Author

@stevenhorsman the lint issue is fixed by using the latest golint version 1.56.2, please double check and continue.

Thanks so much - I was obviously following red herrings looking at the generated code!

@stevenhorsman stevenhorsman merged commit eeb3184 into confidential-containers:main Mar 12, 2024
18 checks passed
@stevenhorsman stevenhorsman deleted the bump-go-1.21.8 branch March 12, 2024 09:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mkulke mkulke mkulke approved these changes

@bpradipt bpradipt bpradipt approved these changes

@liudalibj liudalibj liudalibj approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@stevenhorsman @liudalibj @mkulke @bpradipt