diff --git a/build/components/versions.yml b/build/components/versions.yml index ad14209056..89a1b119d5 100644 --- a/build/components/versions.yml +++ b/build/components/versions.yml @@ -3,8 +3,8 @@ firmware: libvirt: v10.9.0 edk2: stable202411 core: - 3p-kubevirt: v1.3.1-v12n.15 - 3p-containerized-data-importer: v1.60.3-v12n.10 + 3p-kubevirt: v1.3.1-v12n.17 + 3p-containerized-data-importer: v1.60.3-v12n.11 distribution: 2.8.3 package: acl: v2.3.1 diff --git a/images/cdi-artifact/werf.inc.yaml b/images/cdi-artifact/werf.inc.yaml index 56992bb8b9..28dbe2e068 100644 --- a/images/cdi-artifact/werf.inc.yaml +++ b/images/cdi-artifact/werf.inc.yaml @@ -35,8 +35,8 @@ secrets: shell: install: - | - echo "Git clone CDI repository..." - git clone --depth 1 --branch {{ $version }} $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} /src/containerized-data-importer + echo "Git clone {{ $gitRepoName }} repository..." + git clone --depth=1 --branch {{ $version }} $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} /src/containerized-data-importer rm -rf /src/containerized-data-importer/.git @@ -81,19 +81,8 @@ shell: cd /containerized-data-importer go mod download - echo Update modules to mitigate CVEs... - - # CVE-2024-45337,CVE-2025-22869 - go get golang.org/x/crypto@v0.38.0 - # CVE-2025-22870, CVE-2025-22872 - go get golang.org/x/net@v0.40.0 - # CVE-2025-27144 - go get github.com/go-jose/go-jose/v3@v3.0.4 - # CVE-2025-22868 - go get golang.org/x/oauth2@v0.27.0 - - go mod tidy go mod vendor + # Apply patch for json-patch from 3p-cdi repo git apply --ignore-space-change --ignore-whitespace patches/replace-op-for-evanphx-json-patch-v5-lib.patch diff --git a/images/dvcr-artifact/go.mod b/images/dvcr-artifact/go.mod index 03a97ead3e..ce1b1dfb34 100644 --- a/images/dvcr-artifact/go.mod +++ b/images/dvcr-artifact/go.mod 
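Review bot: The `git clone --depth=1 --branch {{ $version }}` line in the first hunk of images/cdi-artifact/werf.inc.yaml checks out whatever the tag name currently points to, and nothing in the step verifies which commit was fetched. The same applies to the clone added in images/virt-artifact/werf.inc.yaml. This matters more after this commit, because the second cdi-artifact hunk and the later virt-artifact hunk drop the in-build `go get` pins for the listed CVEs, so the patched module versions presumably now come only from the fork's go.mod at that tag. Consider recording the expected commit next to the tag and failing the step on a mismatch before `.git` is removed, for example `test "$(git -C /src/containerized-data-importer rev-parse HEAD)" = "<EXPECTED_COMMIT_PLACEHOLDER>"`. The install script continues outside the hunk.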
@@ -40,7 +40,7 @@ require (
 github.com/containers/storage v1.55.0 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/docker/distribution v2.8.3+incompatible // indirect
- github.com/docker/docker v27.1.1+incompatible // indirect
+ github.com/docker/docker v28.0.0+incompatible // indirect
 github.com/docker/docker-credential-helpers v0.8.2 // indirect
 github.com/docker/go-connections v0.5.0 // indirect
 github.com/docker/go-units v0.5.0 // indirect
@@ -97,7 +97,7 @@ require (
 github.com/sirupsen/logrus v1.9.3 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
- github.com/ulikunitz/xz v0.5.12 // indirect
+ github.com/ulikunitz/xz v0.5.15 // indirect
 github.com/vbatts/tar-split v0.11.5 // indirect
 github.com/vmware/govmomi v0.23.1 // indirect
 go.opencensus.io v0.24.0 // indirect
diff --git a/images/dvcr-artifact/go.sum b/images/dvcr-artifact/go.sum
index fb9cfa07a9..a7bb733a12 100644
--- a/images/dvcr-artifact/go.sum
+++ b/images/dvcr-artifact/go.sum
@@ -65,8 +65,8 @@ github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2 github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v27.1.1+incompatible h1:hO/M4MtV36kzKldqnA37IWhebRA+LnqqcqDja6kVaKY= -github.com/docker/docker v27.1.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v28.0.0+incompatible h1:Olh0KS820sJ7nPsBKChVhk5pzqcwDR15fumfAd/p9hM= +github.com/docker/docker v28.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= 
@@ -390,8 +390,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI= github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= -github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc= -github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= +github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY= +github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts= github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk= github.com/vmware/govmomi v0.23.1 h1:vU09hxnNR/I7e+4zCJvW+5vHu5dO64Aoe2Lw7Yi/KRg= diff --git a/images/virt-artifact/werf.inc.yaml b/images/virt-artifact/werf.inc.yaml index f76dcf3163..5d2afca419 100644 --- a/images/virt-artifact/werf.inc.yaml +++ b/images/virt-artifact/werf.inc.yaml @@ -1,9 +1,11 @@ --- # Source https://github.com/kubevirt/kubevirt/blob/v1.3.1/hack/dockerized#L15 {{- $gitRepoName := "3p-kubevirt" }} +{{- $gitRepoUrl := (printf "%s/%s" "deckhouse" $gitRepoName) }} {{- $tag := get $.Core $gitRepoName }} {{- $version := (split "-" $tag)._0 }} + --- image: {{ .ModuleNamePrefix }}{{ .ImageName }}-src-artifact final: false @@ -13,7 +15,11 @@ secrets: value: {{ $.SOURCE_REPO }} shell: install: - - git clone --depth=1 $(cat /run/secrets/SOURCE_REPO)/deckhouse/3p-kubevirt --branch {{ $tag }} /kubevirt + - | + echo "Git clone {{ $gitRepoName }} repository..." + git clone --depth=1 $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} --branch {{ $tag }} /src/kubevirt + + rm -rf /src/kubevirt/.git --- 
@@ -54,7 +60,7 @@ secrets: value: {{ .GOPROXY }} import: - image: {{ .ModuleNamePrefix }}{{ .ImageName }}-src-artifact - add: /kubevirt + add: /src/kubevirt to: /kubevirt before: install {{- include "importPackageImages" (list . $builderDependencies.packages "install") -}} @@ -79,30 +85,8 @@ shell: export GOPROXY=$(cat /run/secrets/GOPROXY) mkdir -p ~/.ssh && echo "StrictHostKeyChecking accept-new" > ~/.ssh/config cd /kubevirt - go mod download - go get github.com/opencontainers/runc@v1.1.14 - go get github.com/containers/common@v0.60.4 - - | - echo Download Go modules. go mod download - - echo Update modules to mitigate CVEs... - go get github.com/opencontainers/runc@v1.1.14 - go get github.com/containers/common@v0.60.4 - - go get github.com/go-openapi/strfmt@v0.23.0 - go get github.com/onsi/gomega/matchers/support/goraph/bipartitegraph@v1.34.1 - go get github.com/cilium/ebpf/btf@v0.11.0 - go get github.com/cilium/ebpf/internal@v0.11.0 - - # CVE-2024-45337,CVE-2025-22869 - go get golang.org/x/crypto@v0.38.0 - # CVE-2025-22870, CVE-2025-22872 - go get golang.org/x/net@v0.40.0 - # CVE-2025-22868 - go get golang.org/x/oauth2@v0.27.0 - go mod vendor setup: diff --git a/images/virtualization-artifact/go.mod b/images/virtualization-artifact/go.mod index 81a3b679f6..2a65806fc1 100644 --- a/images/virtualization-artifact/go.mod +++ b/images/virtualization-artifact/go.mod @@ -67,7 +67,7 @@ require ( github.com/coreos/go-semver v0.3.1 // indirect github.com/coreos/go-systemd/v22 v22.5.0 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect - github.com/docker/docker v25.0.6+incompatible // indirect + github.com/docker/docker v28.0.0+incompatible // indirect github.com/docker/docker-credential-helpers v0.8.0 // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/evanphx/json-patch v5.6.0+incompatible // indirect 
@@ -155,6 +155,7 @@ replace ( k8s.io/client-go => k8s.io/client-go v0.33.3 k8s.io/component-base => k8s.io/component-base v0.33.3 k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20250701173324-9bd5c66d9911 + kubevirt.io/api => github.com/deckhouse/3p-kubevirt/staging/src/kubevirt.io/api v1.3.1-v12n.17 ) // CVE Replaces diff --git a/images/virtualization-artifact/go.sum b/images/virtualization-artifact/go.sum index 409ba2d635..51c08a412f 100644 --- a/images/virtualization-artifact/go.sum +++ b/images/virtualization-artifact/go.sum 
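Review bot: The added `kubevirt.io/api` replace hard-codes `v1.3.1-v12n.17`, the same fork tag this commit sets for `3p-kubevirt` in build/components/versions.yml, and nothing visible ties the two values together. A later bump of only one of them could leave this module compiled against API types from a different fork revision than the KubeVirt that is actually built. A comment on the line would make the coupling explicit: `// keep in sync with core.3p-kubevirt in build/components/versions.yml`. The replace block starts outside the hunk.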
@@ -45,14 +45,16 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/deckhouse/3p-kubevirt/staging/src/kubevirt.io/api v1.3.1-v12n.17 h1:IQPK5oGRSONOKPH8TIuDq7vCjbFTj0NEWQzo6ZBD7uY= +github.com/deckhouse/3p-kubevirt/staging/src/kubevirt.io/api v1.3.1-v12n.17/go.mod h1:tCn7VAZktEvymk490iPSMPCmKM9UjbbfH2OsFR/IOLU= github.com/deckhouse/deckhouse/pkg/log v0.0.0-20250226105106-176cd3afcdd5 h1:PsN1E0oxC/+4zdA977txrqUCuObFL3HAuu5Xnud8m8c= github.com/deckhouse/deckhouse/pkg/log v0.0.0-20250226105106-176cd3afcdd5/go.mod h1:Mk5HRzkc5pIcDIZ2JJ6DPuuqnwhXVkb3you8M8Mg+4w= github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0= github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= github.com/docker/cli v23.0.5+incompatible h1:ufWmAOuD3Vmr7JP2G5K3cyuNC4YZWiAsuDEvFVVDafE= github.com/docker/cli v23.0.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/docker v25.0.6+incompatible h1:5cPwbwriIcsua2REJe8HqQV+6WlWc1byg2QSXzBxBGg= -github.com/docker/docker v25.0.6+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v28.0.0+incompatible h1:Olh0KS820sJ7nPsBKChVhk5pzqcwDR15fumfAd/p9hM= +github.com/docker/docker v28.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8= github.com/docker/docker-credential-helpers v0.8.0/go.mod h1:UGFXcuoQ5TxPiB54nHOZ32AWRqQdECoh/Mg0AlEYb40= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod 
h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=