Address go-restful CVE-2022-1996 #2547

Merged 2 commits, Feb 2, 2023

Conversation

carolynvs
Member

@carolynvs carolynvs commented Feb 2, 2023

  • Upgrade containerd to v1.6.16
  • Upgrade cnab-go to v1.25.0
  • Upgrade docker to v23.0.0-rc.1
  • Upgrade buildx to v0.10.2 which required some careful code changes to compile again
  • Upgrade go-restful to v3 which addresses CVE-2022-1996

cnabio/cnab-go#294 must be merged first, then I'll update our go.mod to reference the latest version of cnab-go

@getporterbot getporterbot added this to In Progress in Porter and Mixins Feb 2, 2023
* Upgrade go-restful to v3 which addresses CVE-2022-1996
* Upgrade containerd to v1.6.16
* Upgrade cnab-go to v1.25.0
* Upgrade docker to v23.0.0-rc.1
* Upgrade buildx to v0.10.2 which required some careful code changes to compile again

Signed-off-by: Carolyn Van Slyck <me@carolynvanslyck.com>
github.com/agl/ed25519 v0.0.0-20170116200512-5312a6153412 // indirect
github.com/andybalholm/brotli v1.0.1 // indirect
github.com/andybalholm/cascadia v1.1.0 // indirect
github.com/aws/aws-sdk-go-v2 v1.16.3 // indirect
Contributor

I wonder which library is using aws-sdk code

Member Author

```
$ go mod why github.com/aws/aws-sdk-go-v2
# github.com/aws/aws-sdk-go-v2
get.porter.sh/porter/pkg/build/buildkit
github.com/docker/buildx/util/buildflags
github.com/aws/aws-sdk-go-v2/config
github.com/aws/aws-sdk-go-v2/internal/ini
github.com/aws/aws-sdk-go-v2
```

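The comment above answers the reachability question for one module by hand. As an added example, not part of this PR or of Porter, the Go program below parses `go mod why` output so the same question (which first-party package pulls an indirect module in, and through which external package) can be answered for every module a scanner flags. It assumes `get.porter.sh/porter` is the main module path (taken from the chain above); `sampleWhy` is constructed, with its first entry copied from the comment and `example.com/unused` invented to show the not-needed case.

```go
package main

import "strings"

// mainModule is the module under audit; constructed from the chain in the PR comment.
const mainModule = "get.porter.sh/porter"
// sampleWhy is constructed `go mod why` output: the chain pasted in the PR comment,
// followed by a made-up module that the main module does not need.
const sampleWhy = `# github.com/aws/aws-sdk-go-v2
get.porter.sh/porter/pkg/build/buildkit
github.com/docker/buildx/util/buildflags
github.com/aws/aws-sdk-go-v2/config
github.com/aws/aws-sdk-go-v2/internal/ini
github.com/aws/aws-sdk-go-v2
# example.com/unused
(main module does not need package example.com/unused)
`

// WhyResult is the parsed answer for one "# ..." header of go mod why output.
type WhyResult struct {
	Pkg    string   // package (or module, with -m) named in the header
	Chain  []string // shortest import path from the main module down to Pkg
	Needed bool     // false when go prints "(main module does not need ...)"
}

// ParseWhy splits go mod why output into one WhyResult per header; blank lines
// and any stray text before the first header are ignored.
func ParseWhy(out string) []WhyResult {
	var res []WhyResult
	cur := -1 // index into res: unlike a pointer, it stays valid across append
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "# "):
			res = append(res, WhyResult{Pkg: strings.TrimPrefix(line, "# "), Needed: true})
			cur = len(res) - 1
		case line == "" || cur < 0:
		case strings.HasPrefix(line, "(main module does not need"):
			res[cur].Needed = false
		default:
			res[cur].Chain = append(res[cur].Chain, line)
		}
	}
	return res
}

// Triage names where a dependency enters the build: Entry is the last first-party
// package on the chain, Via the first external package it imports (the module to fix).
type Triage struct{ Entry, Via string }

// TriageWhy derives a Triage; ok is false when the main module does not need Pkg.
func TriageWhy(r WhyResult, mainModule string) (t Triage, ok bool) {
	if !r.Needed || len(r.Chain) == 0 {
		return Triage{}, false
	}
	for _, p := range r.Chain {
		if p != mainModule && !strings.HasPrefix(p, mainModule+"/") {
			t.Via = p // first hop outside our own module
			break
		}
		t.Entry = p
	}
	return t, t.Entry != ""
}
```

Feed it the concatenated output of `go mod why` over the modules a vulnerability scanner reports, and `Via` tells you which direct dependency (here buildx) has to move before the indirect one can.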
Member Author

SDKs are the same reason why the k8s codebase often ends up pulling in cloud-specific libraries, so that they can handle authentication.

Signed-off-by: Carolyn Van Slyck <me@carolynvanslyck.com>
@carolynvs carolynvs merged commit ea190b1 into getporter:main Feb 2, 2023
Porter and Mixins automation moved this from In Progress to Done Feb 2, 2023
@carolynvs carolynvs deleted the go-restful branch February 2, 2023 19:54
bdegeeter pushed a commit to bdegeeter/porter that referenced this pull request May 11, 2023
* Address go-restful CVE-2022-1996

* Upgrade go-restful to v3 which addresses CVE-2022-1996
* Upgrade containerd to v1.6.16
* Upgrade cnab-go to v1.25.0
* Upgrade docker to v23.0.0-rc.1
* Upgrade buildx to v0.10.2 which required some careful code changes to compile again

Signed-off-by: Carolyn Van Slyck <me@carolynvanslyck.com>

* Pin cnab-go to v0.25.0

Signed-off-by: Carolyn Van Slyck <me@carolynvanslyck.com>

---------

Signed-off-by: Carolyn Van Slyck <me@carolynvanslyck.com>
bdegeeter pushed a commit to bdegeeter/porter that referenced this pull request May 16, 2023
author Brian DeGeeter <b.degeeter@f5.com> 1673381173 -0800
committer Brian DeGeeter <brian@degeeter.net> 1684277785 -0700

parent 8ff74f4
author Brian DeGeeter <b.degeeter@f5.com> 1673381173 -0800
committer Brian DeGeeter <brian@degeeter.net> 1684277652 -0700

parent 8ff74f4
author Brian DeGeeter <b.degeeter@f5.com> 1673381173 -0800
committer Brian DeGeeter <brian@degeeter.net> 1684277541 -0700

chore: basic structure for grpc api

Signed-off-by: Brian DeGeeter <b.degeeter@f5.com>

chore: move make targets to mage

Signed-off-by: Brian DeGeeter <b.degeeter@f5.com>

wip: buf scaffolding

Signed-off-by: Steven Gettys <s.gettys@f5.com>

chore: Added simple test client/server

chore: move grpc test under tests folder

Signed-off-by: Brian DeGeeter <b.degeeter@f5.com>

chore: add basic grpc server test

Signed-off-by: Brian DeGeeter <b.degeeter@f5.com>

chore: retire makefile

Signed-off-by: Brian DeGeeter <b.degeeter@f5.com>

chore: collab on failing porter integration

Signed-off-by: Brian DeGeeter <b.degeeter@f5.com>

Feat/add server to porter cmd (#2)

* wip: Saving state

* wip: Added per rpc connection

* chore: Removed debug prints

chore: Added server cli options

Signed-off-by: Steven Gettys <s.gettys@f5.com>

chore: Fixed int viper conversion error

added grpc context for porter connection

feat: update proto file

chore: Generated new go grpc and moved test over to using the porter connection in the grpc context

chore: Added UT for grpc context package

Signed-off-by: Steven Gettys <s.gettys@f5.com>

fill out installation list grpc response

use PorterTest for grpc integration tests

chore: Updated grpc integration tests to inject installations into the porter test client

Signed-off-by: Steven Gettys <s.gettys@f5.com>

porter structs to grpc via json marshaling

chore: convert store install to display for grpc integ test

chore: Added UT for grpc context and installation packages

Signed-off-by: Steven Gettys <s.gettys@f5.com>

chore: Consolidated duplicate test code for grpc installation service

chore: Refactored to use a single portergrpc package

Signed-off-by: Steven Gettys <s.gettys@f5.com>

chore: Renamed grpc PorterBundleServer to PorterServer

Signed-off-by: Steven Gettys <s.gettys@f5.com>

chore: Checked in proto change

Signed-off-by: Steven Gettys <s.gettys@f5.com>

chore: Moved around grpc package some

Signed-off-by: Steven Gettys <s.gettys@f5.com>

chore: refactor grpc integ test

chore: remove porter-service cmd files

chore: refactor for integ testing

chore: add cred and param sets to installation proto

initial run outputs grpc func

refactor outputs proto to remove extra depth

chore: add test installation opts for data driven grpc integ testing

chore: Testing out action (#3)

* chore: Testing out action

Signed-off-by: Steven Gettys <s.gettys@f5.com>

* chore: Removed the DOCKER_BUILDKIT flag

Signed-off-by: Steven Gettys <s.gettys@f5.com>

* chore: Removed docker buildkit

Signed-off-by: Steven Gettys <s.gettys@f5.com>

* chore: Added default case

Signed-off-by: Steven Gettys <s.gettys@f5.com>

---------

Signed-off-by: Steven Gettys <s.gettys@f5.com>

Bump github.com/moby/buildkit from 0.10.6 to 0.11.0 (getporter#2520)

* Bump github.com/moby/buildkit from 0.10.6 to 0.11.0

Signed-off-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Yingrong Zhao <yingrong.zhao@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yingrong Zhao <yingrong.zhao@gmail.com>

Bump github.com/google/go-containerregistry from 0.12.1 to 0.13.0

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.1 to 0.13.0.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.12.1...v0.13.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Address go-restful CVE-2022-1996 (getporter#2547)

* Address go-restful CVE-2022-1996

* Upgrade go-restful to v3 which addresses CVE-2022-1996
* Upgrade containerd to v1.6.16
* Upgrade cnab-go to v1.25.0
* Upgrade docker to v23.0.0-rc.1
* Upgrade buildx to v0.10.2 which required some careful code changes to compile again

Signed-off-by: Carolyn Van Slyck <me@carolynvanslyck.com>

* Pin cnab-go to v0.25.0

Signed-off-by: Carolyn Van Slyck <me@carolynvanslyck.com>

---------

Signed-off-by: Carolyn Van Slyck <me@carolynvanslyck.com>

Bump github.com/stretchr/testify from 1.8.1 to 1.8.2

Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.1 to 1.8.2.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](stretchr/testify@v1.8.1...v1.8.2)

---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Bump github.com/grpc-ecosystem/go-grpc-middleware from 1.3.0 to 1.4.0

Bumps [github.com/grpc-ecosystem/go-grpc-middleware](https://github.com/grpc-ecosystem/go-grpc-middleware) from 1.3.0 to 1.4.0.
- [Release notes](https://github.com/grpc-ecosystem/go-grpc-middleware/releases)
- [Commits](grpc-ecosystem/go-grpc-middleware@v1.3.0...v1.4.0)

---
updated-dependencies:
- dependency-name: github.com/grpc-ecosystem/go-grpc-middleware
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Bump github.com/spf13/afero from 1.9.4 to 1.9.5

Bumps [github.com/spf13/afero](https://github.com/spf13/afero) from 1.9.4 to 1.9.5.
- [Release notes](https://github.com/spf13/afero/releases)
- [Commits](spf13/afero@v1.9.4...v1.9.5)

---
updated-dependencies:
- dependency-name: github.com/spf13/afero
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Bump github.com/hashicorp/go-hclog from 1.4.0 to 1.5.0

Bumps [github.com/hashicorp/go-hclog](https://github.com/hashicorp/go-hclog) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/hashicorp/go-hclog/releases)
- [Commits](hashicorp/go-hclog@v1.4.0...v1.5.0)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-hclog
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Bump github.com/google/go-containerregistry from 0.13.0 to 0.14.0

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.13.0 to 0.14.0.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.13.0...v0.14.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Bump github.com/containerd/containerd from 1.6.19 to 1.7.0

Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.6.19 to 1.7.0.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v1.6.19...v1.7.0)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Revert "Merge pull request getporter#2653 from getporter/dependabot/go_modules/github.com/google/go-containerregistry-0.14.0"

This reverts commit 7ee355f, reversing
changes made to 09297d6.

Signed-off-by: Carolyn Van Slyck <me@carolynvanslyck.com>

Bump go.mongodb.org/mongo-driver from 1.11.3 to 1.11.4

Bumps [go.mongodb.org/mongo-driver](https://github.com/mongodb/mongo-go-driver) from 1.11.3 to 1.11.4.
- [Release notes](https://github.com/mongodb/mongo-go-driver/releases)
- [Commits](mongodb/mongo-go-driver@v1.11.3...v1.11.4)

---
updated-dependencies:
- dependency-name: go.mongodb.org/mongo-driver
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

chore: basic structure for grpc api

Signed-off-by: Brian DeGeeter <brian@degeeter.net>
Signed-off-by: Steven Gettys <steven.gettys@gmail.com>

Co-authored-by: Brian DeGeeter <brian@degeeter.net>
Co-authored-by: Steven Gettys <steven.gettys@gmail.com>

chore: fix tests after rebase

Signed-off-by: Brian DeGeeter <brian@degeeter.net>

chore: tidy up go.sum

Signed-off-by: Brian DeGeeter <brian@degeeter.net>

chore: remove wip file

Signed-off-by: Brian DeGeeter <brian@degeeter.net>
bdegeeter pushed a commit to bdegeeter/porter that referenced this pull request Jun 8, 2023