
bump golang.org/x/net to fix CVE-2022-41717 #3048

Merged
merged 1 commit into from
Jan 16, 2023

Conversation

fengshunli
Member

@fengshunli fengshunli commented Jan 13, 2023

Signed-off-by: fsl 1171313930@qq.com

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

golang.org/x/net updates to v0.6.0 to fix CVE-2022-41717

@karmada-bot karmada-bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Jan 13, 2023
Signed-off-by: fsl <1171313930@qq.com>
@codecov-commenter

Codecov Report

Merging #3048 (7776f96) into master (aa5868a) will increase coverage by 0.01%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #3048      +/-   ##
==========================================
+ Coverage   38.96%   38.98%   +0.01%     
==========================================
  Files         207      207              
  Lines       19365    19365              
==========================================
+ Hits         7546     7549       +3     
+ Misses      11362    11360       -2     
+ Partials      457      456       -1     
| Flag | Coverage Δ |
|---|---|
| unittests | 38.98% <ø> (+0.01%) ⬆️ |


| Impacted Files | Coverage Δ |
|---|---|
| pkg/search/proxy/store/store.go | 68.42% <0.00%> (+3.15%) ⬆️ |


@chaunceyjiang
Member

chaunceyjiang commented Jan 13, 2023

golang.org/x/net is too old and vulnerable to GO-2022-1144

Refer to #2718

@fengshunli
Member Author

> golang.org/x/net is too old and vulnerable to GO-2022-1144
>
> Refer to #2718

fixed

@RainbowMango
Member

Is there any evidence showing that Karmada is affected by the CVE?

@fengshunli
Member Author

> Is there any evidence showing that Karmada is affected by the CVE?

There are vulnerabilities in images built based on source code

@RainbowMango
Member

> There are vulnerabilities in images built based on source code

Could you please show the evidence in more detail?

If we are fixing a security issue, we probably need to release a warning as per vulnerability-handling-process

@fengshunli
Member Author

> There are vulnerabilities in images built based on source code
>
> Could you please show the evidence in more detail?
>
> If we are fixing a security issue, we probably need to release a warning as per vulnerability-handling-process

before repair: [screenshot not reproduced]

after repair: [screenshot not reproduced]

@RainbowMango
Member

Interesting! Which tools are you using?

@fengshunli
Member Author

> Interesting! Which tools are you using?

https://github.com/aquasecurity/trivy
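The trivy image scan above found the old golang.org/x/net pin after the fact. The same condition can be caught earlier, at the source, by checking the version `go.mod` requires for the module. The following is an added example, not Karmada's own code or tooling: it parses `go.mod` text (both `require (...)` blocks and single-line directives), compares the pinned version of a module against a minimum, and handles pseudo-versions and pre-releases, which sort before the release with the same core numbers. The sample `go.mod` and its pseudo-version hash are constructed; the minimum `v0.6.0` is the version this PR bumps to, taken from the PR description rather than from the Go vulnerability database.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample go.mod (not Karmada's real one). It pins golang.org/x/net
// to an old pseudo-version, the kind of pin a scanner flags for GO-2022-1144.
const sampleGoMod = `module example.com/constructed

go 1.19

require (
	github.com/spf13/cobra v1.6.1
	golang.org/x/net v0.0.0-20220101000000-0123456789ab // indirect
	golang.org/x/text v0.5.0
)

require golang.org/x/sys v0.3.0
`

// MinFixed is the golang.org/x/net version this PR bumps to (assumption: taken
// from the PR description, not from the Go vulnerability database).
const MinFixed = "v0.6.0"

// version is the parsed form of a Go module version string.
type version struct {
	major, minor, patch int
	prerelease          bool // "-..." suffix present, including pseudo-versions
}

// parseVersion parses "vMAJOR.MINOR.PATCH[-prerelease][+build]".
func parseVersion(s string) (version, error) {
	core := strings.TrimPrefix(s, "v")
	var v version
	if i := strings.IndexAny(core, "-+"); i >= 0 {
		v.prerelease = core[i] == '-'
		core = core[:i]
	}
	if n, err := fmt.Sscanf(core, "%d.%d.%d", &v.major, &v.minor, &v.patch); err != nil || n != 3 {
		return version{}, fmt.Errorf("malformed version %q", s)
	}
	return v, nil
}

// less reports whether a sorts before b. A pre-release (or pseudo-version)
// sorts before the release with the same core numbers, as in semver.
func (a version) less(b version) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	return a.prerelease && !b.prerelease
}

// RequiredVersion scans go.mod text for the version pinned for module.
// Trailing comments such as "// indirect" are ignored.
func RequiredVersion(gomod, module string) (string, bool) {
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2 && f[0] == module:
			return f[1], true
		case !inBlock && len(f) == 3 && f[0] == "require" && f[1] == module:
			return f[2], true
		}
	}
	return "", false
}

// CheckModule returns the pinned version of module and whether it is older
// than minVersion. A module that is not required at all is an error.
func CheckModule(gomod, module, minVersion string) (pinned string, tooOld bool, err error) {
	pinned, ok := RequiredVersion(gomod, module)
	if !ok {
		return "", false, fmt.Errorf("%s is not required by this go.mod", module)
	}
	have, err := parseVersion(pinned)
	if err != nil {
		return pinned, false, err
	}
	want, err := parseVersion(minVersion)
	if err != nil {
		return pinned, false, err
	}
	return pinned, have.less(want), nil
}

func main() {
	pinned, tooOld, err := CheckModule(sampleGoMod, "golang.org/x/net", MinFixed)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("golang.org/x/net %s below %s: %v\n", pinned, MinFixed, tooOld)
}
```

Run against a real `go.mod` by reading the file into `CheckModule` in place of the constructed sample; a non-zero exit on `tooOld` makes it a CI gate alongside the image scan. Pseudo-versions such as `v0.0.0-2022...` compare as a pre-release of `v0.0.0`, so they are always reported as older than a tagged fix.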

@RainbowMango RainbowMango added this to the v1.5 milestone Jan 13, 2023
@RainbowMango
Member

Thanks, it's very helpful and reminds us to set up the image scanning process.
/assign


@RainbowMango RainbowMango left a comment


/lgtm
/approve

@karmada-bot karmada-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 16, 2023
@karmada-bot
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: RainbowMango

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@karmada-bot karmada-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 16, 2023
@karmada-bot karmada-bot merged commit 6647508 into karmada-io:master Jan 16, 2023
@RainbowMango
Member

By the way, I added an agenda to this week's meeting to talk about how to integrate image scans into CI.
