
fixed issue where vulnerabilities were only getting logged when a fix… #248

Merged

Conversation

yodahekinsew
Contributor

@yodahekinsew yodahekinsew commented Jul 30, 2020

Fixing the issue where vulnerabilities were only getting logged when a fixable vulnerability was found. The current behavior after this fix is that the vulnerability check will fail if and only if a severe and fixable vulnerability is found; but the vulnerability check will always log all of the vulnerabilities it finds. Additionally, if a fix is not available for an issue, we now clear out some of the fields that would incorrectly imply to the user that there was a fix when logged.
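As an added illustration of the check behaviour described in this PR (example code written for this page, not the promoter's own code): every finding is logged, fix-related fields are cleared when no fix exists so the log line does not imply one, and the check fails only when a finding is both at or above the severity threshold and fixable. The `Vuln` type, its field names, the `Severity` ordering and the sample findings are all assumptions constructed for the example; the real types in cip.go are not shown on the page.

```go
package main

import (
	"fmt"
	"log"
	"os"
)

// Severity is an ordered scale. The ordering is an assumption for this
// example; the promoter's real severity type is not shown on the page.
type Severity int

const (
	SeverityMinimal Severity = iota
	SeverityLow
	SeverityMedium
	SeverityHigh
	SeverityCritical
)

func (s Severity) String() string {
	names := [...]string{"MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
	if s < 0 || int(s) >= len(names) {
		return fmt.Sprintf("UNKNOWN(%d)", int(s))
	}
	return names[s]
}

// Vuln is a hypothetical, simplified occurrence record. The field names are
// assumptions for this example, not the promoter's real types.
type Vuln struct {
	Occurrence   string // occurrence name, logged so the finding can be looked up later
	Package      string // affected package binary inside an image layer
	Severity     Severity
	FixAvailable bool
	FixedVersion string // only meaningful when FixAvailable is true
}

// sanitize clears fields that would imply a fix when there is none, so the
// logged line does not mislead the reader.
func sanitize(v Vuln) Vuln {
	if !v.FixAvailable {
		v.FixedVersion = ""
	}
	return v
}

// checkVulns logs every finding and returns only those that should fail the
// check: severity at or above threshold AND a fix available. A negative
// threshold disables the check, mirroring the `>= 0` gate seen in cip.go.
func checkVulns(logger *log.Logger, threshold int, vulns []Vuln) []Vuln {
	if threshold < 0 {
		return nil
	}
	logger.Printf("********** START (VULN CHECK) **********")
	logger.Printf("DISCLAIMER: vulnerabilities are reported against package binaries " +
		"within image layers; a fixed binary does not mean a fixed layer exists")
	var failing []Vuln
	for _, raw := range vulns {
		v := sanitize(raw) // log the cleaned record, never the raw one
		logger.Printf("%s: package=%s severity=%s fixAvailable=%t fixedVersion=%q",
			v.Occurrence, v.Package, v.Severity, v.FixAvailable, v.FixedVersion)
		if int(v.Severity) >= threshold && v.FixAvailable {
			failing = append(failing, v)
		}
	}
	logger.Printf("********** END (VULN CHECK): %d finding(s), %d failing **********",
		len(vulns), len(failing))
	return failing
}

// sampleVulns returns constructed findings (not real scan data) covering the
// three cases that matter: severe+fixable, severe+unfixable, mild+fixable.
func sampleVulns() []Vuln {
	return []Vuln{
		{Occurrence: "occ-1", Package: "libfoo", Severity: SeverityCritical, FixAvailable: true, FixedVersion: "1.2.3"},
		// Stale FixedVersion with no fix available: sanitize clears it before logging.
		{Occurrence: "occ-2", Package: "libbar", Severity: SeverityCritical, FixAvailable: false, FixedVersion: "9.9.9"},
		{Occurrence: "occ-3", Package: "libbaz", Severity: SeverityLow, FixAvailable: true, FixedVersion: "0.4.0"},
	}
}

func main() {
	logger := log.New(os.Stderr, "", 0)
	failing := checkVulns(logger, int(SeverityHigh), sampleVulns())
	if len(failing) > 0 {
		fmt.Fprintf(os.Stderr, "vulnerability check failed: %d severe, fixable finding(s)\n", len(failing))
		os.Exit(1)
	}
	fmt.Println("vulnerability check passed")
}
```

Run with a HIGH threshold, only occ-1 fails the check; occ-2 is logged (with its misleading FixedVersion cleared) but does not fail because no fix exists, and occ-3 is logged but is below the threshold.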

@k8s-ci-robot k8s-ci-robot added sig/release Categorizes an issue or PR as relevant to SIG Release. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jul 30, 2020
@yodahekinsew
Contributor Author

/cc @listx @prathak07

@k8s-ci-robot
Contributor

@yodahekinsew: GitHub didn't allow me to request PR reviews from the following users: prathak07.

Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @listx @prathak07

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jul 30, 2020
cip.go Outdated
@@ -286,6 +286,10 @@ func main() {

if *severityThresholdPtr >= 0 {
klog.Info("********** START (VULN CHECK) **********")
klog.Info("DISCLAIMER: Vulnerabilities are found as issues with " +
"package binaries within image dependencies, not necessarily " +
Contributor

s/dependencies/layers

Contributor Author

Done

cip.go Outdated
@@ -286,6 +286,10 @@ func main() {

if *severityThresholdPtr >= 0 {
klog.Info("********** START (VULN CHECK) **********")
klog.Info("DISCLAIMER: Vulnerabilities are found as issues with " +
"package binaries within image dependencies, not necessarily " +
"with the image dependencies themselves. So a \"fixable\" " +
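Review bot: the disclaimer logged under `if *severityThresholdPtr >= 0` is emitted on every run of the check but never says which threshold is in effect, so a reader of the log cannot tell why a given finding did or did not fail the check; consider carrying the value in the START line, e.g. `klog.Infof("********** START (VULN CHECK, threshold=%d) **********", *severityThresholdPtr)`, alongside the disclaimer.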
Contributor

"For example, even though a fixed version of the binary is available, it does not necessarily mean that a new version of the image layer is available."

Contributor Author

Done

…as found; also improved logging of vulns to include occurrence name and disclaimer that these vulns are only related to package binary issues
@yodahekinsew
Contributor Author

/test pull-cip-lint

@listx
Contributor

listx commented Aug 3, 2020

/lgtm
/approve

/hold

Remove hold when ready.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 3, 2020
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 3, 2020
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: listx, yodahekinsew

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 3, 2020
@yodahekinsew yodahekinsew removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 7, 2020
@k8s-ci-robot k8s-ci-robot merged commit c35b3a0 into kubernetes-sigs:master Aug 7, 2020