[1.1] chore: silencing security false positives caused by golang.org/x/net #4244
Conversation
|
Thanks for your contribution! The first cve issue seems not related, the second one is about |
@lifubang It seems true. This report was output by me using trivy and may not be accurate. |
kolyshkin
changed the title
kycheng
changed the title
There was a problem hiding this comment.
I see runc main is using the versions you are updating to here, but I think we should update them to the latest, specially if we want to silence CVEs as 0.22 is vulnerable to some CVEs.
I'd update to the latest here and do the same in runc main too.
Also @kycheng can you comment how do you see a warning? Which tool are you using that throws a warning for this?
With the recent supply chain attacks, I've verified locally that running "make vendor" with the changes on go.mod produces the exact same things as this PR. It's not a matter of not trusting you, but just to be on the safe side of things :)
golang.org/x/net:v0.8.0 will introduce some security false positives: - https://avd.aquasec.com/nvd/cve-2023-4448 - https://avd.aquasec.com/nvd/cve-2023-3978 - https://avd.aquasec.com/nvd/cve-2023-39325 Signed-off-by: kychen <kychen@alauda.io>
I'm using buildkit, the latest version of runc referenced by buildkit, and this issue was exposed when we scanned the buildkit(use
In addition, the content of the vendor of this PR is indeed the same as that of make vendor. Sorry, I don't know what the process is. Do I need to remove the vendor changes and just update go.mod? |
|
@kycheng Thanks!
No, as it is is perfect. I was just letting maintainers know that there were indeed no hidden changes, as verifying that is needed to prevent some supply chain attacks. Nothing for you to change, just a sanity check :-) |
|
The failure in the unit test seems to have nothing to do with my update. I spent some time understanding criu. Is the failure of the test related to the functions supported by the kernel?
I'm not quite sure how I can fix this unit test. @rata |
|
You can just do |
|
@rata @AkihiroSuda Are there any other issues with this PR that need to be fixed? Can you help me review it? |
kolyshkin
added
backport/1.1-pr
v1.1.13 -- "There is no certainty in the world. This is the only certainty I have." This is the thirteenth patch release in the 1.1.z release branch of runc. It brings in Go 1.12.x compatibility and fixes a few issues, including an occasional wrong nofile rlimit in runc exec, and a race between runc list and runc delete. NOTE that if using Go 1.22.x to build runc, make sure to use 1.22.4 or a later version. For more details, see issue opencontainers#4233. * Support go 1.22.4+. (opencontainers#4313) * runc list: fix race with runc delete. (opencontainers#4231) * Fix set nofile rlimit error. (opencontainers#4277, opencontainers#4299) * libct/cg/fs: fix setting rt_period vs rt_runtime. (opencontainers#4284) * Fix a debug msg for user ns in nsexec. (opencontainers#4315) * script/*: fix gpg usage wrt keyboxd. (opencontainers#4316) * CI fixes and misc backports. (opencontainers#4241) * Fix codespell warnings. (opencontainers#4300) * Silence security false positives from golang/net. (opencontainers#4244) * libcontainer: allow containers to make apps think fips is enabled/disabled for testing. (opencontainers#4257) * allow overriding VERSION value in Makefile. (opencontainers#4270) * Vagrantfile.fedora: bump Fedora to 39. (opencontainers#4261) * ci/cirrus: rm centos stream 8. (opencontainers#4305, opencontainers#4308) Thanks to all of the contributors who made this release possible: * Akhil Mohan <akhilerm@gmail.com> * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> * Aleksa Sarai <cyphar@cyphar.com> * Kir Kolyshkin <kolyshkin@gmail.com> * Sohan Kunkerkar <sohank2602@gmail.com> * TTFISH <jiongchiyu@gmail.com> * kychen <kychen@alauda.io> * lifubang <lifubang@acmcoder.com> * ls-ggg <335814617@qq.com> Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> # -----BEGIN PGP SIGNATURE----- # # iQEzBAABCAAdFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmZrFGYACgkQF95ey3Wh # EA7DPwf9HVwO0EO3s7OuJPBCmZBp92L6AMDBmkpnE14Pi1c4DVcWtlrBna2CNnUJ # 4Hu8rgEtT80Y8L3GBf96Wo3C1DHR6lG6dyu6FjHozWu97WfrTtw92I/254dQZnsr # i7m+5C6Tluewr9pH6ageRI0rRYt4QPpyRihMkiZQHl44Z5ogRGJvCCkjk9nIDlxi # ok2U5aPIw4NWPwnMg3wC6CmcviaM81kyuWh2Twc1OPwRilCPQXWblcUgqujg5tOr # C3Z6AwiIedpMt6Nr0jdWZh9Rh0ffuOXBEiUO/K8vYqE/eDvqJd42c8ALi1HOONoU # ZwrNWNU3o2pIQ4qz0Fs4vauK4wSs1A== # =IFN9 # -----END PGP SIGNATURE----- # gpg: Signature made Thu Jun 13 08:46:46 2024 PDT # gpg: using RSA key C2428CD75720FACDCF76B6EA17DE5ECB75A1100E # gpg: Can't check signature: No public key # Conflicts: # CHANGELOG.md # VERSION # go.mod # go.sum # vendor/golang.org/x/sys/unix/mmap_nomremap.go # vendor/golang.org/x/sys/windows/syscall_windows.go # vendor/modules.txt
v1.1.13 -- "There is no certainty in the world. This is the only certainty I have." This is the thirteenth patch release in the 1.1.z release branch of runc. It brings in Go 1.12.x compatibility and fixes a few issues, including an occasional wrong nofile rlimit in runc exec, and a race between runc list and runc delete. NOTE that if using Go 1.22.x to build runc, make sure to use 1.22.4 or a later version. For more details, see issue opencontainers#4233. * Support go 1.22.4+. (opencontainers#4313) * runc list: fix race with runc delete. (opencontainers#4231) * Fix set nofile rlimit error. (opencontainers#4277, opencontainers#4299) * libct/cg/fs: fix setting rt_period vs rt_runtime. (opencontainers#4284) * Fix a debug msg for user ns in nsexec. (opencontainers#4315) * script/*: fix gpg usage wrt keyboxd. (opencontainers#4316) * CI fixes and misc backports. (opencontainers#4241) * Fix codespell warnings. (opencontainers#4300) * Silence security false positives from golang/net. (opencontainers#4244) * libcontainer: allow containers to make apps think fips is enabled/disabled for testing. (opencontainers#4257) * allow overriding VERSION value in Makefile. (opencontainers#4270) * Vagrantfile.fedora: bump Fedora to 39. (opencontainers#4261) * ci/cirrus: rm centos stream 8. (opencontainers#4305, opencontainers#4308) Thanks to all of the contributors who made this release possible: * Akhil Mohan <akhilerm@gmail.com> * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> * Aleksa Sarai <cyphar@cyphar.com> * Kir Kolyshkin <kolyshkin@gmail.com> * Sohan Kunkerkar <sohank2602@gmail.com> * TTFISH <jiongchiyu@gmail.com> * kychen <kychen@alauda.io> * lifubang <lifubang@acmcoder.com> * ls-ggg <335814617@qq.com> Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> # -----BEGIN PGP SIGNATURE----- # # iQEzBAABCAAdFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmZrFGYACgkQF95ey3Wh # EA7DPwf9HVwO0EO3s7OuJPBCmZBp92L6AMDBmkpnE14Pi1c4DVcWtlrBna2CNnUJ # 4Hu8rgEtT80Y8L3GBf96Wo3C1DHR6lG6dyu6FjHozWu97WfrTtw92I/254dQZnsr # i7m+5C6Tluewr9pH6ageRI0rRYt4QPpyRihMkiZQHl44Z5ogRGJvCCkjk9nIDlxi # ok2U5aPIw4NWPwnMg3wC6CmcviaM81kyuWh2Twc1OPwRilCPQXWblcUgqujg5tOr # C3Z6AwiIedpMt6Nr0jdWZh9Rh0ffuOXBEiUO/K8vYqE/eDvqJd42c8ALi1HOONoU # ZwrNWNU3o2pIQ4qz0Fs4vauK4wSs1A== # =IFN9 # -----END PGP SIGNATURE----- # gpg: Signature made Thu Jun 13 08:46:46 2024 PDT # gpg: using RSA key C2428CD75720FACDCF76B6EA17DE5ECB75A1100E # gpg: Can't check signature: No public key
v1.1.13 -- "There is no certainty in the world. This is the only certainty I have." This is the thirteenth patch release in the 1.1.z release branch of runc. It brings in Go 1.12.x compatibility and fixes a few issues, including an occasional wrong nofile rlimit in runc exec, and a race between runc list and runc delete. NOTE that if using Go 1.22.x to build runc, make sure to use 1.22.4 or a later version. For more details, see issue opencontainers#4233. * Support go 1.22.4+. (opencontainers#4313) * runc list: fix race with runc delete. (opencontainers#4231) * Fix set nofile rlimit error. (opencontainers#4277, opencontainers#4299) * libct/cg/fs: fix setting rt_period vs rt_runtime. (opencontainers#4284) * Fix a debug msg for user ns in nsexec. (opencontainers#4315) * script/*: fix gpg usage wrt keyboxd. (opencontainers#4316) * CI fixes and misc backports. (opencontainers#4241) * Fix codespell warnings. (opencontainers#4300) * Silence security false positives from golang/net. (opencontainers#4244) * libcontainer: allow containers to make apps think fips is enabled/disabled for testing. (opencontainers#4257) * allow overriding VERSION value in Makefile. (opencontainers#4270) * Vagrantfile.fedora: bump Fedora to 39. (opencontainers#4261) * ci/cirrus: rm centos stream 8. (opencontainers#4305, opencontainers#4308) Thanks to all of the contributors who made this release possible: * Akhil Mohan <akhilerm@gmail.com> * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> * Aleksa Sarai <cyphar@cyphar.com> * Kir Kolyshkin <kolyshkin@gmail.com> * Sohan Kunkerkar <sohank2602@gmail.com> * TTFISH <jiongchiyu@gmail.com> * kychen <kychen@alauda.io> * lifubang <lifubang@acmcoder.com> * ls-ggg <335814617@qq.com> Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> # -----BEGIN PGP SIGNATURE----- # # iQEzBAABCAAdFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmZrFGYACgkQF95ey3Wh # EA7DPwf9HVwO0EO3s7OuJPBCmZBp92L6AMDBmkpnE14Pi1c4DVcWtlrBna2CNnUJ # 4Hu8rgEtT80Y8L3GBf96Wo3C1DHR6lG6dyu6FjHozWu97WfrTtw92I/254dQZnsr # i7m+5C6Tluewr9pH6ageRI0rRYt4QPpyRihMkiZQHl44Z5ogRGJvCCkjk9nIDlxi # ok2U5aPIw4NWPwnMg3wC6CmcviaM81kyuWh2Twc1OPwRilCPQXWblcUgqujg5tOr # C3Z6AwiIedpMt6Nr0jdWZh9Rh0ffuOXBEiUO/K8vYqE/eDvqJd42c8ALi1HOONoU # ZwrNWNU3o2pIQ4qz0Fs4vauK4wSs1A== # =IFN9 # -----END PGP SIGNATURE----- # gpg: Signature made Thu Jun 13 08:46:46 2024 PDT # gpg: using RSA key C2428CD75720FACDCF76B6EA17DE5ECB75A1100E # gpg: Can't check signature: No public key
golang.org/x/net:v0.8.0 has some security vulnerabilities: