fix: CVE-2023-7104(github.com/mattn/go-sqlite3) #829
Conversation
Skipping CI for Draft Pull Request.
After looking at the libraries to update, it seems that this:
Updating to
@@ -101,7 +101,9 @@ require ( | |||
|
|||
replace ( | |||
github.com/go-yaml/yaml => github.com/go-yaml/yaml v2.2.8+incompatible | |||
github.com/mattn/go-sqlite3 => github.com/mattn/go-sqlite3 v1.14.18 | |||
github.com/tektoncd/pipeline => github.com/tektoncd/pipeline v0.12.0 |
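Review bot: the replace directive pinning github.com/mattn/go-sqlite3 at v1.14.18 changes the resolved module graph, so go.sum needs the matching h1: entries for that version; run go mod tidy against this go.mod and commit the resulting go.sum with the PR. Also add a comment above the go-sqlite3 line recording that it is a temporary pin for CVE-2023-7104 on a transitive dependency, so it can be dropped once the direct dependency updates; keep in mind that a replace is only honoured when this module is built as the main module, not by consumers that import it.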
Need to run go mod tidy to update go.sum.
I have run go mod tidy, but the issue is that the library is not present in our go.sum. Instead it is being used by one of the libraries we use, and that is the reason why we see this 😅.
Since it is a dependency of another library, I guess we cannot do much unless they update it. So I thought we can temporarily fix it using the replace 😅. But if this is not the right way to do so, we should ignore the CVE until there is an update from the other library's side. Please let me know what you think.
Yes I agree, but we still would have some updates in go.sum, right? Given we are introducing additional packages.
I tried a go mod tidy, and there is no update to go.sum. I have no idea why 😅
Hum, when I used your go.mod from this PR, I have a lot cleaned up in go.sum.
🤔
I tried again :( no updates for me. Am I missing something while doing go mod tidy?
@AjayJagan You can try cleaning up the cache once: go clean -modcache
done, still the same go.sum file 😅
@VaishnaviHire but we are already on v0.26.0 right? In the incubation branch itself?
/retest-required
/retest
/test opendatahub-operator-e2e
Looks like e2e fails, I will take a look.
/retest
@VaishnaviHire, I have used
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: VaishnaviHire.
New changes are detected. LGTM label has been removed.
Merged 32cb14d into opendatahub-io:incubation
This PR is intended to fix CVE-2023-7104.
Description
It fixes the following CVE.
How Has This Been Tested?
Tried to run the operator and everything works well.
Merge criteria: