Skip to content

Commit

Permalink
CVE-2023-49568 and CVE-2023-49569 both detail vulnerabilities in vers…
Browse files Browse the repository at this point in the history 
…ions of https://github.com/go-git/go-git less than version v5.11 Presently assisted-installer depends on this library due to the following dependency chain. (#655)

github.com/containers/image/v5@v5.20.0 depends on github.com/sylabs/sif/v2@v2.3.2 github.com/sylabs/sif/v2@v2.3.2 depends on github.com/sylabs/release-tools@v0.1.0 github.com/sylabs/release-tools@v0.1.0 depends on github.com/go-git/go-git/v5@v5.4.2

From v2.5.0 github.com/sylabs/sif no longer depends on github.com/sylabs/release-tools@v0.1.0

The solution in this PR is as follows:

github.com/containers/image/v5@v5.21.1 is the closest revision we can upgrade to that uses github.com/sylabs/sif/v2 > v2.5.0 thus removing the go-git dependency altogether and resolving both CVEs.
  • Loading branch information
@paul-maidment
paul-maidment committed Jan 31, 2024
1 parent 3b973e1 commit 1616af3
Show file tree
Hide file tree
Showing 65 changed files with 11,527 additions and 464 deletions.
8 changes: 4 additions & 4 deletions go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ require (
github.com/kelseyhightower/envconfig v1.4.0
github.com/onsi/ginkgo v1.16.5
github.com/onsi/gomega v1.31.1
github.com/openshift/assisted-service v1.0.10-0.20240117211552-a75c684ca922
github.com/openshift/assisted-service v1.0.10-0.20240129190431-91b1deff72d8
github.com/openshift/assisted-service/client v0.0.0
github.com/openshift/assisted-service/models v0.0.0
github.com/openshift/baremetal-runtimecfg v0.0.0-20220211165258-fe92b9507bec
Expand Down Expand Up @@ -106,7 +106,7 @@ require (
github.com/jackc/pgtype v1.14.0 // indirect
github.com/jackc/pgx/v4 v4.16.0 // indirect
github.com/jinzhu/inflection v1.0.0 // indirect
github.com/jinzhu/now v1.1.4 // indirect
github.com/jinzhu/now v1.1.5 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
Expand Down Expand Up @@ -152,7 +152,7 @@ require (
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
gorm.io/driver/postgres v1.3.5 // indirect
gorm.io/gorm v1.24.5 // indirect
gorm.io/gorm v1.25.5 // indirect
howett.net/plist v1.0.0 // indirect
k8s.io/api v0.28.4 // indirect
k8s.io/apimachinery v0.28.4 // indirect
Expand All @@ -162,7 +162,7 @@ require (
k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
sigs.k8s.io/yaml v1.3.0 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect
)

require (
Expand Down
16 changes: 9 additions & 7 deletions go.sum
View file
Original file line number Diff line number Diff line change
Expand Up @@ -578,6 +578,7 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-containerregistry v0.5.1/go.mod h1:Ct15B4yir3PLOP5jsy0GNeYVaIZs/MK/Jz5any1wFW0=
Expand Down Expand Up @@ -768,8 +769,9 @@ github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
github.com/jinzhu/now v1.1.4 h1:tHnRBy1i5F2Dh8BAFxqFzxKqqvezXrL2OW1TnX+Mlas=
github.com/jinzhu/now v1.1.4/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
github.com/jmespath/go-jmespath v0.0.0-20160803190731-bd40a432e4c7/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
Expand Down Expand Up @@ -994,8 +996,8 @@ github.com/openshift-online/ocm-sdk-go v0.1.205 h1:DhvfTf55jpQsTFpI283/z3b0Tab8x
github.com/openshift-online/ocm-sdk-go v0.1.205/go.mod h1:iOhkt/6nFp9v7hasdmGbYlR/YKeUoaZKq5ZBrtyKwKg=
github.com/openshift/api v0.0.0-20231031181504-3be12e93388f h1:j7QYl057TBD/lxWAGCr4IrbdG7IMg2U60DFK+BKt3VI=
github.com/openshift/api v0.0.0-20231031181504-3be12e93388f/go.mod h1:yimSGmjsI+XF1mr+AKBs2//fSXIOhhetHGbMlBEfXbs=
github.com/openshift/assisted-service v1.0.10-0.20240117211552-a75c684ca922 h1:t3bxuvad+eNKtqoXaaYRnnE/awfdESFqvhS+qwysK7Q=
github.com/openshift/assisted-service v1.0.10-0.20240117211552-a75c684ca922/go.mod h1:mm2+MpOPJRq49PQnyDh1qDwVY35HNo3fmCl5U/Ife1I=
github.com/openshift/assisted-service v1.0.10-0.20240129190431-91b1deff72d8 h1:VnxGAW5YHb/maN/I9sdO5TibIYajQH25XYSFuccGG+8=
github.com/openshift/assisted-service v1.0.10-0.20240129190431-91b1deff72d8/go.mod h1:S5LIQRP336gDhICKg4G9n8gpQO3PwAX6a+spOgdk1nk=
github.com/openshift/assisted-service/api v0.0.0-20240117211552-a75c684ca922 h1:vajzotkigx8X/0fdmh5dw8Ssq6d5UOa3VtUGwNGrJ68=
github.com/openshift/assisted-service/api v0.0.0-20240117211552-a75c684ca922/go.mod h1:itEsGPQb6wEDwN9xuwHUe2z/2GYbXCwK31pmaBaE4xY=
github.com/openshift/assisted-service/client v0.0.0-20240117211552-a75c684ca922 h1:v8akqCJFt8GQy0y1ORWo8LbuP7rS4c/TGLmA2NEdPlM=
Expand Down Expand Up @@ -1889,8 +1891,8 @@ gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gorm.io/driver/postgres v1.3.5 h1:oVLmefGqBTlgeEVG6LKnH6krOlo4TZ3Q/jIK21KUMlw=
gorm.io/driver/postgres v1.3.5/go.mod h1:EGCWefLFQSVFrHGy4J8EtiHCWX5Q8t0yz2Jt9aKkGzU=
gorm.io/gorm v1.23.4/go.mod h1:l2lP/RyAtc1ynaTjFksBde/O8v9oOGIApu2/xRitmZk=
gorm.io/gorm v1.24.5 h1:g6OPREKqqlWq4kh/3MCQbZKImeB9e6Xgc4zD+JgNZGE=
gorm.io/gorm v1.24.5/go.mod h1:DVrVomtaYTbqs7gB/x2uVvqnXzv0nqjB396B8cG4dBA=
gorm.io/gorm v1.25.5 h1:zR9lOiiYf09VNh5Q1gphfyia1JpiClIWG9hQaxB/mls=
gorm.io/gorm v1.25.5/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
Expand Down Expand Up @@ -1987,6 +1989,6 @@ sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kF
sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU=
10 changes: 7 additions & 3 deletions vendor/github.com/jinzhu/now/README.md
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

9 changes: 5 additions & 4 deletions vendor/github.com/jinzhu/now/main.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

40 changes: 34 additions & 6 deletions vendor/github.com/jinzhu/now/now.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

20 changes: 15 additions & 5 deletions vendor/github.com/openshift/assisted-service/pkg/validations/validations.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

28 changes: 8 additions & 20 deletions vendor/github.com/openshift/assisted-service/restapi/embedded_spec.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 vendor/gorm.io/gorm/License → vendor/gorm.io/gorm/LICENSE
View file
File renamed without changes.
4 changes: 1 addition & 3 deletions vendor/gorm.io/gorm/README.md
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit 1616af3

Please sign in to comment.