
fix(deps): switch to github.com/anchore/archiver/v3 #1544

Merged: 1 commit merged into master from ross-anchore-archiver-3.5.2 on Jun 17, 2024

Conversation

@RTann (Collaborator) commented Jun 13, 2024

github.com/mholt/archiver/v3 v3.51.1 is affected by CVE-2024-0406. There is a PR in-progress to resolve this, but it has been rather inactive lately.

We are not affected by this vulnerability, as it affects a codepath which we do not use.

I previously decided to remove the #1472 dependency by copying functions over to this repository. However, I ran into issues with CI I have not really been wanting to resolve in that PR, and I believe this approach is safer.

In this approach, we replace github.com/mholt/archiver/v3 v3.51.1 with github.com/anchore/archiver/v3 v3.51.2. See mholt/archiver@v3.5.1...anchore:archiver:v3.5.2 for the exact details. It is clear the only difference is the contents of the previously mentioned PR, which does not affect our codepath.

Note 1: This uses the replace directive instead of actually completely replacing the dependency due to annoying circular dependency things with the stackrox/stackrox repo.

Note 2: This will not resolve the vulnerability match in the stackrox/stackrox repo, as replace is only used when the go.mod in this repo is the main module. So, we will have to replace in the stackrox/stackrox repo, too.
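The scope rule behind Note 2, as an added worked example (not code from this PR or from the stackrox projects): a small Go program with its own minimal go.mod parser (not golang.org/x/mod) that reads two constructed go.mod files and reports which archiver module a build would actually use. The module names example.com/scanner and example.com/consumer are hypothetical stand-ins for this repo and for stackrox/stackrox; the archiver paths and versions are the ones named in the PR. The parser also accepts the version-qualified and directory forms of replace, which go beyond what the PR uses.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Replacement is the right-hand side of a replace directive (Version is empty for "=> ../dir").
type Replacement struct{ Path, Version string }

// ModFile holds the two go.mod directives that matter for this question.
type ModFile struct {
	Require map[string]string      // module path -> required version
	Replace map[string]Replacement // module path -> replacement
}

// parseGoMod is a deliberately small parser (not golang.org/x/mod): it reads require
// and replace directives in single-line or "( ... )" block form, dropping "//" comments.
func parseGoMod(src string) ModFile {
	mf, block := ModFile{Require: map[string]string{}, Replace: map[string]Replacement{}}, ""
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // strip "// indirect" and friends
		fields := strings.Fields(line)
		switch {
		case len(fields) == 0:
			continue
		case block == "" && len(fields) == 2 && fields[1] == "(":
			block = fields[0] // entering "require (" or "replace ("
			continue
		case fields[0] == ")":
			block = ""
			continue
		}
		directive, args := fields[0], fields[1:]
		if block != "" {
			directive, args = block, fields
		}
		switch {
		case directive == "require" && len(args) == 2:
			mf.Require[args[0]] = args[1]
		case directive == "replace": // "old => new vX", "old vX => new vY" or "old => ../dir"
			if lr := strings.SplitN(strings.Join(args, " "), " => ", 2); len(lr) == 2 && strings.TrimSpace(lr[1]) != "" {
				r := strings.Fields(lr[1])
				mf.Replace[args[0]] = Replacement{Path: r[0], Version: strings.Join(r[1:], "")}
			}
		}
	}
	return mf
}

// resolve applies the rule Note 2 relies on: require lines feed the version (a tidy main
// go.mod lists the selected version of each module, so a dependency's requirement only
// fills in a path the main module omits), but only the main module's replace is honoured.
func resolve(main ModFile, deps []ModFile, path string) (string, string) {
	version := main.Require[path]
	for _, d := range deps {
		if v, ok := d.Require[path]; ok && version == "" {
			version = v // d.Replace is deliberately never consulted
		}
	}
	if rep, ok := main.Replace[path]; ok {
		return rep.Path, rep.Version
	}
	return path, version
}

// Constructed go.mod files; example.com/scanner and example.com/consumer are hypothetical
// names standing in for this repo and for stackrox/stackrox respectively.
const (
	archiver     = "github.com/mholt/archiver/v3"
	ownReplace   = "replace github.com/mholt/archiver/v3 => github.com/anchore/archiver/v3 v3.5.2\n"
	scannerGoMod = `module example.com/scanner
require github.com/mholt/archiver/v3 v3.5.1
` + ownReplace
	consumerGoMod = `module example.com/consumer
require (
	example.com/scanner v0.0.1
	github.com/mholt/archiver/v3 v3.5.1 // indirect
)
`
)

// Effective reports which archiver module a build of mainGoMod uses, given the go.mod
// files of its dependencies.
func Effective(mainGoMod string, depGoMods ...string) (string, string) {
	var deps []ModFile
	for _, d := range depGoMods {
		deps = append(deps, parseGoMod(d))
	}
	return resolve(parseGoMod(mainGoMod), deps, archiver)
}

func main() {
	fmt.Println(Effective(scannerGoMod))                           // this repo: the fork
	fmt.Println(Effective(consumerGoMod, scannerGoMod))            // downstream: still mholt v3.5.1
	fmt.Println(Effective(consumerGoMod+ownReplace, scannerGoMod)) // downstream with its own replace
}
```

The same check on a real checkout is `go list -m github.com/mholt/archiver/v3` run inside the consumer module: the replacement appears after `=>` only when that module's own go.mod carries the directive, which is why a scanner-only replace still leaves the consumer's vulnerability match in place.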

@dcaravel (Contributor) left a comment


Added label generate-dumps-on-pr to try and generate some dumps to ensure it works. May need an empty commit to trigger?

@RTann force-pushed the ross-anchore-archiver-3.5.2 branch from 393fb6b to 25552d9 on June 14, 2024 21:45
@RTann (Collaborator, Author) commented Jun 17, 2024

/retest

@RTann RTann merged commit 04eafe6 into master Jun 17, 2024
29 checks passed
@RTann RTann deleted the ross-anchore-archiver-3.5.2 branch June 17, 2024 18:28
Labels
generate-dumps-on-pr Generates the image based on dumps from the PR