
Bump user-api to v0.34.2 in prod #2314

Closed
Conversation

fridex
Contributor

@fridex fridex commented Feb 3, 2022

Related Issues and Dependencies

Related: thoth-station/storages#2578

@sesheta
Member

sesheta commented Feb 3, 2022

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from fridex after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@fridex
Contributor Author

fridex commented Feb 3, 2022

/hold

... until available https://quay.io/repository/thoth-station/user-api?tab=tags

@sesheta sesheta added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 3, 2022
@goern
Member

goern commented Feb 4, 2022

interesting... user-api is based on quay.io/thoth-station/s2i-thoth-ubi8-py38:v0.32.0 (srcRef); that container image has 0 vulnerabilities (see quay), while the user-api container image has 7 High-level vulnerabilities, which all trace back to RHSA-2021:3816.

  1. how did that end up in user-api container image?
  2. is a build log of https://quay.io/repository/thoth-station/user-api/manifest/sha256:da4deb819740b293aa8f6c671b7004289ac3ffaca7f7fc4e14a2d0fbaa40626d available?
  3. why is https://quay.io/repository/thoth-station/user-api/manifest/sha256:da4deb819740b293aa8f6c671b7004289ac3ffaca7f7fc4e14a2d0fbaa40626d built from v0.32.0? see label io.openshift.s2i.build.image
  4. can we feed back quay image scans to a pull request?
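Question 4 asks how Quay image scans could be fed back to a pull request. The script below is an added example, not code from this PR, the thoth-station project, or Quay: it parses a report in the shape returned by Quay's manifest security endpoint (`GET /api/v1/repository/{repo}/manifest/{digest}/security?vulnerabilities=true`, an assumption about Quay's API), counts findings per severity, groups them per advisory so a cluster like "7 Highs from one RHSA" is visible at a glance, applies a severity gate, and checks the `io.openshift.s2i.build.image` label (question 3) against the builder image the PR expects. The scan contents and package names are constructed placeholders; the label name and the builder image tags are the ones quoted in this thread.

```python
"""Summarize a Quay/Clair image scan and the s2i builder label for a PR comment.

Added example, not code from this PR, the thoth-station project, or Quay.
Assumption: the JSON layout below follows Quay's
GET /api/v1/repository/{repo}/manifest/{digest}/security?vulnerabilities=true
response (status, data.Layer.Features[].Vulnerabilities[]). The report
contents are constructed placeholders, not a real scan of user-api.
"""
from collections import Counter, defaultdict

# Constructed sample report: the shape mirrors the Quay endpoint, the values are made up.
SAMPLE_SCAN = {
    "status": "scanned",
    "data": {"Layer": {"Features": [
        {"Name": "example-pkg-a", "Version": "1.0-1.el8", "Vulnerabilities": [
            {"Name": "RHSA-PLACEHOLDER:0001", "Severity": "High", "FixedBy": "1.0-2.el8"},
        ]},
        {"Name": "example-pkg-b", "Version": "2.3-4.el8", "Vulnerabilities": [
            {"Name": "RHSA-PLACEHOLDER:0001", "Severity": "High", "FixedBy": "2.3-5.el8"},
            {"Name": "CVE-PLACEHOLDER-0002", "Severity": "Medium", "FixedBy": ""},
        ]},
        {"Name": "example-pkg-c", "Version": "0.9", "Vulnerabilities": []},
    ]}},
}

# Constructed image labels; the label name and tags are the ones quoted in the thread.
SAMPLE_LABELS = {"io.openshift.s2i.build.image": "quay.io/thoth-station/s2i-thoth-ubi8-py38:v0.32.0"}
EXPECTED_BUILDER = "quay.io/thoth-station/s2i-thoth-ubi8-py38:v0.32.2"

# Clair severity ladder; anything unrecognised is treated as lowest.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Negligible": 0, "Unknown": 0}


def flatten(scan):
    """Yield (package, version, vulnerability) for every finding in the report."""
    if scan.get("status") != "scanned":
        raise ValueError(f"scan not finished: {scan.get('status')!r}")
    for feature in scan["data"]["Layer"]["Features"]:
        for vuln in feature.get("Vulnerabilities", []):
            yield feature["Name"], feature.get("Version", ""), vuln


def summarize(scan):
    """Count findings per severity and group affected packages per advisory id."""
    by_severity = Counter()
    by_advisory = defaultdict(list)
    for pkg, version, vuln in flatten(scan):
        by_severity[vuln.get("Severity", "Unknown")] += 1
        by_advisory[vuln["Name"]].append((pkg, version, vuln.get("FixedBy", "")))
    return by_severity, dict(by_advisory)


def passes_gate(scan, threshold="High"):
    """True when no finding is at or above the threshold severity."""
    limit = SEVERITY_RANK[threshold]
    return all(SEVERITY_RANK.get(v.get("Severity", "Unknown"), 0) < limit
               for _, _, v in flatten(scan))


def check_builder_label(labels, expected):
    """Compare the s2i builder label with the base image the PR expects."""
    actual = labels.get("io.openshift.s2i.build.image")
    return actual == expected, actual


def render_comment(scan, labels, expected_builder, threshold="High"):
    """Produce markdown lines suitable for posting back to the pull request."""
    by_severity, by_advisory = summarize(scan)
    ok_label, actual = check_builder_label(labels, expected_builder)
    verdict = "PASS" if passes_gate(scan, threshold) else "FAIL"
    lines = [f"### Image scan: {verdict} (threshold {threshold})"]
    sev_text = ", ".join(f"{sev} {n}" for sev, n in sorted(
        by_severity.items(), key=lambda kv: -SEVERITY_RANK.get(kv[0], 0))) or "none"
    lines.append("Findings by severity: " + sev_text)
    for advisory, pkgs in sorted(by_advisory.items()):
        fixes = ", ".join(f"{p} {v} (fixed in {f or 'n/a'})" for p, v, f in pkgs)
        lines.append(f"- {advisory}: {len(pkgs)} package(s): {fixes}")
    lines.append(f"Builder label: {'OK' if ok_label else 'MISMATCH'} "
                 f"(got {actual}, expected {expected_builder})")
    return lines


if __name__ == "__main__":
    print("\n".join(render_comment(SAMPLE_SCAN, SAMPLE_LABELS, EXPECTED_BUILDER)))
```

Grouping by advisory rather than by package is the useful view here: several High findings that share one RHSA are one remediation (rebuild on a fixed base image), not seven. A CI step would fetch the real report for the manifest digest, run `render_comment`, post the lines on the PR, and fail the check when `passes_gate` is false or the builder label does not match the intended tag.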

@goern
Member

goern commented Feb 4, 2022

/assign @fridex
/assign @mayaCostantini
/assign @harshad16
/sig devsecops
/sig security

@sesheta
Member

sesheta commented Feb 4, 2022

@goern: The label(s) sig/security cannot be applied, because the repository doesn't have them.

In response to this:

/assign @fridex
/assign @mayaCostantini
/assign @harshad16
/sig devsecops
/sig security

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@sesheta sesheta added the sig/devsecops Categorizes an issue or PR as relevant to SIG DevSecOps. label Feb 4, 2022
@goern
Member

goern commented Feb 4, 2022

maybe this is a thing? https://artifacthub.io/packages/tekton-task/tekton-catalog-tasks/trivy-scanner I didn't find any similar task for clair/quay.io

@goern
Member

goern commented Feb 4, 2022

user-api is based on quay.io/thoth-station/s2i-thoth-ubi8-py38:v0.32.0 (srcRef); that container image has 0 vulnerabilities

my fault, v0.32.0 has 7 vulns on quay, v0.32.2 has 0

@codificat
Member

/close
in favour of #2316

@sesheta sesheta closed this Feb 4, 2022
@sesheta
Member

sesheta commented Feb 4, 2022

@codificat: Closed this PR.

In response to this:

/close
in favour of #2316

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

6 participants