Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NO-ISSUE: Update docker pkg to fix CVE-2024-41110 and CVE-2023-2253 #7198

Merged
merged 1 commit into from
Jan 22, 2025
Merged

NO-ISSUE: Update docker pkg to fix CVE-2024-41110 and CVE-2023-2253 #7198

merged 1 commit into from
Jan 22, 2025

Conversation

pastequo
Copy link
Contributor

@pastequo pastequo commented Jan 17, 2025
edited
Loading

Konflux reported CVEs. Updating pkg to fix:

- assisted-service:
	- github.com/docker/docker to 25.0.6
	- golang.org/x/crypto to 0.31.0
	- github.com/docker/distribution to 2.8.2-beta.1
	- golang.org/x/net to 0.33.0

cc @giladravid16

List all the issues related to this PR

  • New Feature
  • Enhancement
  • Bug fix
  • Tests
  • Documentation
  • CI/CD

What environments does this code impact?

  • Automation (CI, tools, etc)
  • Cloud
  • Operator Managed Deployments
  • None

How was this code tested?

  • assisted-test-infra environment
  • dev-scripts environment
  • Reviewer's test appreciated
  • Waiting for CI to do a full test run
  • Manual (Elaborate on how it was tested)
  • No tests needed

Checklist

  • Title and description added to both, commit and PR.
  • Relevant issues have been associated (see CONTRIBUTING guide)
  • This change does not require a documentation update (docstring, docs, README, etc)
  • Does this change include unit-tests (note that code changes require unit-tests)

Reviewers Checklist

  • Are the title and description (in both PR and commit) meaningful and clear?
  • Is there a bug required (and linked) for this change?
  • Should this PR be backported?

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 17, 2025
@openshift-ci-robot
Copy link

@pastequo: This pull request explicitly references no jira issue.

In response to this:

Konflux reported CVEs. Updating pkg to fix those

- assisted-service:
  - github.com/docker/docker to 25.0.6
  - golang.org/x/crypto to 0.31.0
  - github.com/docker/distribution to 2.8.2-beta.1
  - golang.org/x/net to 0.33.0

cc @giladravid16

List all the issues related to this PR

  • New Feature
  • Enhancement
  • Bug fix
  • Tests
  • Documentation
  • CI/CD

What environments does this code impact?

  • Automation (CI, tools, etc)
  • Cloud
  • Operator Managed Deployments
  • None

How was this code tested?

  • assisted-test-infra environment
  • dev-scripts environment
  • Reviewer's test appreciated
  • Waiting for CI to do a full test run
  • Manual (Elaborate on how it was tested)
  • No tests needed

Checklist

  • Title and description added to both, commit and PR.
  • Relevant issues have been associated (see CONTRIBUTING guide)
  • This change does not require a documentation update (docstring, docs, README, etc)
  • Does this change include unit-tests (note that code changes require unit-tests)

Reviewers Checklist

  • Are the title and description (in both PR and commit) meaningful and clear?
  • Is there a bug required (and linked) for this change?
  • Should this PR be backported?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jan 17, 2025
@openshift-ci openshift-ci bot added the api-review Categorizes an issue or PR as actively needing an API review. label Jan 17, 2025
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jan 17, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pastequo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 17, 2025
@codecov Codecov
Copy link

codecov bot commented Jan 17, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.44%. Comparing base (f913284) to head (3ec6ae1).
Report is 3 commits behind head on master.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #7198      +/-   ##
==========================================
+ Coverage   67.89%   68.44%   +0.54%     
==========================================
  Files         298      298              
  Lines       40652    41449     +797     
==========================================
+ Hits        27599    28368     +769     
+ Misses      10584    10579       -5     
- Partials     2469     2502      +33

see 9 files with indirect coverage changes

@giladravid16
Copy link
Contributor

The clair-scan task in konflux still shows critical and high CVEs

@giladravid16
Copy link
Contributor

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 19, 2025
@paul-maidment
Copy link
Contributor

Could we get an enumeration of what CVE's are being fixed here?

@pastequo
Copy link
Contributor Author

pastequo commented Jan 20, 2025
edited
Loading

@paul-maidment Clair scan shows (not including the mediums)

			{
				"msg": "Found packages with critical vulnerabilities. Consider updating to a newer version of those packages, they may no longer be affected by the reported CVEs.",
				"metadata": {
					"details": {
						"description": "Vulnerabilities found: github.com/docker/docker-v25.0.3+incompatible (GHSA-v23v-6jw2-98fq), golang.org/x/crypto-v0.21.0 (GHSA-v778-237x-gjrc), github.com/go-git/go-git/v5-v5.11.0 (GHSA-v725-9546-7q7m)",
						"name": "clair_critical_vulnerabilities",
						"url": "https://access.redhat.com/articles/red_hat_vulnerability_tutorial"
					},
					"vulnerabilities_number": 3
				}
			},
			{
				"msg": "Found packages with high vulnerabilities. Consider updating to a newer version of those packages, they may no longer be affected by the reported CVEs.",
				"metadata": {
					"details": {
						"description": "Vulnerabilities found: golang.org/x/net-v0.23.0 (GHSA-w32m-9786-jp63), github.com/go-git/go-git/v5-v5.11.0 (GHSA-r9px-m959-cxf4)",
						"name": "clair_high_vulnerabilities",
						"url": "https://access.redhat.com/articles/red_hat_vulnerability_tutorial"
					},
					"vulnerabilities_number": 2
				}
			},

@pastequo
Copy link
Contributor Author

I think the problem comes from the multiple binary we install

oc is using the problematic version of go-git

@pastequo
Copy link
Contributor Author

openshift/oc#1960

@giladravid16
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 20, 2025
@pastequo
Copy link
Contributor Author

/retest

@pastequo pastequo changed the title NO-ISSUE: Update docker pkg to fix CVE NO-ISSUE: Update docker pkg to fix CVE-2024-41110 Jan 21, 2025
@giladravid16
Copy link
Contributor

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 21, 2025
@paul-maidment
Copy link
Contributor

I think the problem comes from the multiple binary we install

oc is using the problematic version of go-git

In which case, let's not forget about the downstream images.
You might want to check those in the downstream repo after resolving this PR.

@pastequo
Copy link
Contributor Author

/retest

@pastequo pastequo changed the title NO-ISSUE: Update docker pkg to fix CVE-2024-41110 NO-ISSUE: Update docker pkg to fix CVE-2024-41110 and CVE-2023-2253 Jan 21, 2025
@pastequo pastequo force-pushed the fix/update-pkg-for-cves branch from b43fed7 to c274893 Compare January 21, 2025 13:33
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Jan 21, 2025
@pastequo pastequo force-pushed the fix/update-pkg-for-cves branch from c274893 to 3ec6ae1 Compare January 21, 2025 15:20
@giladravid16
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 22, 2025
@pastequo
Copy link
Contributor Author

/retest

@openshift-ci-robot
Copy link

/retest-required

Remaining retests: 0 against base HEAD cc75f5f and 2 for PR HEAD 3ec6ae1 in total

1 similar comment
@openshift-ci-robot
Copy link

/retest-required

Remaining retests: 0 against base HEAD cc75f5f and 2 for PR HEAD 3ec6ae1 in total

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jan 22, 2025

@pastequo: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit 9df3014 into openshift:master Jan 22, 2025
17 checks passed
@openshift-bot
Copy link
Contributor

[ART PR BUILD NOTIFIER]

Distgit: ose-agent-installer-api-server
This PR has been included in build ose-agent-installer-api-server-container-v4.19.0-202501221938.p0.g9df3014.assembly.stream.el9.
All builds following this will include this PR.

@pastequo pastequo deleted the fix/update-pkg-for-cves branch January 23, 2025 15:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danmanor danmanor Awaiting requested review from danmanor

@giladravid16 giladravid16 Awaiting requested review from giladravid16

Assignees

@giladravid16 giladravid16

Labels
api-review Categorizes an issue or PR as actively needing an API review. approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@pastequo @openshift-ci-robot @giladravid16 @paul-maidment @openshift-bot