This repository has been archived by the owner on Oct 10, 2023. It is now read-only.

Fix CVE in golang.org/x/net #4182

Merged
merged 5 commits into from
Dec 22, 2022

Conversation

rajathagasthya
Member

@rajathagasthya rajathagasthya commented Dec 15, 2022

What this PR does / why we need it

Updated throughout the repo, to address CVEs:

  • github.com/emicklei/go-restful/v3 v3.9.0
  • golang.org/x/crypto v0.4.0
  • golang.org/x/mod v0.7.0
  • golang.org/x/net v0.4.0
  • golang.org/x/oauth2 v0.3.0
  • golang.org/x/sync v0.1.0
  • golang.org/x/sys v0.3.0
  • golang.org/x/term v0.3.0
  • golang.org/x/text v0.5.0
  • golang.org/x/time v0.3.0
  • golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2

Other notable updates:

  • cloud.google.com/go v0.107.0
  • github.com/google/gnostic v0.6.9
  • k8s.io/kube-openapi v0.0.0-20221207184640-f3cff1453715
  • sigs.k8s.io/controller-runtime v0.12.3

Which issue(s) this PR fixes

Fixes #4208

Describe testing done for PR

Run a trivy scan and make sure the CVEs don't show up.

Release note

Updated throughout the repo, to address CVEs:
- github.com/emicklei/go-restful/v3 v3.9.0
- golang.org/x/crypto v0.4.0
- golang.org/x/mod v0.7.0
- golang.org/x/net v0.4.0
- golang.org/x/oauth2 v0.3.0
- golang.org/x/sync v0.1.0
- golang.org/x/sys v0.3.0
- golang.org/x/term v0.3.0
- golang.org/x/text v0.5.0
- golang.org/x/time v0.3.0
- golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2

Other notable updates:
- cloud.google.com/go v0.107.0
- github.com/google/gnostic v0.6.9
- k8s.io/kube-openapi v0.0.0-20221207184640-f3cff1453715
- sigs.k8s.io/controller-runtime v0.12.3

Additional information

Special notes for your reviewer
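The testing step above relies on a scanner run; a reviewer can also confirm the bump directly from `go.mod`. The following is an added example, not code from the PR or the project: it parses a constructed `go.mod` fragment (not the repository's real file) and reports every module still below the minimum patched version listed in this PR. `fixedVersions` holds a subset of that list; the comparison handles plain `vX.Y.Z` tags and Go pseudo-versions such as the `golang.org/x/xerrors` one, treating a pre-release suffix as lower than the bare release and comparing two suffixes as strings (which orders the timestamp form correctly).

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Minimum patched versions, taken from the PR description (subset).
var fixedVersions = map[string]string{
	"github.com/emicklei/go-restful/v3": "v3.9.0",
	"golang.org/x/crypto":               "v0.4.0",
	"golang.org/x/net":                  "v0.4.0",
	"golang.org/x/text":                 "v0.5.0",
	"golang.org/x/xerrors":              "v0.0.0-20220907171357-04be3eba64a2",
}

// constructedGoMod is a sample go.mod fragment written for this example;
// it is not the project's real go.mod. Two modules are deliberately stale.
const constructedGoMod = `module example.com/app

go 1.19

require (
	github.com/emicklei/go-restful/v3 v3.8.0
	golang.org/x/crypto v0.4.0
	golang.org/x/net v0.4.0 // indirect
	golang.org/x/text v0.3.7
	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
)
`

// parseRequires returns module path -> version for every require entry,
// handling both a "require (...)" block and single-line "require m v" form.
func parseRequires(goMod string) map[string]string {
	mods := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(goMod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" etc.
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue
		}
		if f := strings.Fields(line); len(f) == 2 {
			mods[f[0]] = f[1]
		}
	}
	return mods
}

// numAt returns the i-th dotted component as an int, 0 if absent or non-numeric.
func numAt(parts []string, i int) int {
	if i >= len(parts) {
		return 0
	}
	n, _ := strconv.Atoi(parts[i])
	return n
}

// compareVersions returns -1, 0 or 1 for a<b, a==b, a>b.
// Core major.minor.patch is compared numerically; a pre-release suffix
// (everything after the first '-') sorts below the bare release, and two
// suffixes compare as strings, which is sufficient for Go pseudo-versions.
func compareVersions(a, b string) int {
	aCore, aPre, _ := strings.Cut(strings.TrimPrefix(a, "v"), "-")
	bCore, bPre, _ := strings.Cut(strings.TrimPrefix(b, "v"), "-")
	ap, bp := strings.Split(aCore, "."), strings.Split(bCore, ".")
	for i := 0; i < 3; i++ {
		if an, bn := numAt(ap, i), numAt(bp, i); an != bn {
			if an < bn {
				return -1
			}
			return 1
		}
	}
	switch {
	case aPre == bPre:
		return 0
	case aPre == "":
		return 1
	case bPre == "":
		return -1
	case aPre < bPre:
		return -1
	}
	return 1
}

// outdated lists every required module still below its minimum patched version.
func outdated(goMod string) []string {
	have := parseRequires(goMod)
	var out []string
	for mod, min := range fixedVersions {
		if v, ok := have[mod]; ok && compareVersions(v, min) < 0 {
			out = append(out, fmt.Sprintf("%s %s < %s", mod, v, min))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, line := range outdated(constructedGoMod) {
		fmt.Println("STALE:", line)
	}
}
```

Running it against the fragment above flags `go-restful/v3 v3.8.0` and `golang.org/x/text v0.3.7`; an empty result means every module in the list is at or above the version this PR sets. Point it at the real `go.mod` by replacing `constructedGoMod` with the file contents, and note that it checks only the listed modules, not transitive requirements resolved from other modules' `go.mod` files.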

@github-actions

Cluster Generation A/B Results:
https://storage.googleapis.com/tkg-clustergen/4182/20221215174341/clustergen.diff.txt
Author/reviewers:
Please review to verify that the effects on the generated cluster configurations are exactly what the PR intended, and give a thumbs-up if so.

@codecov

codecov bot commented Dec 15, 2022

Codecov Report

Merging #4182 (9ee9991) into main (6b5fb26) will decrease coverage by 0.90%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #4182      +/-   ##
==========================================
- Coverage   49.27%   48.37%   -0.91%     
==========================================
  Files         450      480      +30     
  Lines       44575    46697    +2122     
==========================================
+ Hits        21963    22588     +625     
- Misses      20533    21977    +1444     
- Partials     2079     2132      +53     
Impacted Files Coverage Δ
addons/controllers/machine_controller.go 65.65% <0.00%> (-3.04%) ⬇️
packageclients/pkg/packageclient/package_update.go 83.57% <0.00%> (-1.43%) ⬇️
cmd/cli/plugin/cluster/get.go 6.27% <0.00%> (ø)
cmd/cli/plugin/cluster/machinehealthcheck.go 100.00% <0.00%> (ø)
.../cli/plugin/cluster/set_machinehealthcheck_node.go 23.33% <0.00%> (ø)
cmd/cli/plugin/cluster/delete_node_pool.go 16.66% <0.00%> (ø)
cmd/cli/plugin/cluster/available_upgrade.go 16.32% <0.00%> (ø)
cmd/cli/plugin/cluster/credentials_update.go 8.73% <0.00%> (ø)
.../cli/plugin/cluster/get_machinehealthcheck_node.go 9.30% <0.00%> (ø)
...olated-cluster/imagepushop/publishimagesfromtar.go 73.17% <0.00%> (ø)
... and 23 more


@imikushin
Contributor

I took the liberty to update golang.org/x deps throughout the project and add the commit to this PR, @rajathagasthya @danniel1205.

@imikushin imikushin marked this pull request as ready for review December 16, 2022 03:13
@imikushin imikushin requested review from a team and prkalle as code owners December 16, 2022 03:13
@github-actions

Cluster Generation A/B Results:
https://storage.googleapis.com/tkg-clustergen/4182/20221216031952/clustergen.diff.txt
Author/reviewers:
Please review to verify that the effects on the generated cluster configurations are exactly what the PR intended, and give a thumbs-up if so.

@imikushin imikushin added the ok-to-merge PRs should be labelled with this before merging label Dec 16, 2022
@github-actions

Cluster Generation A/B Results:
https://storage.googleapis.com/tkg-clustergen/4182/20221216171337/clustergen.diff.txt
Author/reviewers:
Please review to verify that the effects on the generated cluster configurations are exactly what the PR intended, and give a thumbs-up if so.

@imikushin
Contributor

Added a fix for CVE-2022-1996, @rajathagasthya @danniel1205, @shyaamsn.

@github-actions

Cluster Generation A/B Results:
https://storage.googleapis.com/tkg-clustergen/4182/20221220002205/clustergen.diff.txt
Author/reviewers:
Please review to verify that the effects on the generated cluster configurations are exactly what the PR intended, and give a thumbs-up if so.

@github-actions

Cluster Generation A/B Results:
https://storage.googleapis.com/tkg-clustergen/4182/20221220024101/clustergen.diff.txt
Author/reviewers:
Please review to verify that the effects on the generated cluster configurations are exactly what the PR intended, and give a thumbs-up if so.

@github-actions

Cluster Generation A/B Results:
https://storage.googleapis.com/tkg-clustergen/4182/20221221154628/clustergen.diff.txt
Author/reviewers:
Please review to verify that the effects on the generated cluster configurations are exactly what the PR intended, and give a thumbs-up if so.

@github-actions

Cluster Generation A/B Results:
https://storage.googleapis.com/tkg-clustergen/4182/20221221213210/clustergen.diff.txt
Author/reviewers:
Please review to verify that the effects on the generated cluster configurations are exactly what the PR intended, and give a thumbs-up if so.

danniel1205 and others added 5 commits December 21, 2022 15:57
Signed-off-by: Daniel Guo <danniel1205@gmail.com>
Updated throughout the repo to latest versions:
- golang.org/x/crypto v0.4.0
- golang.org/x/mod v0.7.0
- golang.org/x/net v0.4.0
- golang.org/x/oauth2 v0.3.0
- golang.org/x/sync v0.1.0
- golang.org/x/sys v0.3.0
- golang.org/x/term v0.3.0
- golang.org/x/text v0.5.0
- golang.org/x/time v0.3.0
- golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2

Other notable updates:
- cloud.google.com/go v0.107.0

Signed-off-by: Ivan Mikushin <imikushin@vmware.com>
Addressing CVE-2022-1996, updated throughout the repo to versions:
- github.com/emicklei/go-restful/v3 v3.9.0
- k8s.io/kube-openapi v0.0.0-20221207184640-f3cff1453715

github.com/emicklei/go-restful v2 is now fully replaced by v3.

Signed-off-by: Ivan Mikushin <imikushin@vmware.com>
In order to address CVE-2022-1996 with a kube-openapi upgrade, we also
need to update other k8s dependencies. Without this,
github.com/googleapis/gnostic/extensions and
github.com/google/gnostic/extensions conflict.
@github-actions

Cluster Generation A/B Results:
https://storage.googleapis.com/tkg-clustergen/4182/20221221221019/clustergen.diff.txt
Author/reviewers:
Please review to verify that the effects on the generated cluster configurations are exactly what the PR intended, and give a thumbs-up if so.

@imikushin imikushin merged commit a56516e into vmware-tanzu:main Dec 22, 2022
@rajathagasthya rajathagasthya deleted the feature-capability-cve branch December 22, 2022 14:58
Labels
cla-not-required ok-to-merge PRs should be labelled with this before merging
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Fix CVE-2022-1996, CVE-2022-32149 and CVE-2022-27664
5 participants