Skip to content
This repository has been archived by the owner on Oct 10, 2023. It is now read-only.

Fix Docker related CVEs #4549

Merged
merged 1 commit into from
Apr 7, 2023
Merged

Fix Docker related CVEs #4549

merged 1 commit into from
Apr 7, 2023

Conversation

rajathagasthya
Copy link
Member

What this PR does / why we need it

Updates docker to v20.10.24 to fix CVE-2023-28840, CVE-2023-28841 and CVE-2023-28842.

Which issue(s) this PR fixes

Fixes everything currently open in https://github.com/vmware-tanzu/tanzu-framework/security/dependabot

Describe testing done for PR

Updated dependency and verified all modules build successfully.

$ make modules
$ make smoke-build

Release note

Updated Docker dependency in Go modules to v20.10.24 to fix CVE-2023-28840, CVE-2023-28841 and CVE-2023-28842.

Additional information

Special notes for your reviewer

@rajathagasthya rajathagasthya requested review from a team and prkalle as code owners April 5, 2023 19:06
@rajathagasthya rajathagasthya added the ok-to-merge PRs should be labelled with this before merging label Apr 5, 2023
@github-advanced-security
Copy link

You have successfully added a new Trivy configuration .github/workflows/cve_scan.yaml:trivy_scan. As part of the setup process, we have scanned this repository and found no existing alerts. In the future, you will see all code scanning alerts on the repository Security tab.

tenczar
tenczar approved these changes Apr 5, 2023
View reviewed changes
Copy link
Contributor

@tenczar tenczar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@github-actions
Copy link

github-actions bot commented Apr 5, 2023

Cluster Generation A/B Results:
https://storage.googleapis.com/tkg-clustergen/4549/20230405191433/clustergen.diff.txt
Author/reviewers:
Please review to verify that the effects on the generated cluster configurations are exactly what the PR intended, and give a thumbs-up if so.

imikushin
imikushin approved these changes Apr 5, 2023
View reviewed changes
Copy link
Contributor

@imikushin imikushin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rajathagasthya rajathagasthya force-pushed the docker-dependabot-fix branch from d06e378 to b708573 Compare April 6, 2023 14:15
@github-actions
Copy link

github-actions bot commented Apr 6, 2023

Cluster Generation A/B Results:
https://storage.googleapis.com/tkg-clustergen/4549/20230406142511/clustergen.diff.txt
Author/reviewers:
Please review to verify that the effects on the generated cluster configurations are exactly what the PR intended, and give a thumbs-up if so.

danniel1205
danniel1205 approved these changes Apr 6, 2023
View reviewed changes
Copy link
Contributor

@danniel1205 danniel1205 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks for the fix.

@rajathagasthya
Fix Docker related CVEs
9efab55 
Updates docker to v20.10.24 to fix CVE-2023-28840, CVE-2023-28841 and
CVE-2023-28842.
@rajathagasthya rajathagasthya force-pushed the docker-dependabot-fix branch from b708573 to 9efab55 Compare April 7, 2023 14:44
@github-actions
Copy link

github-actions bot commented Apr 7, 2023

Cluster Generation A/B Results:
https://storage.googleapis.com/tkg-clustergen/4549/20230407145325/clustergen.diff.txt
Author/reviewers:
Please review to verify that the effects on the generated cluster configurations are exactly what the PR intended, and give a thumbs-up if so.

@codecov
Copy link

codecov bot commented Apr 7, 2023

Codecov Report

Merging #4549 (9efab55) into main (7cf3455) will decrease coverage by 0.92%.
The diff coverage is 42.22%.

@@            Coverage Diff             @@
##             main    #4549      +/-   ##
==========================================
- Coverage   49.78%   48.87%   -0.92%     
==========================================
  Files         453      483      +30     
  Lines       45379    47544    +2165     
==========================================
+ Hits        22594    23239     +645     
- Misses      20632    22093    +1461     
- Partials     2153     2212      +59
Impacted Files Coverage Δ
addons/controllers/clusterbootstrap_controller.go 64.44% <0.00%> (-0.21%) ⬇️
...til/clusterbootstrapclone/clusterbootstrapclone.go 66.13% <46.34%> (-0.98%) ⬇️

... and 34 files with indirect coverage changes

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@rajathagasthya rajathagasthya merged commit 52d730d into vmware-tanzu:main Apr 7, 2023
@rajathagasthya rajathagasthya deleted the docker-dependabot-fix branch April 7, 2023 18:47
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Reviewers

@shyaamsn shyaamsn shyaamsn approved these changes

@anujc25 anujc25 anujc25 approved these changes

@tenczar tenczar tenczar approved these changes

@danniel1205 danniel1205 danniel1205 approved these changes

@imikushin imikushin imikushin approved these changes

@prkalle prkalle Awaiting requested review from prkalle

Assignees
No one assigned
Labels
cla-not-required ok-to-merge PRs should be labelled with this before merging
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@rajathagasthya @imikushin @danniel1205 @tenczar @anujc25 @shyaamsn @vmwclabot