Skip to content

CVE fixes of High priority #525

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 19, 2024
Merged

CVE fixes of High priority #525

merged 2 commits into from
Apr 19, 2024

Conversation

ChristianZaccaria
Copy link
Contributor

@ChristianZaccaria ChristianZaccaria commented Apr 16, 2024
edited
Loading

Issue link

Jira: https://issues.redhat.com/browse/RHOAIENG-5504

What changes have been made

Upgraded dependencies to fix a number of High CVEs.

Verification steps

e2e tests passing is sufficient.

Checks

  • I've made sure the tests are passing.
  • Testing Strategy
    • Unit tests
    • Manual tests
    • Testing is not required for this change

KPostOffice
KPostOffice reviewed Apr 16, 2024
View reviewed changes
Copy link
Collaborator

@KPostOffice KPostOffice left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One tiny comment

go.mod
@@ -22,6 +22,10 @@ require (

replace sigs.k8s.io/custom-metrics-apiserver => sigs.k8s.io/custom-metrics-apiserver v1.25.1-0.20230306170449-63d8c93851f3

replace go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp => go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0

replace github.com/jackc/pgx/v4 => github.com/jackc/pgx/v5 v5.5.4
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this be change to v5.5.5?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is a strange one, I tried doing that but go doesn't like it. I.e.,

  • With v5.5.4, a go mod tidy successfully replaces the v4 module in go.mod and go.sum.
  • With v5.5.5 a go mod tidy fails.

I even performed a git reset --hard to previous commit to ensure a fresh state to test getting and replacing the module for v5.5.5, but still failed on go mod tidy.

[christianzaccaria@thinkpad codeflare-operator]$ go get github.com/jackc/pgx/v5@v5.5.4
go: github.com/jackc/pgx/v5@v5.5.4 used for two different module paths (github.com/jackc/pgx/v4 and github.com/jackc/pgx/v5)
[christianzaccaria@thinkpad codeflare-operator]$ go mod tidy
[christianzaccaria@thinkpad codeflare-operator]$ go get github.com/jackc/pgx/v5@v5.5.5
go: github.com/jackc/pgx/v5@v5.5.5 used for two different module paths (github.com/jackc/pgx/v4 and github.com/jackc/pgx/v5)
[christianzaccaria@thinkpad codeflare-operator]$ go mod tidy
go: finding module for package github.com/jackc/pgx/v5/pgxpool
go: finding module for package github.com/jackc/pgx/v5/pgconn
go: finding module for package github.com/jackc/pgx/v5/pgtype
go: finding module for package github.com/jackc/pgx/v5
go: found github.com/jackc/pgx/v5 in github.com/jackc/pgx/v5 v5.5.5
go: found github.com/jackc/pgx/v5/pgconn in github.com/jackc/pgx/v5 v5.5.5
go: found github.com/jackc/pgx/v5/pgtype in github.com/jackc/pgx/v5 v5.5.5
go: found github.com/jackc/pgx/v5/pgxpool in github.com/jackc/pgx/v5 v5.5.5
go: github.com/jackc/pgx/v5@v5.5.5 used for two different module paths (github.com/jackc/pgx/v4 and github.com/jackc/pgx/v5)

astefanutti
astefanutti reviewed Apr 17, 2024
View reviewed changes
Copy link
Contributor

@astefanutti astefanutti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Out-of-curiosity, where do these transitive dependencies come from? Could they be upgraded by upgrading k8s version / controller-runtime?

@ChristianZaccaria
Copy link
Contributor Author

ChristianZaccaria commented Apr 17, 2024
edited
Loading

Out-of-curiosity, where do these transitive dependencies come from? Could they be upgraded by upgrading k8s version / controller-runtime?

@astefanutti For pgx module, the transitive dependencies come from ocm-sdk-go. Their main branch and also latest tag make use of an older version of pgx module.

The other module otelhttp does come from k8s.io/component-base and k8s.io/apiextensions-apiserver. I'll see if I can upgrade these ones instead, thanks!

Snyk - pgx CVE
Snyk - otelhttp CVE

@ChristianZaccaria
Copy link
Contributor Author

@astefanutti upgrading k8s modules causes some issues in tests. Should I drop that commit for now?

@sutaakar
Copy link
Contributor

The test issues could be resolved by upgrading codeflare-common , however upgraded version use Go 1.21, so it can't be used until we upgrade CFO to 1.21?

@ChristianZaccaria
Copy link
Contributor Author

@sutaakar Thank you, that could work. I see that the latest go ubi8 image is 1.20. Do you think dropping the latest commit here for now is okay?

@sutaakar
Copy link
Contributor

it is fine for me

@ChristianZaccaria ChristianZaccaria force-pushed the cve-fixes-high-several branch 2 times, most recently from fb13f1d to 0e32f36 Compare April 18, 2024 09:52
@Bobbins228
Copy link
Contributor

When trying to create an image I got this error:

/home/mark/codeflare-operator/bin/controller-gen rbac:roleName=manager-role webhook paths="./..."
Error: err: exit status 1: stderr: go: updates to go.mod needed; to update it:
	go mod tidy
run `controller-gen rbac:roleName=manager-role webhook paths=./... -w` to see all available markers, or `controller-gen rbac:roleName=manager-role webhook paths=./... -h` for usage
make: *** [Makefile:131: manifests] Error 1

@Fiona-Waters
Copy link
Contributor

I tried to create an image with make image-build -e IMG=quay.io/rh_ee_fwaters/codeflare-operator:cve and it worked successfully. I am running go1.20.
@Bobbins228 is using go1.22.1 so this could be what is causing the issue.

@astefanutti
Copy link
Contributor

@ChristianZaccaria could you give this a rebase please?

@ChristianZaccaria
Copy link
Contributor Author

@ChristianZaccaria could you give this a rebase please?

Rebased, thank you!

@astefanutti
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Apr 19, 2024
@dimakis
Copy link
Contributor

dimakis commented Apr 19, 2024

/approve

1 similar comment
@astefanutti
Copy link
Contributor

/approve

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Apr 19, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: astefanutti, dimakis

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit 7caa6c7 into project-codeflare:main Apr 19, 2024
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anishasthana anishasthana Awaiting requested review from anishasthana

@MichaelClifford MichaelClifford Awaiting requested review from MichaelClifford

@KPostOffice KPostOffice Awaiting requested review from KPostOffice

@astefanutti astefanutti Awaiting requested review from astefanutti

Assignees

@astefanutti astefanutti

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@ChristianZaccaria @sutaakar @Bobbins228 @Fiona-Waters @astefanutti @dimakis @KPostOffice