Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: govulncheck is failed with new vulnerability GO-2024-2687 #1783

Merged
merged 2 commits into from
Apr 8, 2024
Merged

ci: govulncheck is failed with new vulnerability GO-2024-2687 #1783

merged 2 commits into from
Apr 8, 2024

Conversation

liudalibj
Copy link
Member

fix the report issues from govulncheck CI.

for #1779

govulncheck is failed with error:

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.19.0
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
...

  Standard library
    Found in: net/http@go1.21.8
    Fixed in: net/http@go1.21.9
    Example traces found:
...

More details https://github.com/confidential-containers/cloud-api-adaptor/actions/runs/8593242256/job/23544455229?pr=1778

Da Li Liu added 2 commits April 8, 2024 19:41
versions: Bump golang to 1.21.9
e8b09ab 
- fix https://pkg.go.dev/vuln/GO-2024-2687

Signed-off-by: Da Li Liu <liudali@cn.ibm.com>
CI: bump golang.org/x/net to v0.23.0
76d421f 
- fix https://pkg.go.dev/vuln/GO-2024-2687

Signed-off-by: Da Li Liu <liudali@cn.ibm.com>
@liudalibj liudalibj mentioned this pull request Apr 8, 2024
Closed
@liudalibj liudalibj requested a review from genjuro214 April 8, 2024 11:45
@liudalibj liudalibj added the test_e2e_libvirt Run Libvirt e2e tests label Apr 8, 2024
stevenhorsman
stevenhorsman approved these changes Apr 8, 2024
View reviewed changes
Copy link
Member

@stevenhorsman stevenhorsman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks DaLi!

huoqifeng
huoqifeng reviewed Apr 8, 2024
View reviewed changes
src/cloud-api-adaptor/Dockerfile
@@ -1,5 +1,5 @@
ARG BUILD_TYPE=dev
ARG BUILDER_BASE=quay.io/confidential-containers/golang-fedora:1.21.8-38
ARG BUILDER_BASE=quay.io/confidential-containers/golang-fedora:1.21.9-38
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds like this is not good:

ERROR: failed to solve: quay.io/confidential-containers/golang-fedora:1.21.9-38: failed to resolve source metadata for quay.io/confidential-containers/golang-fedora:1.21.9-38: quay.io/confidential-containers/golang-fedora:1.21.9-38: not found

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is my fault for suggesting DaLi update it. Maybe we have to do that as a separate bump as this image is only build after this PR is merged?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The quay.io/confidential-containers/golang-fedora:1.21.9-38 is not build yet, it should be triggered at https://github.com/confidential-containers/cloud-api-adaptor/blob/main/.github/workflows/build-golang-fedora.yaml after this PR be merged.
I think we can skip the e2e-test for this PR.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, let's re-trigger the build if CI fails after merge because https://github.com/confidential-containers/cloud-api-adaptor/blob/main/.github/workflows/build-golang-fedora.yaml might be triggered later than caa.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I'll merge it and then check the tests

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After I waited for the golang-fedora base image build to happen I triggered the nightly libvirt tests and the podvm image builders passed.

@liudalibj liudalibj removed the test_e2e_libvirt Run Libvirt e2e tests label Apr 8, 2024
huoqifeng
huoqifeng approved these changes Apr 8, 2024
View reviewed changes
Copy link

@huoqifeng huoqifeng left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@stevenhorsman stevenhorsman merged commit 7f4cc55 into confidential-containers:main Apr 8, 2024
39 of 46 checks passed
@liudalibj liudalibj deleted the fix-vuln-2687 branch April 9, 2024 02:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stevenhorsman stevenhorsman stevenhorsman approved these changes

@huoqifeng huoqifeng huoqifeng approved these changes

@bpradipt bpradipt Awaiting requested review from bpradipt

@genjuro214 genjuro214 Awaiting requested review from genjuro214

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@liudalibj @huoqifeng @stevenhorsman