Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bump alpine to 3.18.5 to address CVE concerns #4376

Merged
merged 1 commit into from
Dec 6, 2023
Merged

bump alpine to 3.18.5 to address CVE concerns #4376

merged 1 commit into from
Dec 6, 2023

Conversation

zhzhuang-zju
Copy link
Contributor

@zhzhuang-zju zhzhuang-zju commented Dec 6, 2023
edited
Loading

What type of PR is this?
/kind cleanup

What this PR does / why we need it:
bump alpine to 3.18.5 to address CVE-2023-5363
Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

➜  karmada git:(master) ✗ trivy image --format table  docker.io/karmada/karmada-operator:new 
2023-12-06T10:42:09.997+0800    INFO    Need to update DB
2023-12-06T10:42:09.997+0800    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2023-12-06T10:42:09.997+0800    INFO    Downloading DB...
41.17 MiB / 41.17 MiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1.89 MiB p/s 22s
2023-12-06T10:42:33.531+0800    INFO    Vulnerability scanning is enabled
2023-12-06T10:42:33.531+0800    INFO    Secret scanning is enabled
2023-12-06T10:42:33.531+0800    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-06T10:42:33.531+0800    INFO    Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
2023-12-06T10:42:36.627+0800    INFO    Detected OS: alpine
2023-12-06T10:42:36.627+0800    INFO    Detecting Alpine vulnerabilities...
2023-12-06T10:42:36.629+0800    INFO    Number of language-specific files: 1
2023-12-06T10:42:36.629+0800    INFO    Detecting gobinary vulnerabilities...

docker.io/karmada/karmada-operator:new (alpine 3.18.5)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Does this PR introduce a user-facing change?:

The base image `alpine` now has been promoted from `alpine:3.18.3` to `alpine:3.18.5`

@karmada-bot karmada-bot added the kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. label Dec 6, 2023
@karmada-bot karmada-bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Dec 6, 2023
@RainbowMango
Copy link
Member

There are two more places we might need to update as well:

  1. karmada/pkg/karmadactl/cmdinit/kubernetes/deploy.go

    Line 117 in 5e3f34c

    DefaultInitImage = "docker.io/alpine:3.15.1"

  2. karmada/pkg/karmadactl/cmdinit/kubernetes/deploy.go

    Line 668 in 5e3f34c

    return i.ImageRegistry + "/alpine:3.15.1"

@codecov-commenter
Copy link

codecov-commenter commented Dec 6, 2023
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (6128367) 51.80% compared to head (d4bc240) 51.86%.
Report is 34 commits behind head on master.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #4376      +/-   ##
==========================================
+ Coverage   51.80%   51.86%   +0.05%     
==========================================
  Files         243      243              
  Lines       24112    24114       +2     
==========================================
+ Hits        12491    12506      +15     
+ Misses      10941    10925      -16     
- Partials      680      683       +3
Flag Coverage Δ
unittests 51.86% <100.00%> (+0.05%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@zhzhuang-zju
bump alpine to 3.18.5 to address CVE concerns
d4bc240 
Signed-off-by: zhzhuang-zju <m17799853869@163.com>
@karmada-bot karmada-bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Dec 6, 2023
@zhzhuang-zju
Copy link
Contributor Author

There are two more places we might need to update as well:

  1. karmada/pkg/karmadactl/cmdinit/kubernetes/deploy.go

    Line 117 in 5e3f34c

    DefaultInitImage = "docker.io/alpine:3.15.1"

  2. karmada/pkg/karmadactl/cmdinit/kubernetes/deploy.go

    Line 668 in 5e3f34c

    return i.ImageRegistry + "/alpine:3.15.1"

There are two more places we might need to update as well:

  1. karmada/pkg/karmadactl/cmdinit/kubernetes/deploy.go

    Line 117 in 5e3f34c

    DefaultInitImage = "docker.io/alpine:3.15.1"

  2. karmada/pkg/karmadactl/cmdinit/kubernetes/deploy.go

    Line 668 in 5e3f34c

    return i.ImageRegistry + "/alpine:3.15.1"

done~

RainbowMango
RainbowMango approved these changes Dec 6, 2023
View reviewed changes
Copy link
Member

@RainbowMango RainbowMango left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

Please help to cherry-pick it to release branches:

  • release-1.8
  • release-1.7
  • release-1.6
  • release-1.5

PS:
For the release-1.5, we might need to release a final patch release.

@karmada-bot karmada-bot added the lgtm Indicates that a PR is ready to be merged. label Dec 6, 2023
@karmada-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: RainbowMango

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@karmada-bot karmada-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 6, 2023
@karmada-bot karmada-bot merged commit edbea75 into karmada-io:master Dec 6, 2023
12 checks passed
@zhzhuang-zju
Copy link
Contributor Author

/lgtm /approve

Please help to cherry-pick it to release branches:

  • release-1.8
  • release-1.7
  • release-1.6
  • release-1.5

PS: For the release-1.5, we might need to release a final patch release.

/assign

This was referenced Dec 6, 2023
Merged
Merged
Merged
Merged
zhzhuang-zju added a commit to zhzhuang-zju/karmada that referenced this pull request Dec 6, 2023
@zhzhuang-zju
Automated cherry pick of karmada-io#4376: bump alpine to 3.18.5 to ad…
c48c4c0 
…dress CVE concerns

Signed-off-by: zhzhuang-zju <m17799853869@163.com>
zhzhuang-zju added a commit to zhzhuang-zju/karmada that referenced this pull request Dec 6, 2023
@zhzhuang-zju
Automated cherry pick of karmada-io#4376: bump alpine to 3.18.5 to ad…
e6d892c 
…dress CVE concerns

Signed-off-by: zhzhuang-zju <m17799853869@163.com>
karmada-bot added a commit that referenced this pull request Dec 6, 2023
@karmada-bot
Merge pull request #4379 from zhzhuang-zju/automated-cherry-pick-of-#…
6bdcd9c 
…4376-upstream-release-1.8

Automated cherry pick of #4376: bump alpine to 3.18.5 to address CVE concerns
karmada-bot added a commit that referenced this pull request Dec 6, 2023
@karmada-bot
Merge pull request #4381 from zhzhuang-zju/automated-cherry-pick-of-#…
e671886 
…4376-upstream-release-1.6

Automated cherry pick of #4376: bump alpine to 3.18.5 to address CVE concerns
karmada-bot added a commit that referenced this pull request Dec 6, 2023
@karmada-bot
Merge pull request #4382 from zhzhuang-zju/automated-cherry-pick-of-#…
77d04c4 
…4376-upstream-release-1.5

Automated cherry pick of #4376: bump alpine to 3.18.5 to address CVE concerns
karmada-bot added a commit that referenced this pull request Dec 6, 2023
@karmada-bot
Merge pull request #4380 from zhzhuang-zju/automated-cherry-pick-of-#…
348adcc 
…4376-upstream-release-1.7

Automated cherry pick of #4376: bump alpine to 3.18.5 to address CVE concerns
@RainbowMango RainbowMango mentioned this pull request Jan 31, 2024
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RainbowMango RainbowMango RainbowMango approved these changes

@chaunceyjiang chaunceyjiang Awaiting requested review from chaunceyjiang

@Poor12 Poor12 Awaiting requested review from Poor12

Assignees

@RainbowMango RainbowMango

@zhzhuang-zju zhzhuang-zju

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm Indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@zhzhuang-zju @RainbowMango @codecov-commenter @karmada-bot