Update go version to 1.20 and resolve CVEs #613

Merged 1 commit on Apr 16, 2024

Member

@DharmitD DharmitD commented Mar 21, 2024

The issue resolved by this Pull Request:

Resolves https://issues.redhat.com/browse/RHOAIENG-2260

Description of your changes:

Bumped go version to 1.20.
Updated K8s package versions to eliminate high level snyk CVE. Verified that the package versions are compatible with each other: https://github.com/kubernetes-sigs/controller-runtime/blob/v0.15.0/go.mod#L20-L27
Also updated the DSPO controller go code to fix all breaking changes introduced by upgrading the sigs.k8s.io/controller-runtime package to 0.15.0.

Testing instructions

Imported my fork in snyk and made sure the relevant CVEs were fixed with this update.

Updated package versions locally based on what versions are compatible with each other and ran go mod tidy.
Ran go build locally to make sure no errors were introduced due to any breaking changes arising from package version upgrades.
Pushed changes to my fork and ensured the CVEs were resolved.

Checklist

  • The commits are squashed in a cohesive manner and have meaningful messages.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

@DharmitD DharmitD changed the title from "Resolve K8s CVEs" to "UPSTREAM: <carry>: update go.mod packages" Mar 21, 2024
@DharmitD DharmitD changed the title from "UPSTREAM: <carry>: update go.mod packages" to "Update go.mod packages to resolve CVEs" Mar 21, 2024
@@ -10,7 +10,7 @@ jobs:
- uses: actions/checkout@v2
- uses: actions/setup-go@v2
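
Review bot: both `uses:` lines in this hunk reference their actions by a mutable major tag (`actions/checkout@v2`, `actions/setup-go@v2`), so the job runs whatever code those tags point to at the time of the build. Since the workflow is being edited anyway, pin each action to a full commit SHA with the release noted in a trailing comment, and move both off v2 to a current release in the same change. The lines visible here do not show the Go version passed to setup-go, so confirm it matches the 1.20 toolchain this PR targets.
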
Member

Since we're editing these files, I think we should converge on the same action version (i.e. functests and unittests are using actions/setup-go@v4, but image-check is v2 and kind-integration is v1).

Member Author

Not sure what these action versions signify tbh. What version should we converge on? And should it be the same version across all actions? As in, could it be different for specific actions - say checkout set to v2 and setup set to v4, or should we have just one version?

@DharmitD DharmitD force-pushed the snyk-k8s branch 3 times, most recently from 25f14b9 to 4c80a15 Compare March 28, 2024 15:00
@DharmitD DharmitD force-pushed the snyk-k8s branch 3 times, most recently from 13766b7 to 7b74a29 Compare April 3, 2024 18:50
@dsp-developers
Contributor

Change to PR detected. A new PR build was completed.
A new image has been built to help with testing out this PR: quay.io/opendatahub/data-science-pipelines-operator:pr-613

@DharmitD DharmitD changed the title from "Update go.mod packages to resolve CVEs" to "Update go version to 1.20 and resolve CVEs" Apr 9, 2024
@dsp-developers
Contributor

Change to PR detected. A new PR build was completed.
A new image has been built to help with testing out this PR: quay.io/opendatahub/data-science-pipelines-operator:pr-613

Contributor

@amadhusu amadhusu left a comment

The code changes look fine to me! I will leave the lgtm tag for the next person who verifies the same.

@openshift-ci openshift-ci bot added the lgtm label Apr 12, 2024
@HumairAK HumairAK requested review from gmfrasca and removed request for rimolive and hbelmiro April 15, 2024 19:38
Contributor

openshift-ci bot commented Apr 16, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amadhusu, gmfrasca

@openshift-merge-bot openshift-merge-bot bot merged commit f30e4d5 into opendatahub-io:main Apr 16, 2024
6 checks passed