
Fix CVE 2023 48795 #6675

Merged: 3 commits merged into cert-manager:release-1.13 on Jan 30, 2024

Conversation

@wallrj (Member) commented Jan 30, 2024

Fixes the failing trivy scan on the release-1.13 branch by upgrading golang.org/x/crypto from v0.14.0 to v0.17.0.

[screenshot: the failing trivy scan on release-1.13]

You can also see these failures on ArtifactHub:

[two screenshots: the same failures shown on ArtifactHub]

I ran the following commands:

```shell
make vendor-go                          # provisions the Go toolchain under _bin/tools (used by the GOROOT export below)
export PATH="$PWD/_bin/tools:$PATH"
export GOROOT="$PWD/_bin/tools/goroot"
# Run `go get` in every sub-module (each directory holding a go.mod), skipping the _bin tooling tree.
find . -type f -name 'go.mod' -not -path './_bin/*' -printf '%h\n' \
  | sort \
  | while read -r d; do (cd "$d" && go get golang.org/x/crypto@v0.17.0); done
make tidy                               # runs go mod tidy across the sub-modules
make update-licenses
```

/kind cleanup
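A practitioner applying the same upgrade usually wants to confirm afterwards that the `go get` loop actually reached every sub-module and that no go.mod still pins a golang.org/x/crypto release below v0.17.0. The script below is an added verification check, not part of this PR or of cert-manager; it assumes the same layout as the commands above (go.mod files scattered under a root directory, tooling under `_bin/` to be skipped) and uses its own hypothetical function names.

```shell
#!/bin/sh
# Added example (not from the PR): verify that every sub-module's go.mod requires
# golang.org/x/crypto at or above the first release carrying the CVE-2023-48795 fix.

FIXED_VERSION="v0.17.0"   # first golang.org/x/crypto release with the Terrapin (CVE-2023-48795) fix

# Print the golang.org/x/crypto version required by one go.mod (empty if absent).
# Handles both the one-line `require golang.org/x/crypto vX.Y.Z` form and the
# `require ( ... )` block form, where the module name is the first field.
crypto_version() {
    awk '$1 == "golang.org/x/crypto" { print $2; exit }
         $1 == "require" && $2 == "golang.org/x/crypto" { print $3; exit }' "$1"
}

# Return 0 (true) when version $1 is strictly older than version $2.
# Compares the numeric components of vMAJOR.MINOR.PATCH; pre-release suffixes
# are ignored, which is adequate for the tagged x/crypto releases involved here.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/^v/, "", a); sub(/^v/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Walk a checkout the way the PR's find command does and list every sub-module
# still below FIXED_VERSION as "<dir> <version>". Exit status 1 if any were found.
check_tree() {
    root="$1"
    rc=0
    for modfile in $(find "$root" -type f -name go.mod -not -path '*/_bin/*' | sort); do
        v=$(crypto_version "$modfile")
        if [ -n "$v" ] && version_lt "$v" "$FIXED_VERSION"; then
            echo "$(dirname "$modfile") $v"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage: ./check-xcrypto.sh <repo-root>
if [ $# -gt 0 ]; then
    check_tree "$1"
fi
```

Run it from the repository root after `make tidy`; a clean run prints nothing and exits 0, so it can sit in CI next to the trivy scan and catch a sub-module that the upgrade loop missed.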

Fix CVE 2023 48795 by upgrading to golang.org/x/crypto@v0.17.0

```console
$ go version
go version go1.20.13 linux/amd64

$ find . -type f -name 'go.mod' -not -path './_bin/*' -printf '%h\n' \
  | sort \
  | while read d; do (cd $d; go get golang.org/x/crypto@v0.17.0); done
```

Signed-off-by: Richard Wall <richard.wall@venafi.com>
Signed-off-by: Richard Wall <richard.wall@venafi.com>
@jetstack-bot jetstack-bot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. area/acme Indicates a PR directly modifies the ACME Issuer code area/testing Issues relating to testing labels Jan 30, 2024
Signed-off-by: Richard Wall <richard.wall@venafi.com>
golang.org/x/sys v0.14.0 // indirect
golang.org/x/text v0.13.0 // indirect
golang.org/x/sys v0.15.0 // indirect
golang.org/x/text v0.14.0 // indirect
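Review bot: The bumps of golang.org/x/sys (v0.14.0 to v0.15.0) and golang.org/x/text (v0.13.0 to v0.14.0) in this sub-module are side effects of the per-module `go get` rather than part of the CVE-2023-48795 fix; add a sentence saying so to the commit message (currently "Fix CVE 2023 48795 by upgrading to golang.org/x/crypto@v0.17.0") so that reviewers and release-note readers do not take them for a second advisory fix. Keeping all sub-modules on the same versions, as the author's comment proposes, is reasonable.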
@wallrj (Member Author) commented on these go.mod lines:

These got upgraded as a side effect of my running go get golang.org/x/crypto@v0.17.0 in every sub-module.
go mod tidy then removes the unused import and leaves behind these updates to indirect dependencies which are used in this sub-module.

I considered reverting these changes, but decided that it was neater to have all the sub-modules using the same versions of golang.org/x/sys and golang.org/x/text.

@wallrj (Member Author) commented Jan 30, 2024

/retest

@wallrj wallrj requested a review from maelvls January 30, 2024 12:51
@wallrj (Member Author) commented Jan 30, 2024

@wallrj: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| pull-cert-manager-release-1.13-license | 9a4d1c7 | link | false | /test pull-cert-manager-release-1.13-license |
| pull-cert-manager-release-1.13-chart | 9a4d1c7 | link | true | /test pull-cert-manager-release-1.13-chart |
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

These were flakes which disappeared upon /retest:

@inteon (Member) commented Jan 30, 2024

/approve
/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 30, 2024
@jetstack-bot (Contributor)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: inteon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 30, 2024
@jetstack-bot jetstack-bot merged commit 7241d49 into cert-manager:release-1.13 Jan 30, 2024
7 checks passed
@wallrj wallrj deleted the fix-CVE-2023-48795 branch January 30, 2024 14:20
@wallrj wallrj mentioned this pull request Jan 30, 2024