Fix GHSA-7ww5-4wqc-m92c for release 1.13 #6684

Conversation

wallrj
Member

@wallrj wallrj commented Jan 31, 2024

Upgrade to the latest patch release of github.com/containerd/containerd which fixes GHSA-7ww5-4wqc-m92c

/sys/devices/virtual/powercap accessible by default to containers

That was causing a trivy failure for cmctl (false positive because that code isn't executed by cmctl)

Here's how I upgraded the package:

cd cmd/ctl/
GOPROXY=direct go get github.com/containerd/containerd@patch
cd ../../
make tidy
make update-licenses

Testing

$ make trivy-scan-ctl
...
2024-01-31T09:16:17.338Z        INFO    Detected OS: debian
2024-01-31T09:16:17.339Z        INFO    Detecting Debian vulnerabilities...
2024-01-31T09:16:17.339Z        INFO    Number of language-specific files: 1
2024-01-31T09:16:17.339Z        INFO    Detecting gobinary vulnerabilities...
...

$ echo $?
0

/kind cleanup
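As an added example (not code from the PR or the cert-manager project), a POSIX sh check that a go.mod's github.com/containerd/containerd requirement has reached the version the PR names as fixed, v1.7.12. Versions are compared per numeric component because a plain string compare would rank v1.7.9 above v1.7.12; the go.mod fragments and the module name example.com/ctl are constructed.

```shell
#!/bin/sh
# Added example: gate a go.mod's containerd requirement on the
# GHSA-7ww5-4wqc-m92c fix version named in the PR (v1.7.12).

FIXED_VERSION="v1.7.12"   # fixed version, as stated in the PR

# version_ge A B -> exit 0 if A >= B, comparing major.minor.patch numerically
version_ge() {
    a=${1#v}; b=${2#v}
    # drop any pre-release / build suffix such as -rc.1 or +incompatible
    a=${a%%[-+]*}; b=${b%%[-+]*}
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i"); y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# containerd_version GOMOD_TEXT -> prints the required containerd version, or
# nothing if the module is not required (handles both block and one-line require)
containerd_version() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "github.com/containerd/containerd") { print $(i + 1); exit }
    }'
}

# check_gomod GOMOD_TEXT -> prints "fixed", "vulnerable" or "absent"
check_gomod() {
    v=$(containerd_version "$1")
    [ -z "$v" ] && { echo absent; return 0; }
    if version_ge "$v" "$FIXED_VERSION"; then echo fixed; else echo vulnerable; fi
}

# Constructed go.mod fragments (not the real cmctl go.mod)
OLD_GOMOD='module example.com/ctl

go 1.21

require (
	github.com/containerd/containerd v1.7.9
	github.com/spf13/cobra v1.8.0
)'
NEW_GOMOD='module example.com/ctl

require github.com/containerd/containerd v1.7.12'

echo "before upgrade: $(check_gomod "$OLD_GOMOD")"
echo "after upgrade:  $(check_gomod "$NEW_GOMOD")"
```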

Fix GHSA-7ww5-4wqc-m92c by upgrading to `github.com/containerd/containerd@v1.7.12`

Signed-off-by: Richard Wall <richard.wall@venafi.com>
@jetstack-bot jetstack-bot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. area/testing Issues relating to testing size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jan 31, 2024

wallrj commented Jan 31, 2024

/test ci-cert-manager-release-1.13-trivy-test-ctl

@jetstack-bot
Contributor

@wallrj: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

  • /test pull-cert-manager-release-1.13-chart
  • /test pull-cert-manager-release-1.13-e2e-v1-28
  • /test pull-cert-manager-release-1.13-e2e-v1-28-upgrade
  • /test pull-cert-manager-release-1.13-make-test

The following commands are available to trigger optional jobs:

  • /test pull-cert-manager-release-1.13-e2e-v1-23
  • /test pull-cert-manager-release-1.13-e2e-v1-24
  • /test pull-cert-manager-release-1.13-e2e-v1-25
  • /test pull-cert-manager-release-1.13-e2e-v1-26
  • /test pull-cert-manager-release-1.13-e2e-v1-27
  • /test pull-cert-manager-release-1.13-e2e-v1-28-bestpractice-install
  • /test pull-cert-manager-release-1.13-e2e-v1-28-feature-gates-disabled
  • /test pull-cert-manager-release-1.13-e2e-v1-28-issuers-venafi-cloud
  • /test pull-cert-manager-release-1.13-e2e-v1-28-issuers-venafi-tpp
  • /test pull-cert-manager-release-1.13-license

Use /test all to run the following jobs that were automatically triggered:

  • pull-cert-manager-release-1.13-chart
  • pull-cert-manager-release-1.13-e2e-v1-28
  • pull-cert-manager-release-1.13-e2e-v1-28-upgrade
  • pull-cert-manager-release-1.13-license
  • pull-cert-manager-release-1.13-make-test

In response to this:

/test ci-cert-manager-release-1.13-trivy-test-ctl

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@wallrj wallrj requested a review from inteon January 31, 2024 09:33
@inteon
Member

inteon commented Jan 31, 2024

/approve
/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 31, 2024
@jetstack-bot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: inteon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 31, 2024
@jetstack-bot jetstack-bot merged commit 9af30ba into cert-manager:release-1.13 Jan 31, 2024
7 checks passed
@wallrj wallrj deleted the fix-GHSA-7ww5-4wqc-m92c-release-1.13 branch January 31, 2024 09:53