[release-1.13] Bump to go 1.20.12 #6544

Merged

@wallrj (Member) commented Dec 11, 2023

See https://go.dev/doc/devel/release#go1.20

  • go1.20.11 (released 2023-11-07) includes security fixes to the path/filepath package, as well as bug fixes to the linker and the net/http package.
  • go1.20.12 (released 2023-12-05) includes security fixes to the go command, and the net/http and path/filepath packages, as well as bug fixes to the compiler and the go command.
cert-manager is now built with Go 1.20.12

/kind feature

Testing

Before:

$ make vendor-go
cd _bin/tools/ && ln -f -s ../downloaded/tools/_go-1.20.10-linux-amd64/goroot .
cd _bin/tools/ && ln -f -s ../downloaded/tools/_go-1.20.10-linux-amd64/goroot/bin/go .

$ go version
go version go1.20.10 linux/amd64

$ govulncheck --version
Go: go1.20.10
Scanner: govulncheck@v1.0.1
DB: https://vuln.go.dev
DB updated: 2023-12-11 15:30:30 +0000 UTC

No vulnerabilities found.

Share feedback at https://go.dev/s/govulncheck-feedback.

$ govulncheck ./...
Scanning your code and 1396 packages across 149 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2023-2382
    Denial of service via chunk extensions in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-2382
  Standard library
    Found in: net/http/internal@go1.20.10
    Fixed in: net/http/internal@go1.21.5
    Example traces found:
      #1: pkg/issuer/acme/dns/util/wait.go:258:25: util.httpDNSClient.Exchange calls ioutil.ReadAll, which eventually calls internal.chunkedReader.Read

Vulnerability #2: GO-2023-2186
    Incorrect detection of reserved device names on Windows in path/filepath
  More info: https://pkg.go.dev/vuln/GO-2023-2186
  Standard library
    Found in: path/filepath@go1.20.10
    Fixed in: path/filepath@go1.21.4
    Example traces found:
      #1: pkg/issuer/venafi/client/instrumentedvenaficlient.go:67:51: client.instrumentedConnector.RetrieveCertificate calls cloud.Connector.RetrieveCertificate, which eventually calls filepath.IsLocal

Vulnerability #3: GO-2023-2185
    Insecure parsing of Windows paths with a \??\ prefix in path/filepath
  More info: https://pkg.go.dev/vuln/GO-2023-2185
  Standard library
    Found in: internal/safefilepath@go1.20.10
    Fixed in: internal/safefilepath@go1.21.4
    Platforms: windows
    Example traces found:
      #1: test/apiserver/apiserver.go:44:24: apiserver.RunBareControlPlane calls envtest.Environment.Start, which eventually calls safefilepath.FromFS
      #2: test/apiserver/apiserver.go:44:24: apiserver.RunBareControlPlane calls envtest.Environment.Start, which eventually calls safefilepath.FromFS
      #3: pkg/controller/context.go:254:51: controller.NewContextFactory calls clientcmd.BuildConfigFromFlags, which eventually calls filepath.Abs
      #4: pkg/logs/logs.go:34:2: logs.init calls klog.init, which calls filepath.Base
      #5: test/acme/suite.go:94:40: acme.fixture.TestExtendedDeletingOneRecordRetainsOthers calls wait.PollUntilContextTimeout, which eventually calls filepath.Clean
      #6: pkg/util/configfile/configfile.go:53:43: configfile.configurationFSLoader.Load calls filepath.Dir
      #7: pkg/issuer/venafi/client/instrumentedvenaficlient.go:67:51: client.instrumentedConnector.RetrieveCertificate calls cloud.Connector.RetrieveCertificate, which eventually calls filepath.IsLocal
      #8: test/webhook/testwebhook.go:85:39: webhook.StartWebhookServer calls filepath.Join
      #9: pkg/acme/client/http.go:73:37: client.Transport.RoundTrip calls exec.roundTripper.RoundTrip, which eventually calls filepath.VolumeName
      #10: test/acme/util.go:50:26: acme.fixture.setupNamespace calls filepath.Walk
      #11: pkg/controller/context.go:254:51: controller.NewContextFactory calls clientcmd.BuildConfigFromFlags, which eventually calls filepath.Abs
      #12: pkg/logs/logs.go:34:2: logs.init calls klog.init, which calls filepath.Base
      #13: test/acme/suite.go:94:40: acme.fixture.TestExtendedDeletingOneRecordRetainsOthers calls wait.PollUntilContextTimeout, which eventually calls filepath.Clean
      #14: pkg/util/configfile/configfile.go:53:43: configfile.configurationFSLoader.Load calls filepath.Dir
      #15: pkg/issuer/venafi/client/instrumentedvenaficlient.go:67:51: client.instrumentedConnector.RetrieveCertificate calls cloud.Connector.RetrieveCertificate, which eventually calls filepath.IsLocal
      #16: test/webhook/testwebhook.go:85:39: webhook.StartWebhookServer calls filepath.Join
      #17: pkg/acme/client/http.go:73:37: client.Transport.RoundTrip calls exec.roundTripper.RoundTrip, which eventually calls filepath.VolumeName
      #18: test/acme/util.go:50:26: acme.fixture.setupNamespace calls filepath.Walk

Your code is affected by 3 vulnerabilities from the Go standard library.

Share feedback at https://go.dev/s/govulncheck-feedback.

After:

$ make vendor-go
cd _bin/tools/ && ln -f -s ../downloaded/tools/_go-1.20.12-linux-amd64/goroot .
cd _bin/tools/ && ln -f -s ../downloaded/tools/_go-1.20.12-linux-amd64/goroot/bin/go .

$ govulncheck --version
Go: go1.20.12
Scanner: govulncheck@v1.0.1
DB: https://vuln.go.dev
DB updated: 2023-12-11 15:30:30 +0000 UTC

No vulnerabilities found.

Share feedback at https://go.dev/s/govulncheck-feedback.

$ govulncheck ./...
Scanning your code and 1396 packages across 149 dependent modules for known vulnerabilities...

No vulnerabilities found.

Share feedback at https://go.dev/s/govulncheck-feedback.

Signed-off-by: Richard Wall <richard.wall@venafi.com>
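The Before/After evidence above comes from govulncheck, which needs network access to https://vuln.go.dev. As an added example (not part of this PR or of cert-manager's code), the Go program below turns the same outcome into an offline toolchain gate: it parses the version printed by `go version` or by `go version -m <binary>` and fails when the toolchain is older than the first release after which govulncheck reported nothing on this page (go1.20.12 on the 1.20 line, or go1.21.5, the "Fixed in" version govulncheck printed for the net/http finding). The minimum-version table, the treatment of pre-release and out-of-support lines, and every function name here are this example's own assumptions, not anything the PR defines.

```go
package main

import (
	"fmt"
	"os"
	"runtime"
	"strconv"
	"strings"
)

// GoVersion is a parsed toolchain version such as "go1.20.12".
type GoVersion struct {
	Major, Minor, Patch int
}

func (v GoVersion) String() string {
	return fmt.Sprintf("go%d.%d.%d", v.Major, v.Minor, v.Patch)
}

// Less reports whether v is older than w.
func (v GoVersion) Less(w GoVersion) bool {
	if v.Major != w.Major {
		return v.Major < w.Major
	}
	if v.Minor != w.Minor {
		return v.Minor < w.Minor
	}
	return v.Patch < w.Patch
}

// ParseGoVersion accepts "go1.20.12", "go1.21" and pre-releases such as
// "go1.21rc1". A pre-release is mapped to patch 0 so it can never satisfy a
// minimum that requires a point release.
func ParseGoVersion(s string) (GoVersion, error) {
	s = strings.TrimSpace(s)
	if !strings.HasPrefix(s, "go1.") {
		return GoVersion{}, fmt.Errorf("%q is not a go1.x version", s)
	}
	rest := strings.TrimPrefix(s, "go")
	for _, pre := range []string{"rc", "beta"} {
		if i := strings.Index(rest, pre); i >= 0 {
			rest = rest[:i]
		}
	}
	parts := strings.Split(rest, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return GoVersion{}, fmt.Errorf("unexpected version layout in %q", s)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return GoVersion{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		n[i] = x
	}
	return GoVersion{n[0], n[1], n[2]}, nil
}

// minPatched (assumed for this example) is the first release on each supported
// line after which govulncheck reported no standard-library findings for
// cert-manager: 1.20.12 is what the PR bumps to, 1.21.5 is the "Fixed in"
// version govulncheck printed for GO-2023-2382.
var minPatched = map[int]GoVersion{
	20: {1, 20, 12},
	21: {1, 21, 5},
}

// CheckToolchain returns nil when v carries the fixes, or an error saying why not.
// Lines newer than 1.21 branched after the fixes landed and are treated as fixed;
// 1.19 and older were out of support at the time and never received them.
func CheckToolchain(v GoVersion) error {
	if v.Major != 1 {
		return fmt.Errorf("%s: unexpected major version", v)
	}
	floor, known := minPatched[v.Minor]
	switch {
	case v.Minor > 21:
		return nil
	case !known:
		return fmt.Errorf("%s: release line out of support, no patched release exists", v)
	case v.Less(floor):
		return fmt.Errorf("%s is below the minimum patched release %s", v, floor)
	}
	return nil
}

// VersionFromGoOutput pulls the toolchain version out of one line of
// "go version" ("go version go1.20.12 linux/amd64") or of
// "go version -m <binary>" ("<binary>: go1.20.12"), so the same gate
// can be applied to a built artifact, not only to the local toolchain.
func VersionFromGoOutput(line string) (GoVersion, error) {
	for _, tok := range strings.Fields(line) {
		if v, err := ParseGoVersion(tok); err == nil {
			return v, nil
		}
	}
	return GoVersion{}, fmt.Errorf("no go version found in %q", line)
}

func main() {
	// Check the toolchain this program itself was built with.
	v, err := ParseGoVersion(runtime.Version())
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if err := CheckToolchain(v); err != nil {
		fmt.Fprintln(os.Stderr, "FAIL:", err)
		os.Exit(1)
	}
	fmt.Println("OK:", v)
}
```

Run it as-is to check the toolchain it was built with, or feed the first line of `go version -m` on a built binary through VersionFromGoOutput to gate a release artifact. It complements govulncheck rather than replacing it: govulncheck also knows which vulnerable functions are actually reachable, and the version table here has to be maintained by hand as new advisories land.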
@jetstack-bot jetstack-bot added kind/feature Categorizes issue or PR as related to a new feature. release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Dec 11, 2023
@wallrj wallrj changed the base branch from master to release-1.13 December 11, 2023 17:18
@jetstack-bot jetstack-bot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Dec 11, 2023
@wallrj (Member, Author) commented Dec 11, 2023

/retest

@jetstack-bot (Collaborator) commented:

@wallrj: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                                    Commit   Required  Rerun command
pull-cert-manager-master-chart               d2c7b9f  true      /test pull-cert-manager-master-chart
pull-cert-manager-master-license             d2c7b9f  false     /test pull-cert-manager-master-license
pull-cert-manager-master-e2e-v1-28           d2c7b9f  true      /test pull-cert-manager-master-e2e-v1-28
pull-cert-manager-master-e2e-v1-28-upgrade   d2c7b9f  true      /test pull-cert-manager-master-e2e-v1-28-upgrade

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. and removed dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Dec 11, 2023
@wallrj wallrj requested a review from maelvls December 11, 2023 17:24
@maelvls (Member) commented Dec 11, 2023

Thanks for the detailed information. Does this need to be released in 1.13.4 immediately or can we wait?

/lgtm
/approve

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Dec 11, 2023
@jetstack-bot (Collaborator) commented:

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: maelvls

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 11, 2023
@jetstack-bot jetstack-bot merged commit 63ce18a into cert-manager:release-1.13 Dec 11, 2023
6 checks passed
@wallrj wallrj deleted the release-1.13-go-1.20.12 branch December 11, 2023 17:54