
CVE-2022-1996: Bump k8s.io/x and github.com/emicklei/go-restful/v3 #112

Merged
merged 2 commits into from Nov 20, 2023

Conversation

oshoval
Contributor

@oshoval oshoval commented Nov 20, 2023

What this PR does / why we need it:
Had to update k8s.io family so new go-restful can be used.

CVE-2022-1996, CWE-285
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMEMICKLEIGORESTFULV3-2435654

Special notes for your reviewer:
Fixed makefile missing phony, removed touches

Release note:

None

@kubevirt-bot kubevirt-bot added release-note-none Denotes a PR that doesn't merit a release note. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Nov 20, 2023
@oshoval
Contributor Author

oshoval commented Nov 20, 2023

https://prow.ci.kubevirt.io/view/gs/kubevirt-prow/pr-logs/pull/kubevirt_macvtap-cni/112/pull-macvtap-cni-unit-test/1726598715055017984

# k8s.io/client-go/applyconfigurations/meta/v1
vendor/k8s.io/client-go/applyconfigurations/meta/v1/unstructured.go:64:38: cannot use doc (variable of type *"github.com/google/gnostic/openapiv2".Document) as type *"github.com/google/gnostic-models/openapiv2".Document in argument to proto.NewOpenAPIData
?   	github.com/kubevirt/macvtap-cni/cmd/cni	[no test files]
?   	github.com/kubevirt/macvtap-cni/cmd/deviceplugin	[no test files]

it fails compilation but the CI didn't check it

@maiqueb FYI (CI should catch it regardless of this PR)

https://prow.ci.kubevirt.io/view/gs/kubevirt-prow/pr-logs/pull/kubevirt_macvtap-cni/112/pull-macvtap-cni-e2e-k8s/1726598715075989504
did catch it

/hold

@kubevirt-bot
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: maiqueb, oshoval

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Nov 20, 2023
@oshoval oshoval force-pushed the CVE-2022-1996 branch 2 times, most recently from 9eb0e18 to f7c940b Compare November 20, 2023 13:58
@oshoval oshoval changed the title CVE-2022-1996: Bump github.com/emicklei/go-restful CVE-2022-1996: Bump github.com/emicklei/go-restful/v3 Nov 20, 2023
@oshoval
Contributor Author

oshoval commented Nov 20, 2023

not good yet
might need to bump more things (kubernetes/client-go#1084 (comment))
closing for now

there is an open issue about it for some people
kubernetes/client-go#1313

@oshoval oshoval closed this Nov 20, 2023
@oshoval oshoval reopened this Nov 20, 2023
@oshoval oshoval force-pushed the CVE-2022-1996 branch 2 times, most recently from 9bf0b90 to f2d52ea Compare November 20, 2023 14:28
Signed-off-by: Or Shoval <oshoval@redhat.com>
Signed-off-by: Or Shoval <oshoval@redhat.com>
@oshoval
Contributor Author

oshoval commented Nov 20, 2023

/hold cancel

ptal

@kubevirt-bot kubevirt-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 20, 2023
@oshoval oshoval changed the title CVE-2022-1996: Bump github.com/emicklei/go-restful/v3 CVE-2022-1996: Bump k8s.io/x and github.com/emicklei/go-restful/v3 Nov 20, 2023
@maiqueb
Collaborator

maiqueb commented Nov 20, 2023

/lgtm

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Nov 20, 2023
@kubevirt-bot kubevirt-bot merged commit d9bd434 into kubevirt:main Nov 20, 2023
4 of 5 checks passed
@oshoval
Contributor Author

oshoval commented Nov 23, 2023

btw, after checking, the previous go-restful version was already fine with respect to the mentioned CVE
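The bug class behind CVE-2022-1996, shown as an added Go example that is not code from this PR or from go-restful itself: to my understanding of the fix that landed in go-restful v3.8.0, the CORS filter previously compiled each AllowedDomains entry into an unanchored regular expression, so any Origin that merely contained an allowed domain was accepted, and the fix replaced that with a whole-string, case-insensitive comparison (plus an optional AllowedDomainFunc hook). The allowlist and the Origin values below are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample allowlist: the one origin this API should serve.
var allowedDomains = []string{"https://app.example.com"}

// originAllowedByPattern treats each allowlist entry as an unanchored
// regular expression (the pre-v3.8.0 behaviour, as understood here).
// A match anywhere inside the Origin string is accepted, so a longer
// lookalike host that embeds the allowed domain passes the check.
func originAllowedByPattern(origin string) bool {
	for _, domain := range allowedDomains {
		if ok, _ := regexp.MatchString(domain, origin); ok {
			return true
		}
	}
	return false
}

// originAllowedExact compares the whole Origin against each entry,
// case-insensitively, and rejects an empty Origin outright. This is
// the strict comparison the fixed filter performs before consulting
// any AllowedDomainFunc callback.
func originAllowedExact(origin string) bool {
	if origin == "" {
		return false
	}
	for _, domain := range allowedDomains {
		if strings.EqualFold(origin, domain) {
			return true
		}
	}
	return false
}

func main() {
	for _, o := range []string{
		"https://app.example.com",               // listed origin
		"https://APP.EXAMPLE.COM",               // same origin, different case
		"https://app.example.com.lookalike.test", // constructed lookalike host
	} {
		fmt.Printf("%-40s pattern=%-5v exact=%v\n",
			o, originAllowedByPattern(o), originAllowedExact(o))
	}
}
```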
