[Snyk] Security upgrade golang from 1.6 to 1.23.0 #279
Open: paul-maidment wants to merge 35 commits into master from snyk-fix-572dc7df41ca72e60815a2bfad934ba8
During the QE process for this feature, it was discovered that there are some bugs preventing the proper creation of a ClusterDeployment in some environments. The owner of the ClusterDeployment has been changed to the AgentServiceConfig as it should be and a permission has been added to permit "ManagedClusterSet/join" as this is required to be able to create a ClusterDeployment. Co-authored-by: Paul Maidment <[email protected]>
openshift#5502) https://issues.redhat.com/browse/MGMT-15559 Day 2 workers create BMH and Machine CRs on the spoke cluster when the host starts installing. The non-converged flow initially added the detached annotation for the BMH when the host starts installing too. This causes the BMH to stop being reconciled so the BMH and Machine CRs aren't created in the spoke cluster. This change adds the detached annotation when the host reaches rebooting, joined, or failed instead of installing so that it doesn't conflict with adding the BMH/Machine to the spoke cluster. Co-authored-by: CrystalChun <[email protected]>
Email domain was set to Unknown by default for clusters. This modifies the check for that and ensures it's set to an actual email domain for on-prem event uploading. Co-authored-by: CrystalChun <[email protected]>
Co-authored-by: CrystalChun <[email protected]>
Signed-off-by: Riccardo piccoli <[email protected]> Co-authored-by: Riccardo piccoli <[email protected]>
* MGMT-14409: generate image short URL * make clear that ParseDownloadURL is best-effort --------- Co-authored-by: Adrien Gentil <[email protected]>
Add adriengentil in order to align the configuration with other assisted repos.
Add short URL routes into the ingress object when deploying through the scripts. Co-authored-by: Adrien Gentil <[email protected]>
…penshift#5547) This fix handles cluster updates that patch UMN and VIPs at the same request. There was an issue in which the code overrode an empty VIPs array (which is how VIPs should get deleted) with a nil, indicating no update to this field. This change also includes tests that validate those exact scenarios. Co-authored-by: Nir Magnezi <[email protected]>
…n cluster deployment (openshift#5568) Assisted service will watch for hive.openshift.io/reconcile-pause annotation on cluster deployment in addition to the existing hold installation field in agent cluster install. The reason for the duplication is an integration with Ansible in the ACM product that is no longer maintained, so the implementation is done in Assisted. The logic will check both fields on day1 installation and if one of them is set the installation will be paused. Co-authored-by: Michael Filanov <[email protected]>
) In order to enable ValidatingWebhook on InfraEnv creation, added 'Create' to operations list. Co-authored-by: Daniel Erez <[email protected]>
The 'validateClusterDeployment' func is ensuring that ImageSetRef is specified for day1 cluster. Thus, it should be called before trying to create a cluster. This change moves the validation and fixes the day1 unit-test. Note that the test passed before as it didn't check for a specific error. I.e. it actually failed due to 'Missing reference to pull secret'. Co-authored-by: Daniel Erez <[email protected]>
This will be released in ACM 2.10 and is being disabled by default for now.
Signed-off-by: Riccardo piccoli <[email protected]>
Signed-off-by: Riccardo piccoli <[email protected]>
…ft#5656) Co-authored-by: Nir Magnezi <[email protected]>
…ow (openshift#5663) The validator function CheckPlatformWrongParamsInput compares HighAvailabilityMode when it is possibly still nil. This fix is to access it safely. Co-authored-by: Nir Magnezi <[email protected]>
https://issues.redhat.com/browse/MGMT-16001 Recently there have been errors running the reclaim agent when unbinding due to the daemonset's container's name containing dots. This replaces all dot characters `.` with underscore characters `_`. Co-authored-by: CrystalChun <[email protected]>
The commit db30aab attempted to add TLS to the service monitor but it forgot to change the scheme to https, and this was noticed during QE for the ticket associated with that commit. Solves MGMT-14756 Co-authored-by: Omer Tuchfeld <[email protected]>
https://issues.redhat.com/browse/MGMT-16001 Originally replaced all periods `.` with an underscore `_` character, which is actually not allowed. Now all periods will be replaced by a dash character `-`. Co-authored-by: CrystalChun <[email protected]>
* MGMT-16047: update baremetal-operator to 4.14 One of the major changes is controller-runtime version * Cache functionality updated * Admission decoder does not return an error * Changing deprecated PollImmediate function to PollUntilContextTimeout * Controller wait function signature has changed to get object instead of kind * Switching pointer package to use generic ptr * Generated webhook validation function signature changed * Add SubResource interface mock client * Fix controller UT after update to new controller runtime version Status.Update will not work unless the resource is added to WithStatusSubresource * change deprecated controller port field to webhook server configuration * MGMT-16047: update baremetal-operator to 4.14 go mod and vendor update generic-admission-server to master
Because of a recover function in V2UpdateHostIgnition, if a panic occurs then a controller will get nil as a reply and assume that the call didn't fail. It caused a hot loop that tried to update the ignition again and again; because an event was called before the panic and before the ignition was committed, we ended up with 95 million events before we ran out of space on the disk. This commit will remove the recover in order to return a proper error and fail the service if there is a panic. The panic was caused by calling setIgnitionConfigOverrideUsage and assuming that cluster ID exists; added a validation for the cluster id before using it. Added unit tests to check functionality to unbound host Co-authored-by: Michael Filanov <[email protected]>
app-sre made their repo mirroring golangci-lint for legal reasons, and now our jobs are failing to install it. Installing it now from the cli. We could also have pulled golangci-lint from dockerhub, but rate limitation there is quite aggressive. Co-authored-by: Adrien Gentil <[email protected]>
…in order to meet single ip installation flow for ibu (openshift#5789) * MGMT-16061: changing dnsmasq configuration for sno in order to meet single ip installation flow for ibu Change dnsmasq configuration to use template and set ip to single-node.conf taken from nodeip-configuration primary ip file Allow setting new ip to force dns dispatcher script * MGMT-16061: changing dnsmasq configuration for sno in order to meet single ip installation flow for ibu Improving adding an option to override domain
…t#5823) Before this change a user would get an error if, for example, arm64 was provided in the infraenv, but aarch64 was provided in the BMH when in reality those should match. Resolves https://issues.redhat.com/browse/MGMT-16047 Co-authored-by: Nick Carboni <[email protected]>
When deleting an NMStateConfig CR, the discovery ISO and static network config are not updated accordingly. I.e. the previous config remains intact. Hence, ensure that the StaticNetworkConfig is emptied when the CR is deleted (set on InfraEnvUpdateParams). Co-authored-by: Daniel Erez <[email protected]>
… it in IBI process (openshift#5882) Co-authored-by: Igal Tsoiref <[email protected]>
) (openshift#5936) https://issues.redhat.com/browse/OCPBUGS-27376 RFC 1034 initially stated domain names should only start with a letter, but that was later revised by RFC 1123. Updates the domain regex to allow domains to start with a number. Also adds a check to prevent dotted decimal domains. Includes changes that also check for the length of domains. RFC 1123 also states that a label must be no more than 63 characters and a full domain must be no more than 255 characters.
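A validator implementing the domain rules that commit message describes (labels may start with a digit per RFC 1123, labels are at most 63 characters, the whole name at most 255, and dotted-decimal names are rejected), written as an added Go example; it is not the assisted-service code, and `ValidateDomain`, `isDottedDecimal` and the label regex are assumptions for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// labelRe accepts an RFC 1123 label: alphanumeric at both ends, hyphens
// allowed inside, 1 to 63 characters (1 + up to 61 + 1).
var labelRe = regexp.MustCompile(`^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$`)

// isDottedDecimal reports whether every label is all digits, e.g. "10.0.0.1"
// or "999.1.2.3", which must not be accepted as a domain name.
func isDottedDecimal(labels []string) bool {
	for _, l := range labels {
		if l == "" || strings.Trim(l, "0123456789") != "" {
			return false
		}
	}
	return true
}

// ValidateDomain returns nil for a name that satisfies the rules above and a
// descriptive error otherwise (hypothetical helper, not the project's own).
func ValidateDomain(domain string) error {
	if domain == "" {
		return fmt.Errorf("domain is empty")
	}
	if len(domain) > 255 {
		return fmt.Errorf("domain %q is longer than 255 characters", domain)
	}
	labels := strings.Split(domain, ".")
	if isDottedDecimal(labels) {
		return fmt.Errorf("domain %q is dotted-decimal, not a name", domain)
	}
	for _, l := range labels {
		if len(l) > 63 {
			return fmt.Errorf("label %q is longer than 63 characters", l)
		}
		if !labelRe.MatchString(l) {
			return fmt.Errorf("label %q is not a valid RFC 1123 label", l)
		}
	}
	return nil
}

func main() {
	for _, d := range []string{"1example.com", "192.168.1.1", "-bad.example.com"} {
		fmt.Printf("%-18s -> %v\n", d, ValidateDomain(d))
	}
}
```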
…5951) (openshift#5962) https://issues.redhat.com/browse/MGMT-14226 Upgrades go dependency github.com/docker/docker to 20.10.24 to fix CVE. GHSA-33pg-m6jh-5237
…enshift#5970) CVE-2023-49568 and CVE-2023-49569 both detail vulnerabilities in versions of https://github.com/go-git/go-git less than version v5.11 Presently assisted-installer depends on this library due to the following dependency chain. github.com/containers/image/[email protected] depends on github.com/sylabs/sif/[email protected] github.com/sylabs/sif/[email protected] depends on github.com/sylabs/[email protected] github.com/sylabs/[email protected] depends on github.com/go-git/go-git/[email protected] From v2.5.0 github.com/sylabs/sif no longer depends on github.com/sylabs/[email protected] The solution in this PR is as follows: github.com/containers/image/[email protected] is the closest revision we can upgrade to that uses github.com/sylabs/sif/v2 > v2.5.0 thus removing the go-git dependency altogether and resolving both CVEs. Co-authored-by: Paul Maidment <[email protected]>
The `github.com/containers/image/v2/docker/reference` implementation is deprecated in favour of `github.com/distribution/reference` In support of CVE work and good consistency, this reference has been updated to remove the deprecated library and use the new one.
…ilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-DEBIAN8-GIT-340820 - https://snyk.io/vuln/SNYK-DEBIAN8-GIT-340820 - https://snyk.io/vuln/SNYK-DEBIAN8-GIT-340873 - https://snyk.io/vuln/SNYK-DEBIAN8-GIT-340873 - https://snyk.io/vuln/SNYK-DEBIAN8-GIT-340907
Snyk has created this PR to fix 3 vulnerabilities in the dockerfile dependencies of this project.
Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.
Snyk changed the following file(s):
vendor/github.com/buger/jsonparser/Dockerfile
We recommend upgrading to golang:1.23.0, as this image has only 89 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.
Vulnerabilities that will be fixed with an upgrade:
SNYK-DEBIAN8-GIT-340820
SNYK-DEBIAN8-GIT-340873
SNYK-DEBIAN8-GIT-340907
Important note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.