Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Address CVE-2022-1996 #394

Merged

Conversation

datamattsson
Copy link

@datamattsson datamattsson commented Dec 8, 2022

Signed-off-by: Michael Mattsson [email protected]

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespaces from that line:

/kind api-change
/kind bug
/kind cleanup
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

What this PR does / why we need it:

Addresses CVE-2022-1996

Which issue(s) this PR fixes:

Fixes #369

Special notes for your reviewer:

Slack thread: https://kubernetes.slack.com/archives/C09QZFCE5/p1670445226176689

Does this PR introduce a user-facing change?:

Updated dependencies to address CVE-2022-1996.

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Dec 8, 2022
@k8s-ci-robot
Copy link
Contributor

Welcome @datamattsson!

It looks like this is your first PR to kubernetes-csi/external-attacher 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-csi/external-attacher has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Dec 8, 2022
@k8s-ci-robot
Copy link
Contributor

Hi @datamattsson. Thanks for your PR.

I'm waiting for a kubernetes-csi member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Dec 8, 2022
@bswartz
Copy link

bswartz commented Dec 8, 2022

Is it possible to not bump the go version from 1.16 to 1.18? For a stable release we don't want to change unnecessary things like compiler versions, due to the chance that the new compiler breaks something that used to work (due to deprecation).

@msau42
Copy link
Collaborator

msau42 commented Dec 8, 2022

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Dec 8, 2022
go.mod Outdated Show resolved Hide resolved
@datamattsson
Copy link
Author

Is it possible to not bump the go version from 1.16 to 1.18?

1.16 has a cascade of CVEs associated with it in some of the indirect dependencies. Is 1.17 a middle road?

@bswartz
Copy link

bswartz commented Dec 9, 2022

Is it possible to not bump the go version from 1.16 to 1.18?

1.16 has a cascade of CVEs associated with it in some of the indirect dependencies. Is 1.17 a middle road?

Even the latest dot release - 1.16.15? If there are known unpatched security vulnerabilities then I agree it wouldn't make much sense to continue using the old compiler version in a patch that specifically addresses security vulnerabilities, but we should want to avoid upgrading anything that might deprecate existing support because nobody wants to do a dot release upgrade (of this sidecar) and find that something broke.

I'm not specifically aware of anything that was dropped between go version 1.16 and 1.17/1.18, but that's the thing to worry about.

@datamattsson
Copy link
Author

Even the latest dot release - 1.16.15?

Changing go.mod from 1.17 to 1.16 and running go mod tidy && go mod vendor in between will reveal this report: https://gist.github.com/datamattsson/e1038144465ace0177dd8b904e9de278

Yesterday, 1.17 was clean as a whistle but today CVE-2022-41717 in golang.org/x/net was discovered (not relevant to the attacher AFAICT).

@datamattsson
Copy link
Author

nobody wants to do a dot release upgrade (of this sidecar) and find that something broke.

This is why we test. Any sidecar upgrade, major, minor or patch would require full e2e on our end and expect the same results. I don't think users blindly flick an image upgrade before safely testing the new image.

@bswartz
Copy link

bswartz commented Dec 9, 2022

This is why we test. Any sidecar upgrade, major, minor or patch would require full e2e on our end and expect the same results. I don't think users blindly flick an image upgrade before safely testing the new image.

Given the CVEs associated with older go compiler versions, I'm not going to oppose an update here, but did want to push back on the idea that testing is sufficient in every case. Testing covers a lot of use cases but typically only in a single (or small number of) configurations. More exotic configurations tend not to be tested, and deprecations tend to affect exotic configurations more than anything. It's a good rule in general to avoid updating things in stable branches without an explicit reason. In this case our explicit reason is security issues with the compiler, so I'm fine with that.

@datamattsson datamattsson requested review from msau42 and removed request for xing-yang and j-griffith December 9, 2022 20:23
Signed-off-by: Michael Mattsson <[email protected]>
@datamattsson
Copy link
Author

Will this PR be merge-able at one point? (I understand 1.26 deliverables takes precedence).

@jsafrane
Copy link
Contributor

jsafrane commented Jan 2, 2023

/retest

@jsafrane
Copy link
Contributor

jsafrane commented Jan 2, 2023

/test all

@jsafrane
Copy link
Contributor

jsafrane commented Jan 2, 2023

I'm fixing CI in #401

@jsafrane
Copy link
Contributor

jsafrane commented Jan 3, 2023

/test all

@jsafrane
Copy link
Contributor

jsafrane commented Jan 3, 2023

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 3, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: datamattsson, jsafrane

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 3, 2023
@k8s-ci-robot k8s-ci-robot merged commit 9b4f2b6 into kubernetes-csi:release-3.5 Jan 3, 2023
@jsafrane
Copy link
Contributor

jsafrane commented Jan 3, 2023

Is it possible to not bump the go version from 1.16 to 1.18?

version in go.mod just specifies version of go vendoring rules that will be used by go mod. The actual compiler used to build the image is defined either in cloudbuild.yaml or in prow.sh, both taken from the latest release-tools merge. It's not bound to the branch in any way. I can't tell if it is good or bad, just reporting the process.

@datamattsson datamattsson deleted the cve-2022-1996 branch January 3, 2023 18:53
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Jan 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
No open projects
Status: PRs Approved
Development

Successfully merging this pull request may close these issues.

5 participants