Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rebuild with golang v1.18.6 or higher #224

Closed
dkistner opened this issue Oct 10, 2022 · 7 comments
Closed

Rebuild with golang v1.18.6 or higher #224

dkistner opened this issue Oct 10, 2022 · 7 comments

Comments

@dkistner
Copy link

Our image scanner detected some golang related findings (e.g. CVE-2022-27664) in the latest release v2.5.1 which can be fixed by rebuilding with golang v1.18.6 or higher.

Is there a way to upgrade to golang v1.18.6, build and publish an upgraded version?

If I understand the build process correctly the binary is build with the go version which is used in the corresponding pipeline (in this case v1.17.3) and then copied to build the corresponding image.
@mauriciopoppe mauriciopoppe mentioned this issue Oct 10, 2022
Merged
@dkistner
Copy link
Author

@mauriciopoppe Thanks for #225
Is it planned to have a new release build on the updated golang version?

@mauriciopoppe
Copy link
Member

yes, I'm going to work on the release and hopefully be done this week or next week

@mauriciopoppe
Copy link
Member

We released v2.6.0, checked that it's available with docker pull k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.6.0

@dkistner
Copy link
Author

Thanks for the new release. Unfortunately the image k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.6.0 seems still to build with < v1.18.6 and has therefore golang related CVEs like CVE-2022-27664.
Is there a way to build it with v1.18.6 or higher?

@mauriciopoppe
Copy link
Member

Thanks for letting me know, It looks like the latest version of https://github.com/kubernetes-csi/csi-release-tools/blob/master/prow.sh#L89 isn't in this repo https://github.com/kubernetes-csi/node-driver-registrar/blob/master/release-tools/prow.sh#L89.

Build logs: https://storage.googleapis.com/kubernetes-jenkins/logs/canary-node-driver-registrar-push-images/1584681211740033024/artifacts/build.log

I think I could pull that subtree and create a new patch release for the fix.

@mauriciopoppe mauriciopoppe reopened this Oct 31, 2022
@mauriciopoppe
Copy link
Member

Building with 1.19 should happen with #224 merged, I'll create a new patch release in the branch release-2.6

@mauriciopoppe mauriciopoppe mentioned this issue Nov 9, 2022
Merged
@luhi-DT luhi-DT mentioned this issue Nov 20, 2022
Closed
@mauriciopoppe
Copy link
Member

These releases should be built with 1.19

sunnylovestiramisu added a commit to sunnylovestiramisu/node-driver-registrar that referenced this issue Apr 26, 2023
@sunnylovestiramisu
Squashed 'release-tools/' changes from 6613c398..4133d1df
e2fb436 
4133d1df Merge pull request kubernetes-csi#226 from msau42/cloudbuild
8d519d23 Pin buildkit to v0.10.6 to workaround v0.11 bug with docker manifest
6e04a030 Merge pull request kubernetes-csi#224 from msau42/cloudbuild
26fdfffd Update cloudbuild image

git-subtree-dir: release-tools
git-subtree-split: 4133d1df083eaa65bdeddd0530d54278529c7a60
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mauriciopoppe @dkistner